NRC Enforcement Policy, 78022-78028 [2016-26762]

Agencies

• NUCLEAR REGULATORY COMMISSION

[Federal Register Volume 81, Number 215 (Monday, November 7, 2016)]
[Rules and Regulations]
[Pages 78022-78028]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-26762]


-----------------------------------------------------------------------

NUCLEAR REGULATORY COMMISSION

10 CFR Chapter I

[NRC-2014-0221]


NRC Enforcement Policy

AGENCY: Nuclear Regulatory Commission.

ACTION: Policy revision; issuance.

-----------------------------------------------------------------------

SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is issuing a 
revision to its Enforcement Policy (Policy) to incorporate changes 
approved by the Commission.

DATES: This revision is effective on November 7, 2016. The NRC is not 
soliciting comments on this revision to its Policy at this time.

ADDRESSES: Please refer to Docket ID NRC-2014-0221 when contacting the 
NRC about the availability of information regarding this document. You 
may obtain publicly-available information related to this document 
using any of the following methods:
     Federal Rulemaking Web site: Go to https://www.regulations.gov and search for Docket ID NRC-2014-0221. Address 
questions about NRC dockets to Carol Gallagher: telephone: 301-415-
3463; email: Carol.Gallagher@nrc.gov. For technical questions, contact 
the individual listed in the FOR FURTHER INFORMATION CONTACT section of 
this document.
     NRC's Agencywide Documents Access and Management System 
(ADAMS): You may obtain publicly-available documents online in the 
ADAMS Public Documents collection https://www.nrc.gov/reading-rm/adams.html. To begin the search, select ``ADAMS Public Documents'' and 
then select ``Begin Web-based ADAMS Search.'' For problems with ADAMS, 
please contact the NRC's Public Document Room (PDR) reference staff at 
1-800-397-4209, 301-415-4737, or by email to pdr.resource@nrc.gov. The 
ADAMS accession number for each document referenced in this document 
(if that document is available in ADAMS) is provided the first time 
that a document is referenced.
     NRC's PDR: You may examine and purchase copies of public 
documents at the NRC's PDR, Room O1-F21, One White Flint North, 11555 
Rockville Pike, Rockville, Maryland 20852.
    The NRC maintains the Enforcement Policy on its Web site at https://www.nrc.gov: under the heading ``Popular Documents,'' select 
``Enforcement Actions,'' then under ``Enforcement'' in the left side 
column, select ``Enforcement Policy.'' The revised Enforcement Policy 
is available in ADAMS under Accession No. ML16271A446.

FOR FURTHER INFORMATION CONTACT: Gerry Gulla, Office of Enforcement, 
U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; 
telephone: 301-287-9143; email: Gerald.Gulla@nrc.gov.

SUPPLEMENTARY INFORMATION:

I. Background

    The mission of the NRC is to license and regulate the Nation's 
civilian use of byproduct, source, and special nuclear material to 
ensure adequate protection of public health and safety, promote the 
common defense and security, and protect the environment. The NRC 
supports this mission through its use of its Policy. Adequate 
protection is presumptively assured by compliance with the NRC's 
regulations, and the Policy contains the basic procedures used to 
assess and disposition apparent violations of the NRC's requirements.
    The NRC initially published the Policy in the Federal Register on 
October 7, 1980 (45 FR 66754). Since its initial publication, the 
Policy has been revised on a number of occasions to address changing 
requirements and lessons learned. The most recent Policy revision is 
dated August 1, 2016. That revision reflects the new maximum civil 
penalty amount that the NRC can assess for a violation of the Atomic 
Energy Act of 1954, as amended (AEA), or any regulation or order issued 
under the AEA.
    This current revision to the Policy incorporates lessons learned 
along with miscellaneous clarifications and additions. These revisions 
include a rewrite of Section 6.13, ``Information Security,'' to 
incorporate a risk-informed approach for assessing the significance of 
information security violations; the implementation of the Construction 
Reactor Oversight Process (cROP); and miscellaneous revisions to: (1) 
The Glossary; (2) violation examples; and (3) Section 2.3.4, ``Civil 
Penalty.''
    The NRC provided an opportunity for the public to comment on these 
Policy revisions in a document published in the Federal Register on 
October 9, 2014 (79 FR 61107). The Nuclear Energy Institute (NEI) was 
the only stakeholder that submitted comments (ADAMS Accession No. 
ML14364A020).

II. Revisions to the Enforcement Policy

1. Construction Reactor Oversight Process (cROP)

a. Table of Contents
    The NRC is revising the Table of Contents to incorporate the 
implementation of the cROP into the Policy. This requires a revision to 
the titles of Sections 2.2.3 and 2.2.4. In addition to the revision 
discussed below, there are also other miscellaneous cROP related 
reference revisions throughout the Policy.
b. Section 2.2 ``Assessment of Violations''
    Section 2.2 is modified to include the cROP, and remove the 
specificity which allows for the use of the significance determination 
process (SDP), not only for facilities under construction, but for 
independent spent fuel storage installations when an SDP is developed.
Revision
    After a violation is identified, the NRC assesses its severity or 
significance (both actual and potential). Under traditional 
enforcement, the severity level (SL) assigned to the violation 
generally reflects the assessment of the significance of a violation. 
For most violations committed by power reactor licensees, the 
significance of a violation is assessed using the Reactor Oversight 
Process (ROP) or the Construction Reactor Oversight Process (cROP), as 
discussed below in Section 2.2.3, ``Assessment of Violations Identified 
Under the ROP or cROP.'' All other violations at power reactors or 
power

[[Page 78023]]

reactor facilities under construction will be assessed using 
traditional enforcement as described in Section 2.2.4, ``Using 
Traditional Enforcement to Disposition Violations Identified at Power 
Reactors.'' Violations identified at facilities that are not subject to 
an ROP or cROP are assessed using traditional enforcement.
c. Section 2.2.3 ``Operating Reactor Assessment Program''
    The NRC is revising this section to add the implementation of the 
cROP and will reference the NRC's Inspection Manual Chapter (IMC) 2505, 
``Periodic Assessment of Construction Inspection Program Results'' 
(ADAMS Accession No. ML14269A107). IMC 2505 describes the construction 
assessment program and IMC 0305, ``Operating Reactor Assessment 
Program,'' describes the ROP (ADAMS Accession No. ML15089A315).
Revision
2.2.3 Assessment of Violations Identified Under the ROP or cROP
    The assessment, disposition, and subsequent NRC action related to 
inspection findings identified at operating power reactors are 
determined by the ROP, as described in NRC Inspection Manual Chapter 
(IMC) 0305, ``Operating Reactor Assessment Program,'' and IMC 0612, 
``Power Reactor Inspection Reports.'' The assessment, disposition, and 
subsequent NRC action related to inspection findings identified at 
power reactors under construction are determined by the cROP, as 
described in IMC 2505, ``Periodic Assessment of Construction Inspection 
Program Results'' and in IMC 0613, ``Power Reactor Construction 
Inspection Reports.''
    Inspection findings identified through the ROP are assessed for 
significance using the SDP described in IMC 0609, ``Significance 
Determination Process.'' Inspection findings identified through the 
cROP are assessed for significance using the SDP described in IMC 2519, 
``Construction Significance Determination Process.'' The SDPs use risk 
insights, where possible, to assist the NRC staff in determining the 
significance of inspection findings identified within the ROP or cROP. 
Inspection findings processed through the SDP, including associated 
violations, are documented in inspection reports and are assigned one 
of the following colors, depending on their significance.
d. Section 2.2.4 ``Exceptions To Using Only the Operating Reactor 
Assessment Program''
    The NRC is revising this section to add the implementation of the 
cROP and will reference IMC 2505.
Revision
2.2.4 Using Traditional Enforcement to Disposition Violations 
Identified at Power Reactors
    Some aspects of violations at power reactors cannot be addressed 
solely through the SDP. In these cases, violations must be addressed 
separately from any associated ROP or cROP findings (when findings are 
present). Accordingly, these violations are assigned severity levels 
and can be considered for civil penalties in accordance with this 
Policy while the significance of the associated ROP or cROP finding 
(when present) must be dispositioned in accordance with the SDP. In 
determining the severity level assigned to such violations, the NRC 
will consider information in this Policy and the violation examples in 
Section 6.0 of this Policy, as well as SDP-related information, when 
available.
e. Section 2.2.6 ``Construction''
    Section 2.2.6, ``Construction,'' will be revised to provide 
clarifying guidance regarding enforcement and the Changes during 
Construction (CdC) Preliminary Amendment Request (PAR) process. The 
policy will now note that enforcement actions will not be taken for 
construction pursuant to a PAR No-Objection Letter, issued by the NRC, 
even if that construction is outside of the current licensing basis 
(CLB) while a corresponding license amendment request (LAR) is under 
review. This will allow the licensee to continue construction at-risk 
if the construction is consistent with the associated LAR and the No-
Objection Letter. In addition, this section will also be revised to 
conform the policy to be consistent with the revised regulations 
promulgated by the NRC in ``Licenses, Certifications, and Approvals for 
Materials Licenses'' (76 FR 56951; September 15, 2011).

Revision

2.2.6 Construction
    In accordance with 10 CFR 50.10, no person may begin the 
construction of a production or utilization facility on a site on which 
the facility is to be operated until that person has been issued either 
a construction permit under 10 CFR part 50, a combined license under 10 
CFR part 52, an early site permit authorizing the activities under 10 
CFR 50.10(d), or a limited work authorization under 10 CFR 50.10(d). In 
an effort to preclude unnecessary regulatory burden on 10 CFR part 52 
combined license holders while maintaining safety, the Changes during 
Construction (CdC) Preliminary Amendment Request (PAR) process was 
developed in Interim Staff Guidance (ISG)-025, ``Interim Staff Guidance 
on Changes During Construction Under 10 CFR part 52.'' The license 
condition providing the option for a PAR as detailed in ISG-025 allows 
the licensee to request to make physical changes to the plant that are 
consistent with the scope of the associated license amendment request 
(LAR). The NRC staff may issue a No-Objection Letter with or without 
specific limitations, in response to the PAR. Enforcement actions will 
not be taken for construction pursuant to a PAR No-Objection Letter 
that is outside of the Current Licensing Basis (CLB) while the 
corresponding LAR is under review as long as the construction is 
consistent with the associated LAR and the No-Objection Letter (the 
latter of which may contain limitations on construction activities). 
The PAR No-Objection Letter authorization is strictly conditioned on 
the licensee's commitment to return the plant to its CLB if the 
requested LAR is subsequently denied or withdrawn. Failure to timely 
restore the CLB may be subject to separate enforcement, such as an 
order, a civil penalty, or both.
f. Section 2.3.1 ``Minor Violation''
    This revision will remove redundant language (IMC titles) from 
previously identified IMCs and will add references to examples of minor 
violation issues found in IMCs 0613 and 0617.
Revision
    Violations of minor safety or security concern generally do not 
warrant enforcement action or documentation in inspection reports but 
must be corrected. Examples of minor violations can be found in the NRC 
Enforcement Manual, IMC 0612, Appendix E, ``Examples of Minor Issues,'' 
IMC 0613, Appendix E, ``Examples of Minor Construction Issues,'' and 
IMC 0617, Appendix E, ``Minor Examples of Vendor and Quality Assurance 
Implementation Findings.'' Provisions for documenting minor violations 
can be found in the NRC Enforcement Manual, IMC 0610, IMC 0612, IMC 
0613, IMC 0616, and IMC 0617.
g. Section 2.3.2 ``Noncited Violation''
    This revision incorporates ``plain writing'' into the Policy 
regarding noncited violations. It will also revise

[[Page 78024]]

the opening paragraph of Section 2.3.2 to be consistent with a previous 
approved revision to this section associated with crediting licensee 
corrective action programs.
Revision
2.3.2 Noncited Violation
    If a licensee or nonlicensee has implemented a corrective action 
program that is determined to be adequate by the NRC, the NRC will 
normally disposition SL IV violations and violations associated with 
green ROP or cROP findings as noncited violations (NCVs) if all the 
criteria in Paragraph 2.3.2.a. are met.
    For licensees and nonlicensees that are not credited by the NRC as 
having adequate corrective action programs, the NRC will normally 
disposition SL IV violations and violations associated with green ROP 
or cROP findings as NCVs if all of the criteria in Paragraph 2.3.2.b 
are met. If the SL IV violation or violation associated with Green ROP 
or cROP finding was identified by the NRC, the NRC will normally issue 
a Notice of Violation.
    Inspection reports or inspection records document NCVs and briefly 
describe the corrective action the licensee or nonlicensee has taken or 
plans to take, if known. Licensees and nonlicensees are not required to 
provide written responses to NCVs; however, they may provide a written 
response if they disagree with the NRC's description of the NCV or 
dispute the validity of the NCV.

2. Section 2.3.4 ``Civil Penalty''

    Recent cases involving the willful failure to file for reciprocity 
or to obtain an NRC specific license have led to discussions about the 
agency's ability to deter future noncompliance in these areas and 
lessen the perceived potential economic benefit of working in NRC 
jurisdiction without the required notification or license.
    Although the Policy (Section 3.6, ``Use of Discretion in 
Determining the Amount of a Civil Penalty'') allows the NRC to exercise 
discretion to propose or escalate a civil penalty for cases involving 
willfulness, the NRC will add clarifying language to Section 2.3.4, 
``Civil Penalty.'' To aid in implementation and ensure consistency, the 
Enforcement Manual will include specific guidance on the typical or 
``starting'' civil penalty amount (e.g., 2 times the base civil 
penalty).
Revision
    The following language appears in Section 2.3.4 after the paragraph 
starting: ``The NRC considers civil penalties for violations . . .''
    For cases involving the willful failure to either file for 
reciprocity or obtain an NRC specific license, the NRC will normally 
consider a civil penalty to deter noncompliance for economic benefit. 
Therefore, notwithstanding the normal civil penalty assessment process, 
in cases where there is any indication (e.g., statements by company 
employees regarding the nonpayment of fees, previous violations of the 
requirement including those not issued by the NRC, or previous filings 
without a significant change in management) that the violation was 
committed for economic gain, the NRC may exercise discretion and impose 
a civil penalty. The resulting civil penalty will normally be no more 
than 3 times the base civil penalty; however, the agency may mitigate 
or escalate the amount based on the merits of a specific case.

3. Addition of Section 3.10 ``Reactor Violations With No Performance 
Deficiencies''

    The NRC is revising Section 2.2.4.d to clarify that violations with 
no ROP findings are dispositioned by using traditional enforcement. 
Section 3.10, ``Reactor Violations with No Performance Deficiencies,'' 
has been added for NRC guidance to properly disposition these 
violations. This clarification involves no actual change in policy.
Revisions
2.2.4.d: Violations not Associated With ROP or cROP Findings
3.10 Reactor Violations With No Performance Deficiencies
    The NRC may exercise discretion for violations of NRC requirements 
by reactor licensees for which there are no associated performance 
deficiencies (e.g., a violation of a TS which is not a performance 
deficiency).

4. Section 6.0 ``Violation Examples''

a. 6.3 ``Materials Operations''
    Section 6.3, ``Materials Operations,'' of the Policy addresses the 
failure to secure a portable gauge as required by 10 CFR 30.34(i). 
Specifically, under the current Policy, paragraph 6.3.c.3, a Severity 
Level (SL) III violation example, states, ``A licensee fails to secure 
a portable gauge with at least two independent physical controls 
whenever the gauge is not under the control and constant surveillance 
of the licensee as required by 10 CFR 30.34(i).'' Accordingly, a 
violation of 10 CFR 30.34(i) constitutes a SL III violation for gauges 
having either no security or one level of security. The SL III 
significance is based largely on licensees' control of portable gauges 
to reduce the opportunity for unauthorized removal or theft and is the 
only example currently provided in the Policy for this type of 
violation.
    When assessing the significance of a violation involving the 
failure to secure a portable gauge, the NRC considers that both 
physical controls must be defeated for the portable gauge to be 
removed. This deters a theft by requiring a more determined effort to 
remove the gauge. Considering that there is a reduced risk associated 
with having one barrier instead of no barrier, the NRC has determined 
that a graded approach is appropriate for 10 CFR 30.34(i) violations of 
lower significance. Therefore, the NRC believes that failures of one 
level of physical control to secure portable gauges warrant a SL IV 
designation. This graded approach was piloted in Enforcement Guidance 
Memoranda 11-004, dated April 28, 2011 (ADAMS Accession No. 
ML111170601). After over 2 years of monitoring, the NRC determined that 
the addition of the SL IV example did not increase the number of 
losses/thefts reported. Therefore, the NRC is revising violation 
example 6.3.c.3 and adding violation example 6.3.d.10:
Revisions
    6.3.c.3: Except as provided for in section 6.3.d.10 of the policy, 
a licensee fails to secure a portable gauge as required by 10 CFR 
30.34(i);
    6.3.d.10: A licensee fails to secure a portable gauge as required 
by 10 CFR 30.34(i), whenever the gauge is not under the control and 
constant surveillance of the licensee, where one level of physical 
control existed and there was no actual loss of material, and that 
failure is not repetitive.
b. Section 6.5.c.4 and 5 SL III Violations Involve, for Example
    The NRC modifies these examples (4 and 5) to reference the 
appropriate regulation governing changes to a facility referencing a 
certified design (i.e., 10 CFR 52.98). This regulation refers to 
applicable change processes in the applicable design certification 
rule, which are currently contained in 10 CFR part 52, Appendix A-D.
Revisions
    4. A licensee fails to obtain prior Commission approval required by 
10 CFR 50.59 or 10 CFR 52.98 for a change that results in a condition 
evaluated as having low-to-moderate or greater safety significance; or

[[Page 78025]]

    5. A licensee fails to update the FSAR as required by 10 CFR 
50.71(e), and the FSAR is used to perform a 10 CFR 50.59 or 10 CFR 
52.98 evaluation for a change to the facility or procedures, 
implemented without Commission approval, that results in a condition 
evaluated as having low-to-moderate or greater safety significance.
c. Section 6.5.d.5 SL IV Violations Involve, for Example
    Example 6.5.d.5 was added to Section 6.9.d ``Inaccurate and 
Incomplete Information or Failure to Make a Required Report.''
d. Section 6.9 Inaccurate and Incomplete Information or Failure to Make 
a Required Report
    Section 50.55(e)(3) requires holders of a construction permit or 
combined license (until the Commission makes the finding under 10 CFR 
52.103(g)) to adopt procedures to evaluate deviations and failures to 
comply to ensure identification of defects and failures to comply 
associated with substantial safety hazards as soon as practicable. This 
section is similar to the reporting requirements of 10 CFR part 21. A 
SL II violation example was added; violation example 6.9.c.2.(a) was 
deleted; and the reference to 10 CFR 50.55(e) was moved to the revised 
6.9.c.5 examples.
Revisions
b. SL II Violations Involve, for Example
    8. A deliberate failure to notify the Commission as required by 10 
CFR 50.55(e).
c. SL III Violations Involve, for Example
    2.(a) Deleted ``failure to make required notifications and reports 
pursuant to 10 CFR 50.55(e);''
    5. A failure to provide the notice required by 10 CFR part 21 or 10 
CFR 50.55(e), for example:
    (a) An inadequate review or failure to review such that, if an 
appropriate review had been made as required, a 10 CFR part 21 or 10 
CFR 50.55(e) report would have been required; or
    (b) A withholding of information or a failure to make a required 
interim report by 10 CFR 21.21, ``Notification of Failure to Comply or 
Existence of a Defect and Its Evaluation,'' or 10 CFR 50.55(e) occurs 
with careless disregard.
d. SL IV Violations Involve, for Example
    12. A licensee fails to make an interim report required by 10 CFR 
21.21(a)(2) or under 10 CFR 50.55(e);
    13. Failure to implement adequate 10 CFR part 21 or 10 CFR 50.55(e) 
processes or procedures that has more than minor safety or security 
significance; or
    14. A materials licensee fails to . . .
e. Section 6.9 ``Inaccurate and Incomplete Information or Failure to 
Make a Required Report''
    The NRC is removing the reference to 10 CFR 26.719(d) in violation 
example 6.9.c.2.(c) because 10 CFR 26.719(d) is not a reporting 
requirement.
Revision
    6.9.c.2.(b): Failure to make any report required by 10 CFR 73.71, 
``Reporting of Safeguards Events,'' or Appendix G, ``Reportable 
Safeguards Events,'' to 10 CFR part 73 ``Physical Protection of Plants 
and Materials,'' or 10 CFR part 26, ``Fitness-For-Duty Programs;''
f. Section 6.11 ``Reactor, Independent Spent Fuel Storage Installation, 
Fuel Facility, and Special Nuclear Material Security''
    The current Policy examples for a SL IV violation in Section 6.11.d 
are focused on the loss of special nuclear material (SNM) of low 
strategic significance. The loss of SNM is too narrow of a focus on the 
loss of material and not the other aspects of the Materials Control & 
Accountability (MC&A) program that could be a precursor to a loss of 
SNM. The Policy should include an example for the MC&A program at fuel 
facilities that covers the reduction in the ability to detect a loss or 
diversion of material which could lead to a more significant event. 
Therefore, the NRC is adding violation example 6.11.d.3 as follows.
Violation Example
    6.11.d.3: A licensee fails to comply with an element of its 
material and accounting program that results in a fuel cycle facility 
procedure degradation regarding adequate detection or protection 
against loss, theft, or diversion of SNM.
g. Section 6.14 ``Fitness-For-Duty'' Violation Example 6.14.a.2
    The NRC is incorporating violation example 6.14.a.2 into example 
6.14.b.1. An employee assistance program (EAP) is one provision of many 
contained in 10 CFR part 26, subpart B, for which 6.14.a.1 applies. 
Therefore, the ``severity'' associated with an inadequate EAP is 
significantly less than that of a licensee not meeting ``two or more 
subparts of 10 CFR part 26.'' An ineffective implementation of an EAP 
does not directly result in an immediate safety or security concern and 
should not represent a SL I violation. Therefore, the NRC is deleting 
violation example 6.14.a.2 and modifying violation example 6.14.b.1.
Revision
    6.14.a.2: Deleted.
    6.14.b.1: A licensee fails to remove an individual from unescorted 
access status when this person has been involved in the sale, use, or 
possession of illegal drugs within the protected area, or a licensee 
fails to take action in the case of an on-duty misuse of alcohol, 
illegal drugs, prescription drugs, or over-the-counter medications or 
once the licensee identifies an individual that appears to be impaired 
or that their fitness is questionable, the licensee fails to take 
immediate actions to prevent the individual from performing the duties 
that require him or her to be subject to 10 CFR part 26;
h. Section 6.14 ``Fitness-For-Duty'' Violation Example 6.14.b.2
    In violation example 6.14.b.2, the NRC is removing the language 
``unfitness for duty based on drug or alcohol use.'' Regulations in 10 
CFR part 26 do not define unfitness and the behavioral observation 
program is not limited to drug and alcohol impairment.
Revision
    6.14.b.2: A licensee fails to take action to meet a regulation or a 
licensee behavior observation program requirement when observed 
behavior within the protected area or credible information concerning 
the activities of an individual indicates impairment by any substance, 
legal or illegal, or mental or physical impaired from any cause, which 
adversely affects their ability to safely and competently perform their 
duties.
i. Section 6.14 ``Fitness-For-Duty'' Violation Example 6.14.c.1
    The NRC is revising violation example 6.14.c.1 to encompass more 
than positive drug and alcohol tests; it should include other aspects 
of the fitness-for-duty program such as subversions.
Revision
    6.14.c.1: A licensee fails to take the required action for a person 
who has violated the licensee's Fitness-For-Duty Policy, in cases that 
do not amount to a SL II violation;
j. Section 6.14 ``Fitness-For-Duty'' Violation Example 6.14.c.5
    Due to the revision to violation example 6.14.b.1, the NRC is 
revising violation example 6.14.c.5 to maintain a graded approach 
method to its violation example.

[[Page 78026]]

Revision
    6.14.c.5: A licensee's employee assistance program (EAP) staff 
fails to notify licensee management when the EAP staff is aware that an 
individual's condition, based on the information known at the time, may 
adversely affect safety or security of the facility and the failure to 
notify did not result in a condition adverse to safety or security; or

5. Section 6.13 ``Information Security''

    The NRC is revising Section 6.13, ``Information Security.'' This 
revision will replace the current examples, which are based on the 
classification levels of the information, with a risk-informed approach 
for assessing the severity of information security violations. This 
approach of evaluating the severity of information security violations 
by using a risk-informed process is based on the totality of the 
circumstances surrounding the information security violation and will 
more accurately reflect the severity of these types of violations and 
improve regulatory consistency.
    This process is the result of lessons learned from a number of 
violations that the NRC has processed over the last few years based on 
varying significance levels. This process will use a flow chart and 
table approach, along with defined terms.
    Once a noncompliance is identified, a four-step approach will be 
applied to determine the severity level of the violation. The four 
steps are: (1) Determine the significance of the information (i.e., 
high, moderate, or low), (2) determine the extent of disclosure (i.e., 
individual deemed trustworthy and reliable, unknown disclosure, or 
confirmed to an unauthorized individual), (3) determine the 
accessibility of the information (i.e., how limited was access to the 
information), and (4) determine the duration of the noncompliance 
(i.e., how long was the information available).
    Once all steps are completed, the user will obtain a recommended 
severity level for the violation. The staff recognizes this approach as 
a change from the traditional violation examples; however, the process 
will be risk-informed and will consider the totality of circumstances 
surrounding the information disclosure. The risk-informed approach to 
information security violations adopted by the NRC should not be read 
to contradict the national policy on classified information as set 
forth in Executive Order 13526, ``Classified National Security 
Information.'' This first revision is located in the beginning of the 
last paragraph of Section 4.3 of the Policy. Two conforming revisions 
are being made to Section 6.12 of the Policy to delete examples that 
conflict with the revised approach.
Revisions
a. Section 4.3 Civil Penalties to Individuals
    Section 6.13, ``Information Security,'' of this Policy provides a 
risk-informed approach for assessing the significance of information 
security violations.
b. Section 6.12 Materials Security
    6.12.c.3: Deleted
    6.12.d.10: Deleted
b. Violation example 6.13 Information Security
BILLING CODE 7590-01-P
[GRAPHIC] [TIFF OMITTED] TR07NO16.008

BILLING CODE 7590-01-C
    Step 1: Significance \1\--Describes the decision point to determine 
the significance of the disclosure as it relates to national security 
and/or common defense and security.
---------------------------------------------------------------------------

    \1\ The significance guidance provided in Step 1 is only 
applicable within the context of the NRC's Enforcement Policy and 
its application. The significance guidance is not intended to define 
the ``harm'' that an unauthorized disclosure of SECRET or 
CONFIDENTIAL information is reasonably expected to cause as those 
definitions are set forth in Executive Order 13526, ``Classified 
National Security Information.'' Nothing in section 6.13 of the 
Enforcement Policy should be read to contradict the National Policy 
on classified information.
---------------------------------------------------------------------------

    High Significance: The totality of information disclosed provides a 
significant amount of information about a technology (i.e., key 
elements of a technology or system) or combinations of the following 
elements related to

[[Page 78027]]

protective strategies: Response Strategy, Target Sets, Physical 
Security Plan, Contingency Plan or Integrated Response Plan. The 
information can be either SECRET or CONFIDENTIAL (National Security or 
Restricted Data) or Safeguards.
    Moderate Significance: The totality of information disclosed 
provides limited information that may be useful to an adversary about 
technology information or physical security plan of a facility. The 
information can be either SECRET or CONFIDENTIAL (National Security or 
Restricted Data), Safeguards, or information requiring protection under 
10 CFR part 37.
    Low Significance: The totality of information disclosed, taken by 
itself, would not aid an adversary in gaining information about a 
technology or physical security plan of a facility. The information can 
be either SECRET or CONFIDENTIAL (National Security or Restricted 
Data), Safeguards, or information requiring protection under 10 CFR 
part 37.
    Step 2: Disclosure--Describes the decision point to determine if: 
(a) The information was accessible to any individual(s) via hard copy 
format or electronic (e.g. computers) form, (b) you can determine who 
the individual(s) are, and (c) those individual(s) would meet the 
definition of Trustworthy and Reliable.
    Trustworthy and Reliable (T&R): Are characteristics of an 
individual considered dependable in judgment, character, and 
performance, such that disclosure of information to that individual 
does not constitute an unreasonable risk to the public health and 
safety or common defense and security. A determination of T&R for this 
purpose is based upon the results from a background investigation or 
background check in accordance with 10 CFR 37.5 or 10 CFR 73.2, 
respectively. To meet the T&R requirement, the individual must possess 
a T&R determination before the disclosure of the information, 
regardless of the ``need to know'' determination. Note: In accordance 
with 10 CFR 73.21 or 73.59, there are designated categories of 
individuals that are relieved from fingerprinting, identification and 
criminal history checks and other elements of background checks.
    Unknown Disclosure: Instances when controlled information has been 
secured, protected, or marked improperly but there is no evidence that 
anyone has accessed the information while it was improperly handled.
    Confirmed: Instances where a person who does not have authorization 
to access controlled information gains access to the information.
    Electronic Media/Confirmed: For electronic media it is considered 
confirmed once the information is no longer on an approved network for 
that type of information.
    Unauthorized Individual: A person who does not possess a T&R 
determination and a need to know.
    Step 3: Limited Access--Describes the decision point to determine 
the amount of controls (e.g., doors, locks, barriers, firewalls, 
encryption levels) needed to enter or gain access to an area or 
computer system in order to obtain the disclosed security information.
    Hard Copy Format: A location provides limited access if it meets 
all of the following conditions:
    a. The area was locked or had access control measures, and;
    b. individuals that frequented the area were part of a known 
population, and;
    c. records of personnel entry were maintained to the area via key 
control or key card access.
    Electronic Media: A computer network provides limited access if it 
meets all of the following conditions:
    a. The information is stored in a location that is still within the 
licensee's computer network's firewall, and
    b. the licensee has some type of control system in place which 
delineates who can access the information.
    Step 4: Duration--Describes the decision point in which a time 
period determination is made regarding the number of days the 
information was not controlled properly in accordance with the 
respective handling and storage requirements of the security 
information.
    Long: Greater than or equal to 14 days from the date of infraction 
to discovery of the non-compliance.
    Short: Less than 14 days from the date of infraction to discovery 
of the non-compliance.

6. Glossary

a. Confirmatory Action Letter
    Some agency procedures have not consistently described all 
Confirmatory Action Letter (CAL) recipients, according to an audit of 
the NRC's use of CALs. To date, all affected procedures have been 
revised to incorporate a consistent definition with the exception of 
the Policy. Therefore, the NRC is revising the Glossary term CAL to 
specifically state the recipients of a CAL.
Revision
    Confirmatory Action Letter (CAL) is a letter confirming a 
licensee's, contractor's, or nonlicensee's (subject to NRC 
jurisdiction) voluntary agreement to take certain actions to remove 
significant concerns about health and safety, safeguards, or the 
environment.
c. Interim Enforcement Policy
    The term Interim Enforcement Policy was added to the Glossary.
Revision
    Interim Enforcement Policies (IEPs) refers to a policy that is 
developed by the NRC staff and approved by the Commission for specific 
topics, typically for a finite period. Generally, IEPs grant the staff 
permission to refrain from taking enforcement action for generic issues 
which are not currently addressed in the Policy and are typically 
effective until such time that formal guidance is developed and 
implemented or other resolution to the generic issue. IEPs can be found 
in Section 9.0 of the Policy.
d. Traditional Enforcement
    The NRC is revising the definition of traditional enforcement for 
clarification purposes.
Revision
    Traditional Enforcement, as used in this Policy, refers to the 
process for the disposition of violations of NRC requirements, 
including those that cannot be addressed only through the Operating 
Reactor Assessment Program. Traditional enforcement violations are 
assigned severity levels and typically include, but may not be limited 
to, those violations involving (1) actual safety and security 
consequences, (2) willfulness, (3) impeding the regulatory process, (4) 
discrimination, (5) violations not associated with ROP or cROP 
findings, (6) materials regulations, and (7) deliberate violations 
committed by individuals.

7. Miscellaneous Corrections/Modifications

    Note: The page numbers cited correspond with the newly revised 
Enforcement Policy.
    a. Page 8: Subject to the same oversight as the regional offices, 
the Directors of the Office of Nuclear Reactor Regulation (NRR), the 
Office of Nuclear Material Safety and Safeguards (NMSS), the Office of 
New Reactors (NRO), and the Office of Nuclear Security and Incident 
Response (NSIR) may also approve, sign, and issue certain enforcement 
actions as delegated by the Director, OE. The Director, OE, has 
delegated authority to the Directors of NRR, NMSS, NRO, and NSIR to 
issue Orders not related to specific violations

[[Page 78028]]

of NRC requirements (i.e., nonenforcement-related Orders.)
    b. Page 9: The NRC reviews each case being considered for 
enforcement action on its own merits to ensure that the severity of a 
violation is characterized at the level appropriate to the safety or 
security significance of the particular violation.
    Whenever possible, the NRC uses risk information in assessing the 
safety or security significance of violations and assigning severity 
levels. A higher severity level may be warranted for violations that 
have greater risk, safety, or security significance, while a lower 
severity level may be appropriate for issues that have lower risk, 
safety, or security significance.
    c. Page 15: a. Licensees and Nonlicensees with a credited 
Corrective Action Program
    d. Page 19: The flow chart (Figure 2) is a graphic representation 
of the civil penalty assessment process and should be used in 
conjunction with the narrative in this section.
    e. Page 33: The NRC may refrain from issuing an NOV for a SL II, 
III, or IV violation that meets the above criteria, provided that the 
violation was caused by conduct that is not reasonably linked to the 
licensee's present performance (normally, violations that are at least 
3 years old or violations occurring during plant construction) and that 
there had not been prior notice so that the licensee could not have 
reasonably identified the violation earlier.
    f. Page 34: In addition, the NRC may refrain from issuing 
enforcement action for violations resulting from matters not within a 
licensee's control, such as equipment failures that were not avoidable 
by reasonable licensee QA measures or management controls (e.g., 
reactor coolant system leakage that was not within the licensee's 
ability to detect during operation, but was identified at the first 
available opportunity or outage).
    g. Page 43: 6.1.c.2 A system that is part of the primary success 
path and which functions or actuates to mitigate a DBA or transient 
that either assumes the failure of or presents a challenge to the 
integrity of the fission product barrier not being able to perform its 
licensing basis safety function because it is not fully qualified (per 
the IMC 0326, ``Operability Determinations & Functional Assessment for 
Conditions Adverse to Quality or Safety'') (e.g., materials or 
components not environmentally qualified);
    h. Page 43: 6.1.d.3 A licensee fails to update the FSAR as required 
by 10 CFR 50.71(e) and the lack of up-to-date information has a 
material impact on safety or licensed activities; or
    i. Page 59: 6.7.d.3 ``A radiation dose rate in an unrestricted or 
controlled area exceeds 0.002 rem (0.02 millisieverts) in any 1 hour (2 
mrem/hour) or 50 mrem (0.5 mSv) in a year;''

III. Procedural Requirements

Paperwork Reduction Act Statement

    This policy statement does not contain new or amended information 
collection requirements subject to the Paperwork Reduction Act of 1995 
(44 U.S.C. 3501 et seq.). Existing requirements were approved by the 
Office of Management and Budget (OMB), approval number 3150-0136.

Public Protection Notification

    The NRC may not conduct or sponsor, and a person is not required to 
respond to, a request for information or an information collection 
requirement unless the requesting document displays a currently valid 
OMB control number.

Congressional Review Act

    This policy is a rule as defined in the Congressional Review Act (5 
U.S.C 801-808). However, the Office of Management and Budget has not 
found it to be a major rule as defined in the Congressional Review Act.

    Dated at Rockville, Maryland, this 1st day of November, 2016.

    For the Nuclear Regulatory Commission.

Annette L. Vietti-Cook,
Secretary of the Commission.
[FR Doc. 2016-26762 Filed 11-4-16; 8:45 am]
 BILLING CODE 7590-01-P