[Federal Register Volume 72, Number 52 (Monday, March 19, 2007)] [Rules and Regulations] [Pages 12705-12727] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 07-1317] ======================================================================= ----------------------------------------------------------------------- NUCLEAR REGULATORY COMMISSION 10 CFR Part 73 RIN 3150-AH60 Design Basis Threat AGENCY: Nuclear Regulatory Commission. ACTION: Final rule. ----------------------------------------------------------------------- SUMMARY: The Nuclear Regulatory Commission (NRC) is amending its regulations that govern the requirements pertaining to the design basis threats (DBTs). This final rule makes generically applicable security requirements similar to those previously imposed by the Commission's April 29, 2003 DBT Orders, based upon experience and insights gained by the Commission during implementation, and redefines the level of security requirements necessary to ensure that the public health and safety and common defense and security are adequately protected. Pursuant to Section 170E of the Atomic Energy Act (AEA), the final rule revises the DBT requirements for radiological sabotage, generally applicable to power reactors and Category I fuel cycle facilities, and for theft or diversion of NRC-licensed Strategic Special Nuclear Material (SSNM), applicable to Category I fuel cycle facilities. Additionally, a petition for rulemaking (PRM-73-12), filed by the Committee to Bridge the Gap, was considered as part of this rulemaking. The NRC partially granted PRM-73-12 in the proposed rule, but deferred action on other aspects of the petition to the final rule. The NRC's final disposition of PRM-73-12 is contained in this document. DATES: Effective Date: April 18, 2007. FOR FURTHER INFORMATION CONTACT: Manash K. Bagchi, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, telephone 301-415-2905, e-mail [email protected]. SUPPLEMENTARY INFORMATION: Table of Contents I. Background II. Analysis of Public Comments and Consideration of the 12 Factors of the Energy Policy Act of 2005 III. Summary of Specific Changes Made to the Proposed Rule as a Result of Public Comments IV. Section by Section Analysis V. Guidance VI. Resolution of Petition (PRM-73-12) VII. Criminal Penalties VIII. Compatibility of Agreement State Regulations IX. Availability of Documents X. Plain Language XI. Voluntary Consensus Standards XII. Finding of No Significant Environmental Impact: Environmental Assessment: Availability XIII. Paperwork Reduction Act Statement XIV. Regulatory Analysis XV. Regulatory Flexibility Act Certification XVI. Backfit Analysis XVII. Congressional Review Act I. Background The DBT requirements in 10 CFR 73.1 describe general adversary characteristics that designated licensees must defend against with high assurance. These NRC requirements include protection against radiological sabotage (generally applied to power reactors and Category I fuel cycle facilities) and theft or diversion of NRC-licensed SSNM (generally applied to Category I fuel cycle facilities). On November 7, 2005 (70 FR 67380), the Commission published a proposed rule for public comment seeking to amend its regulation that governs the requirements pertaining to the DBTs. The DBTs are used by licensees to form the basis for site-specific defensive strategies implemented through physical security plans, safeguards contingency plans, and security personnel training and qualifications plans. Amendment of the DBT rule was influenced by a number of factors described below. Following the terrorist attacks on September 11, 2001, the NRC conducted a thorough review of security practices to ensure that nuclear power plants and other licensed facilities continued to have effective security measures in place to address the changing threat environment. The NRC recognized that some elements of the DBTs required enhancement. After soliciting and receiving comments from Federal, State, and local agencies, and industry stakeholders, and reviewing an analysis of intelligence information regarding the trends and capabilities of potential adversaries, the NRC imposed supplemental DBT requirements by order on April 29, 2003. The Commission deliberated on the responsibilities of the local, State, and Federal stakeholders to protect the nation and the responsibility of the licensees to protect individual nuclear facilities before issuing the April 29, 2003 DBT Orders. The April 29, 2003 DBT Orders required nuclear power reactors and Category I fuel cycle facility licensees to revise their physical security plans, security personnel training and qualification plans, and safeguards contingency plans to defend against the [[Page 12706]] supplemental DBT requirements. The orders required licensees to make security enhancements such as: Augmented security forces and capabilities; increased patrols; additional security posts and physical barriers; vehicle checks at greater standoff distances; enhanced coordination with law enforcement and military authorities; augmented security and emergency response training, equipment, and communication; and more restrictive site access controls for personnel, including expanded, expedited, and more thorough initial and follow-on screening of power reactor and Category I fuel cycle facility employees. After gaining experience with implementation of these orders, the Commission concluded that the general attributes of the orders should be generically imposed by regulation on certain classes of licensees. In addition, PRM-73-12 was filed by the Committee to Bridge the Gap on July 23, 2004, and was published for comment (69 FR 64690; November 8, 2004). PRM-73-12 requests that the NRC amend its regulations to revise the DBT regulations (in terms of the numbers, teams, capabilities, planning, willingness to die, and other characteristics of adversaries) to a level that encompasses, with a sufficient margin of safety, the terrorist capabilities evidenced by the attacks of September 11, 2001. The petition also requests that security plans, systems, inspections, and force-on-force (FOF) exercises be revised in accordance with the amended DBTs, and that a requirement be added to part 73 to construct shields against air attack (the shields are referred to as ``beamhenges'') which the petition asserts would enable nuclear power plants to withstand an air attack from a jumbo jet. The NRC partially granted PRM-73-12 in the proposed rule, but deferred action on other aspects of the petition to the final rulemaking. The NRC's final disposition of PRM-73-12 is discussed in Section VI of this document. Finally, the Energy Policy Act (EPAct) of 2005 was signed into law on August 8, 2005. Section 651(a) of the EPAct amended the AEA by adding Section 170E, that required the Commission to initiate a rulemaking to revise the DBTs. In addition, Section 170E also directed the Commission to consider but not be limited to, the 12 factors specified in the statute in the course of that rulemaking. As stated in the proposed rule, these factors are: (1) The events of September 11, 2001; (2) An assessment of physical, cyber, biochemical, and other terrorist threats; (3) The potential for attack on facilities by multiple coordinated teams of a large number of individuals; (4) The potential for assistance in an attack from several persons employed at the facility; (5) The potential for suicide attacks; (6) The potential for water-based and air-based threats; (7) The potential use of explosive devices of considerable size and other modern weaponry; (8) The potential for attacks by persons with a sophisticated knowledge of facility operations; (9) The potential for fires, especially fires of long duration; (10) The potential for attacks on spent fuel shipments by multiple coordinated teams of a large number of individuals; (11) The adequacy of planning to protect the public health and safety at and around nuclear facilities, as appropriate, in the event of a terrorist attack against a nuclear facility, and (12) The potential for theft or diversion of nuclear material from such facilities; The Commission took into account a number of issues and sources in conducting this rulemaking, which included its experience in the implementation of the DBT Orders, the issues raised in PRM-73-12, EPAct requirements, and the public comments on the proposed rule. The Commission has considered and deliberated on the 12 factors identified in the EPAct. The results of its consideration are set forth in Section II of this document. Additionally, the Commission specifically invited public comments on how these factors should be addressed in the rule. Many of the comments received substantively focused on the 12 factors. Those comments and the Commission's responses are also discussed in Section II. It is important to note that the Commission was careful to set forth rule text in the final rule that does not compromise licensee security, but also acknowledges the necessity to keep the public informed of the types of attacks against which nuclear power plants and Category I fuel cycle facilities are required to defend. To this end, the final rule maintains a level of detail in the rule language that is generally comparable to the previous regulation, while updating the general DBT attributes in a manner consistent with the insights gained from the application of supplemental security requirements imposed by the April 29, 2003 DBT Orders, the EPAct, and consideration of public comments. The final rule contains the DBT with which licensees must legally comply. More specific details (e.g., specific weapons, ammunition, etc.) are consolidated in adversary characteristics documents (ACDs) which contain classified or Safeguards Information (SGI). The technical bases for the ACDs are derived largely from intelligence information. They also contain classified or SGI that cannot be publicly disclosed. These documents must be withheld from public disclosure and made available only on a need-to-know basis to those who are cleared for access. Because the regulatory guides (RGs) and the ACDs are guidance documents that provide details to the licensees regarding implementation and compliance with the DBTs, these documents may be updated from time to time as a result of the NRC's periodic threat reviews. The NRC has been conducting threat reviews since 1979. These threat reviews are performed in conjunction with the intelligence and law enforcement communities to identify changes in the threat environment which may, in turn, require adjustments of NRC security requirements. Future revisions to the ACDs would not require changes to the DBT regulations in 10 CFR 73.1, provided the changes remain within the scope of the rule text. II. Analysis of Public Comments and Consideration of the 12 Factors of the EPAct The proposed rule provided a 75-day public comment period that ended on January 23, 2006. The comment period was extended by another 30 days in response to a request from the Nuclear Energy Institute (NEI), an industry group, to allow additional time for review of the proposed rule because the comment period overlapped the year-end holidays. The extended comment period ended on February 22, 2006. A total of 919 comments were received from about 903 individuals, one county, 13 citizen groups, one utility involved in nuclear activities, and two nuclear industry groups. The comments covered a range of issues, some of which were beyond the scope of this rulemaking because they were specific to protective measures but did not relate to the adversary characteristics. The comments have been organized under three groups: Group I, Consideration of the 12 Factors in the EPAct; Group II, In-Scope-comments, that includes comments raising issues and concerns directly related to the contents of the DBT rule; and Group III, Out-of-Scope comments, that includes comments raising issues and questions that are not directly related to the DBT rule, although they [[Page 12707]] are generally relevant to the security of nuclear facilities. Responses are provided in the following format: Group I: Consideration of the 12 Factors in the Energy Policy Act The Commission's consideration, public comments, and responses to the public comments are provided for the 12 factors described in Section A. Group II: In Scope Comments Comments in Groups II and III are organized under the following general categories. The Commission's responses to these comment categories are provided in Section B: 1. Definition of the Design Basis Threats 2. Applicability of the Enemy of the State Rule 3. Compliance with Administrative Procedure Act (APA) Notice and Comment Requirements 4. Ambiguous Rule Text 5. Differentiation in Treatment of General and Specific Licenses for ISFSI 6. Applicability of the Radiological Sabotage DBT to New Nuclear Power Plants 7. Consideration of the Uniqueness of Each Plant in Application of the DBTs 8. Continued Exemption of Research and Test Reactors from the DBT Requirements 9. Changes in Security Requirements to be Addressed Under Backfit Rule 10. Compliance with the Paperwork Reduction Act 11. Adequacy of the Regulatory Analysis 12. Compliance with the National Environmental Policy Act (NEPA) 13. Issuance of Annual Report Card on Individual Licensees Group III: Out of Scope Comments 14. Federalization of Security 15. Force-on-Force Tests of Security 16. Screening of Workers in Nuclear Power Plants 17. Self-Sufficient Defense Capabilities 18. Security of Dry Cask Storage 19. Security of Spent Fuel Pools 20. Inherent Design Problems that make Reactors Vulnerable A Comments Matrix has been provided in Appendix A, that references each topic with comments. The NRC's response to each topic is listed below: Section A Group I. Consideration of the 12 Factors in the Energy Policy Act As discussed above, Section 170E of the AEA, as amended by Section 651(a) of the EPAct, directed the Commission to consider but not be limited to, the 12 factors specified in the statute in the course of the DBT rulemaking. Many of the comments received by the Commission focused on one or more of these factors. Prior to discussing the substance of the 12 factors, the Commission notes that several commenters charged that the Commission violated Section 170E by not considering some of the 12 factors, and by deferring final consideration of some of the provisions to the final rule. Those commenters suggested that this not only violated the mandate of Section 170E, but also the Administrative Procedure Act (APA) by not providing adequate notice of the substance of the rule, and thus, the rule should be withdrawn and re-proposed. To be clear, Section 170E stated that the Commission ``shall consider,'' but not be limited to, the 12 factors when conducting the DBT rulemaking. However, the EPAct did not require that the Commission explicitly include any of the 12 factors in the proposed or final rule text. The Commission carefully considered intelligence information, vulnerability assessments, other Commission-sponsored studies, and each of the 12 factors in formulating the final rule. Accordingly, a number of provisions or rule changes were adopted that specifically incorporate certain language used in the 12 factors. For instance, the final rule contains specific provisions related to multiple, coordinated groups \1\ of attackers (Factor 3), suicide attacks (Factor 5), insider assistance (Factors 4 and 8), and waterborne attacks (Factor 6). Additionally, based on the 12 factors, public comment, and other intelligence and law enforcement information, the Commission has decided to explicitly include a cyber threat as an attribute of the DBTs (Factor 2). --------------------------------------------------------------------------- \1\ For purposes of this rule, there is no substantive difference between the terms ``group'' and ``team'' in reference to the operational capabilities of the DBT adversary force. The meaning of the term ``group'' is the same as the meaning of the term ``team'' used in the proposed rule. The term ``team'' was preserved in this final rule only when summarizing comments on the proposed rule or the 12 Factors of the EPAct. --------------------------------------------------------------------------- After careful consideration, the Commission also chose not to adopt elements related to some EPAct factors as part of the rule text. However, that decision should not be misconstrued as lack of consideration of the factors themselves. Nor should the Commission's statement in the proposed rule soliciting comments on ``whether or how the 12 factors should be addressed in the DBT rule'' be interpreted to mean that the Commission deferred consideration of the factors until after it received comments. Rather, the Commission proposed requirements that would require licensees to defend against threats the Commission considered appropriate at that time, subject to change in the final rule after further consideration of public comments. Several commenters specifically charged that the Commission deferred its consideration of air-based threats to the final rule, thus undermining stakeholders' abilities to know the Commission's position on that factor. At the time that the proposed rule was published, the Commission maintained its view that protection against airborne attack could best be provided by the strengthening of airport and airline security measures. Accordingly, the Commission did not propose to include a provision in the proposed rule that would require licensees to provide defense against an airborne attack but the Commission specifically sought comment on the issue in the proposed DBT rule and has remained open to changing its position. In addition to being raised in PRM-73-12, the Commission has received numerous comments on the airborne threat. It has carefully considered those comments and has responded to them below. The assertion about the lack of APA notice with regard to the EPAct's 12 factors is without merit. The proposed rule discussion contained, under a section designated ``Proposed Regulations,'' (70 FR 67381) a detailed listing and clarifying discussion of the 12 factors and a specific request for public comment on ``whether or how the 12 factors should be addressed in the DBT rule.'' (70 FR 67382). Factor 1. The Events of September 11, 2001 The Commission's Consideration: The events of September 11, 2001, have been central to the Commission's efforts in reevaluating the DBTs. As a result of these attacks, the NRC promptly reevaluated the DBTs and imposed additional requirements on licensees through orders, including the April 29, 2003 Orders on the DBTs. A number of revisions to the DBTs have resulted from consideration of the events of September 11, 2001. Those revisions include increased adversaries' willingness to kill or be killed, and the capability to operate in several different modes of attack, including multiple adversary groups, and multiple adversary entry points. Public Comment: Several commenters specifically challenged the proposed rule's consideration of the events of September 11, 2001, expressing concern [[Page 12708]] that the DBT rule does not require licensees to defend against a number of attackers comparable to the number of terrorists (19) who participated in the attacks on September 11, 2001. Response to Public Comment: The Commission disagrees with the comment. The Commission's consideration of the number of attackers comprising the DBT is discussed in more detail below under Factor 3. However, with respect to the assertion that the number of attackers should be comparable to the number of September 11, 2001, attackers (19), the Commission notes that the official U.S. Government terrorism report for 2001, ``Patterns of Global Terrorism,'' states that the September 11, 2001, attacks consisted of ``four separate but coordinated aircraft hijackings,'' not a single attack involving 19 assailants. However, in its annual terrorism report for 2001, the Federal Bureau of Investigation (FBI) considered the attacks as one act of international terrorism by ``four coordinated teams of terrorists.'' Consideration of seemingly inconsistent views was just one part of a significant statistical analysis conducted by the NRC as part of the post-September 11, 2001, DBT process to determine the DBT adversary force size. In summary:NRC position: Disagrees with the comment. Action: No action required. Factor 2. An Assessment of Physical, Cyber, Biochemical, and Other Terrorist Threats The Commission's Consideration: Although the DBT rule does not elaborate on the specifics of vehicle bomb size, numbers of adversaries, or exact types of weapons for operational security purposes, the Commission believes they are appropriate. The DBTs are the result of the NRC's continuous evaluation of current threats. That evaluation is not limited to a particular kind of threat, but naturally includes consideration of physical threats, cyber threats, and biochemical threats. The DBT rule reflects the Commission's determination of the composite set of adversary features against which private security forces should reasonably have to defend. The DBT rule has been amended in several significant respects to reflect the current physical, cyber, biochemical, and other terrorist threats. For example, the radiological sabotage DBT has been enhanced to reflect the requirement that the licensees have a capability to defend against attackers with the ability to operate in several modes of attack, including as multiple groups, attacking from multiple entry points. Additionally, in Sec. 73.1(a)(1)(i)(C), the phrase ``up to and including'' was changed to simply ``including'' to provide flexibility in defining the range of weapons available to the composite adversary force. One significant change to the rule relates to physical threats from the use of vehicles, either as modes of transportation or as vehicle bombs. Section 73.1(a)(1)(i)(E), for example, effectively expands the scope of vehicles available for the transportation of adversaries by deleting the reference to ``four-wheel drive'' and by adding water- based vehicles. In addition, Sec. 73.1(a)(1)(iii) (the land vehicle bomb provision) is similarly revised to delete the ``four-wheel drive'' limitation, and to add a capability that the vehicle bomb ``may be coordinated with an external assault,'' maximizing its destructive potential. Further, an entirely new capability has been added to the DBT involving a waterborne vehicle bomb, which also is encompassed in the coordinated attack concept. The Commission has also carefully considered biochemical threats both before and after the events of September 11, 2001. The previous rule already contained requirements that provided the capability of using ``incapacitating agents,'' and that attribute has been retained in the final rule. In addition, armed responders are required to be equipped with gas masks to effectively implement the protective strategy and mitigate the effects of the incapacitating agents. Public Comment: Although many of the public comments could generally be characterized as addressing Factor 2, only a few comments specifically fell under this factor. One commenter stated that the NRC needs to engage independent experts to develop a comprehensive computer vulnerability and cyber attack threat assessment, that must evaluate the vulnerability of the full range of nuclear power plant computer systems and the potential consequences of these vulnerabilities. The commenter further suggested that the revised DBTs must incorporate these findings and include a protocol for quickly detecting such an attack and recovering key computer functions in the event of an attack. Two other commenters stated that the regulations do not reflect protections against explosive devices of considerable size, other modern weaponry, and cyber, biochemical, and other terrorist threats. Another commenter did not believe the proposed DBTs protected against all conceivable attacks, such as launching a large explosive device from a boat, clogging the water intakes, dropping a conventional bomb into spent fuel pools, insider sabotage, etc. Response to Public Comment: Regarding the threat of cyber attack comment, the NRC agrees with the statement submitted by the commenter and explicitly included a cyber attack as an element of the DBTs in the final rule. The basis for this addition, and implications of the rule change are discussed further in Section III of this document. In addition, the proposed 10 CFR 73.55(m), ``Digital Computer and Communication Networks,'' that is included in the proposed rule, ``Power Reactor Security Requirements,'' (71 FR 62664; October 26, 2006), contains proposed measures to mitigate a cyber attack. With respect to the other comments regarding protection against explosives of considerable size and modern weaponry, as stated earlier, the details of the adversary capabilities can not be specified publicly, but the Commission believes they are appropriate. Furthermore, the land vehicle bomb assault may be coordinated with an external assault, maximizing its destructive potential. The NRC does not intend the DBTs to represent ``worst case'' scenarios or all conceivable attacks. It is impossible to address all possible attack scenarios, because there is no theoretical limit to what attack scenarios can be conceived. Therefore, the NRC staff considers the tactics that have been observed in use, discussed, or trained for by potential adversaries. These tactics and DBT provisions are subjected to an interagency review process where Federal law enforcement and intelligence community agencies comment and provide feedback. If changes develop in adversary tactics that could significantly impact nuclear facility security, the staff would request that the Commission consider these tactics for inclusion in the DBT provisions. In summary: NRC position: Agrees with one element of comment--include cyber threat as an attribute; disagrees with the other two elements. Action: Final rule includes cyber attack as an explicit element of the DBTs. No other action required. Factor 3. The Potential for Attack on Facilities by Multiple Coordinated Teams of a Large Number of Individuals The Commission's Consideration: The number of attackers and the tactics used by those attackers is now and has always been a core consideration of the DBT. Although the NRC obviously [[Page 12709]] cannot comment on the size (specific number of attackers) of the DBT adversary force for operational security reasons, it can address the process how these numbers are derived. As noted in the Commission's consideration of Factor 1, the size of the DBT adversary force and the number of assault teams were derived through a careful and deliberative process involving not only the NRC staff, but Federal law enforcement, and intelligence community, and homeland security agencies using a variety of classified and unclassified sources. A statistical analysis was done on terrorist group size by looking at hundreds of terrorist attacks over several years, and comparing them with previous group size analyses for changes in long-term trends. Large ``outlier'' terrorist events, although few in number, were included in this analysis. This statistical analysis was factored into a parallel analysis of known terrorist attacks against protected facilities (also few in number) and terrorist training, tactics, and doctrinal manuals concerning armed assaults against facilities. In addition, the NRC found that the vague qualifiers (``several persons'' and ``small group'') in the previous adversary descriptions in 10 CFR 73.1 did little to add to the clarity of the rule because the phrases are highly subjective. Thus, the final rule now contains the more specific language ``by an adversary force capable of operating in each of the following modes: a single group attacking through one entry point, multiple groups attacking through multiple entry points, a combination of one or more groups and one or more individuals attacking through multiple entry points, or individuals attacking through separate entry points.'' By revising the language in the rule and eliminating the reference to ``several persons'' and ``small group,'' the NRC actually increased the potential flexibility of the design basis adversary. The use of multiple adversary groups is not necessarily tactically advantageous to the attacking force in all possible scenarios. In some instances, the adversary force, as simulated in Force-on-Force (FOF) exercises can, based on its analysis of the licensee's protective strategy, concentrate its force in a single group if necessary to best attack a facility. In other instances, a licensee's protective strategy may be more vulnerable to multiple groups of attackers attempting entry from different locations. In any event, the final DBT rule now provides enough flexibility to account for all of these scenarios, while the guidance provides sufficient specificity. Public Comment: Several commenters contend that for nuclear power plants, the regulations should provide protection against coordinated attacks by multiple large groups of up to two dozen sophisticated and knowledgeable adversaries. Response to Public Comment: As stated above, the Commission has revised the rule to reflect these considerations and to provide maximum flexibility in developing threat scenarios which licensees must defend against. In summary: NRC position: Agrees partially with the comment. Action: No additional action required, beyond adoption of more specific language in the final rule. Factor 4. The Potential for Assistance in an Attack From Several Persons Employed at the Facility The Commission's Consideration: The Commission has always considered the threat of insider assistance to be a very real and significant threat. Thus, the DBTs have long contained a provision requiring licensees to protect against insider assistance. Also, other NRC regulations contain substantial requirements for access authorization programs (10 CFR 73.56, ``Personnel Access Authorization Requirements for Nuclear Power Plants,'' and 10 CFR 73.57, ``Requirements for Criminal History Checks of Individuals Granted Unescorted Access to a Nuclear Power Facility or Access to Safeguards Information by Power Reactor Licensees''). However, the final rule has amended this requirement to expand the threat of insider assistance. For instance, 10 CFR 73.1(a)(1)(A) and (2)(i)(A) add language indicating that the adversaries have ``sufficient knowledge to identify specific equipment or locations necessary for a successful attack.'' Therefore, this provision suggests that this knowledge could be obtained from an insider who has such knowledge. The insider assistance provision itself has also been revised. The final rule deletes the term ``individual'' to provide flexibility in defining the number of persons who may be involved in providing inside assistance. Public Comment: One commenter stated that the insider attribute must include an active participant in an attack and should include the possibility of first responders and or National Guardsmen providing insider assistance. Response to Public Comment: The NRC agrees with part one of this comment. The capability of ``active'' insider assistance is clearly stated in both 10 CFR 73.1(a)(1)(i)(B) for radiological sabotage and 10 CFR 73.1(a)(2)(i)(B) for theft or diversion of strategic special nuclear material. Further, the ``active'' assistance capability has long been a component of the DBTs. The use of the conjunction ``or'' provides for increased tactical flexibility on the part of the adversary, based on the specific situation. It does not preclude an active insider in favor of a passive one. The NRC disagrees with the second part of this comment. National Guard, local law enforcement and other non-licensee security personnel already stationed at the owner-controlled boundary or entry portals of some licensee facilities are not part of the licensee workforce and not subject to NRC regulatory authority; hence, they are considered beyond the scope of the DBTs. Typically, these organizations have their own internal screening procedures to determine reliability and trustworthiness. The NRC recognizes that those processes exist and provide an appropriate level of assurance against an insider threat to that organization. Furthermore, first responders, law enforcement, and National Guard personnel are not given unescorted access to the Protected Area (PA). First responders, law enforcement, and other external security personnel responding to an emergency or security event at a site would do so according to established emergency response protocols. If a particular responding organization had been penetrated by an adversary insider, then that adversary would be considered an external adversary for purposes of the DBTs. The requirement that licensees protect against ``A determined violent external assault, attack by stealth, or deceptive actions, including diversionary actions,'' as described in Sec. Sec. 73.1(a)(1)(i), and 73.1(a)(2)(i), anticipates such an adversary. In summary: NRC Position: Agrees with the first element of the comment, disagrees with the second element of the comment. Action: No action required. Factor 5. The Potential for Suicide Attacks The Commission's Consideration: The final rule contains language reflecting the potential for suicide attacks. This level of commitment has been assumed since the first DBTs were established by the NRC. Language has been added to Sec. Sec. 73.1(1)(i)(A) and 73.1(2)(i)(A) indicating that potential adversaries have the attribute of a willingness to ``kill or be killed.'' [[Page 12710]] Public Comment: No public comment received. Response to Public Comment: No response required. Factor 6. The Potential for Water-Based and Air-Based Threats a. The Commission's Consideration: Certainly one of the most substantial considerations of the Commission, NRC licensees, the Federal government, and the public is the threat of airborne attacks against critical infrastructures. As stated below, the vast majority of comments received by the Commission on the proposed DBT rule regarded the airborne threat. The Commission has been evaluating the issue of air-based threats long before it was required by the EPAct, and its position on the necessity to add this attribute to the DBTs prior to this rulemaking has been well documented. The Commission's evaluation of the airborne threat has been an ongoing process, and it has spent a significant amount of time and resources as part of this rulemaking in considering whether to make some type of airborne threat part of the DBTs. Ultimately, the Commission has determined that active protection against the airborne threat requires military weapons and ordnance that rightfully are the responsibilities of the Department of Defense (DOD), such as ground-based air defense missiles, and thus, the airborne threat is one that is beyond what a private security force can reasonably be expected to defend against. This does not mean that the Commission is discounting the airborne threat; merely that the responsibility for actively protecting against the threat lies with other organizations of the Federal government, as it does for any U.S. commercial infrastructures. Beyond active protection, the Commission believes that some considerations involving airborne attack relate to the development of specific protective strategies and physical protection measures that are not within the scope of the DBTs. The deployment of ground-based air defense weapons would be a decision for the Departments of Defense, Homeland Security, Transportation and Justice, not the NRC. In addition, the NRC believes that application of ground-based air defense weapons would present significant command and control challenges, particularly relating to the time required to identify and confirm the presence of a hostile aircraft and for a commercial entity to get permission to engage. The potential for collateral damage to the surrounding community also would have to be considered. Deployment of protective measures such as no-fly zones, combat air patrols, and ground-based air defenses are undertaken by many other Federal organizations working on preventing and protecting critical infrastructure from terrorist attacks, including the U.S. Northern Command (USNORTHCOM) and North American Aerospace Defense Command (NORAD), the Transportation Security Administration (TSA), and the Federal Aviation Administration (FAA). The FAA has issued a Notice to Airmen (NOTAM) strongly advising pilots to avoid the airspace above, or in proximity to, such sites as power plants (nuclear, hydro-electric, or coal), dams, refineries, industrial complexes, military facilities and other similar facilities. Pilots are warned not to loiter in the vicinity of these types of facilities. The significant increase in aviation security since September 11, 2001, goes a long way toward protecting the United States, including nuclear facilities, from an aerial attack. Some of these improvements include: Criminal history checks on flight crew; Reinforced cockpit doors; Checking of passenger lists against ``no-fly'' lists; Increased control of cargo; Random inspections; Increased Federal Air Marshal presence; Improved screening of passengers and baggage; Federal Flight Deck Officer Program; Controls on foreign passenger carriers; Requirements on charter aircraft; Enhanced vigilance of flight training; and Improved coordination and communication between civilian and military authorities. In February 2002, the Commission, in addition to the actions of other Federal entities, directed nuclear power plant licensees to develop specific plans and strategies to respond to a wide range of threats, including the impact of an aircraft attack. NRC staff conducted mock exercises to practice imminent air attack responses with each licensee. The NRC has continued to work with licensees on these issues and has inspected licensee actions to identify and implement mitigation strategies to limit the effects of such an event. The NRC has conducted detailed, site-specific engineering studies of a limited number of plants to gain insights on potential vulnerabilities of nuclear power plants to deliberate attacks involving large commercial aircraft. The results of these studies have confirmed the effectiveness of the February 2002 NRC-ordered mitigative measures, and have identified the need for some additional enhancements. For the facilities analyzed, the studies confirm the low likelihood of both damaging the reactor core and releasing radioactivity that could affect public health and safety. Even in the unlikely event of a radiological release due to a terrorist use of a large aircraft against a nuclear power plant, the studies indicate that there would be time to implement the required on-site mitigating actions. These results have also validated the potential radioactive source term for off-site emergency planning basis. Nevertheless, on June 20, 2006, the NRC issued orders to appropriate power reactor licensees requiring the implementation of additional key radiological protection and mitigation strategies to reduce potential consequences from the loss of large areas of the plant due to large fires or explosions. This information is discussed in, ``In the Matter of Operating Power Reactor Licensees Identified in Attachment 1; Orders Modifying Licensees (Effective Immediately),'' (71 FR 36554; June 27, 2006). Additional studies are being considered to further assess mitigative capabilities. The NRC will continue to coordinate with the Department of Homeland Security (DHS) on this initiative. (See Factor 9 for further discussion of a related topic, ``The potential for fires, especially fires of long duration.'') Finally, in early March 2006, the NRC hosted an Interagency Aircraft Attack Tabletop Exercise at NRC Headquarters. Representatives from the DHS, the DOD/USNORTHCOM, and the FBI attended. The purpose of the exercise was to explore Federal responsibilities and interfaces, consistent with the National Infrastructure Protection Plan and National Response Plan, for terrorist incidents at nuclear power plants, with a focus on an aircraft attack on the facility. The tabletop exercise reconfirmed the respective responsibilities of the participating organizations (NRC, DHS, DOD, and FBI) in the event of a nuclear plant aircraft attack and clarified protocols for response- related interagency communication and coordination. The final DBT contains two new provisions that account for the capability of a water-based attack, as discussed under Factor 2. These capabilities were included based on conclusions drawn from the NRC's continuing review of intelligence information and liaison with Federal law enforcement, intelligence community, and homeland security [[Page 12711]] agencies. Sections 73.1(a)(1)(i)(E) and 73.1(a)(2)(i)(E) add the capability to use water-based vehicles for transporting personnel and equipment to the proximity of vital areas. Sections 73.1(a)(1)(iv) and 73.1(a)(2)(iv) add a new provision for a waterborne vehicle bomb assault. The NRC has concluded that defense against these new DBT provisions will provide a high-assurance of protection against the waterborne threat. Public Comment: Approximately 820 comments indicated that the ``beamhenges'' concept or similar barrier method of protection should be considered for protection against airborne attacks. As generically described by the commenters, a ``beamhenge'' shield is constructed out of an interlocking series of steel I-beams and cables that would be built at sufficient stand-off distances from safety-related buildings at nuclear power plants to protect against an aircraft attack. Comments also indicated that a ``no-fly'' zone should be imposed around nuclear power plants and that ground based-air defense systems should be deployed to protect each site. Further, multiple commenters expressed concerns regarding the vulnerabilities of nuclear power plants and other licensed facilities to terrorist waterborne attacks. Commenters suggested that the revised DBTs should require nuclear power plants and other licensed facilities situated on navigable waterways to be equipped with visible, engineered physical barriers. Response to Public Comment: The Commission has spent considerable time and resources considering the threat of airborne and waterborne attacks on nuclear facilities. Based on these considerations, the NRC has chosen a two-track approach to respond to these threats in order to assure adequate protection. First, the NRC has determined that active protection against the airborne threat rests with other organizations of the Federal government, such as NORTHCOM and NORAD, TSA, and FAA. The NRC will continue to test these relationships through exercises. Second, licensees have been directed to implement certain mitigative measures to limit the effects of an aircraft strike. To the extent that commenters have suggested the imposition of specific physical security measures such as the ``beamhenges'' concept, the NRC has considered on the issue, but has rejected the concept because it believes that the mitigation measures in place are sufficient to ensure adequate protection of the public health and safety. With respect to the waterborne attack threat, the DBT rule has been revised to reflect two new water-based capabilities. However, requirements of physical barriers for the protection of the nuclear power plants and other licensed facilities under waterborne attack are not in the scope of DBT rule. Requirements for physical barriers are addressed in a separate rulemaking to amend 10 CFR 73.55. The security requirements in the proposed rulemaking that would amend 10 CFR 73.55 (71 FR 62664; October 26, 2006) address protective strategies and security measures for nuclear power plants and other licensed facilities under waterborne attacks, and require licensees to defend against the DBTs. In summary: NRC Position: Agrees with the waterborne comment. Disagrees with ``no-fly'' zones and ``beamhenges'' concept comments. Action: No action required. Factor 7. The Potential Use of Explosive Devices of Considerable Size and Other Modern Weaponry The Commission's Consideration: As part of its consideration of Factor 2, the Commission assessed the potential use of explosive devices of considerable size and other modern weaponry. The Commission notes that the DBTs have been revised to specifically reflect these two considerations. First, Sec. Sec. 73.1(a)(1)(i)(C) and 73.1(a)(2)(i)(C) were amended to revise the phrase ``up to and including'' to simply ``including'' to increase the flexibility in defining the available range of weapons. Second, the vehicle bomb threat has been expanded to include waterborne vehicles. This factor has been further articulated in Factor 2. Public Comment: Refer to Factor 2. Response to Comment: Refer to Factor 2. In summary: NRC Position: Agrees with the comment. Action: No action required. Factor 8. The Potential for Attacks by Persons With a Sophisticated Knowledge of Facility Operations The Commission's Consideration: As noted above under the discussion of Factor 4, Sec. Sec. 73.1(a)(1)(i)(A) and 73.1(a)(2)(i)(A) added language indicating that the adversaries have ``sufficient knowledge to identify specific equipment or locations necessary for a successful attack.'' Public Comment: No public comment received. Response to Comment: No response required. Factor 9. The Potential for Fires, Especially Fires of Long Duration The Commission's Consideration: The DBTs describe specific adversary characteristics against which licensees must be prepared to defend. Fires, in contrast, are not adversary characteristics, but result from a particular adversary attack. Nevertheless, the NRC considered fires resulting from several possible initiating events, both accidental and malicious in nature. The NRC conducted vulnerability assessments for some operating nuclear power plants in the 1970s and 1980s to establish the technical basis for security requirements. The NRC also routinely evaluated the potential impacts of terrorist attacks on power reactors as part of the FOF exercise program on a plant-by-plant basis. After the terrorist attacks on September 11, 2001, the NRC promptly assessed the potential for and consequences of terrorists targeting a nuclear power plant, including its spent fuel storage facilities, for an aircraft attack, the physical effects of such a strike, and how compounding factors (e.g., fires, meteorology, etc.) would affect the impact of potential radioactive releases. As part of a comprehensive assessment, the NRC conducted detailed site- specific engineering studies of a limited number of nuclear power plants to assess potential vulnerabilities of deliberate attacks involving a large commercial aircraft. Additional Commission considerations are provided under the discussion of Factor 6. A summary of the assessment study is available in a publicly available document. Public Comment: One commenter stated that the proposed rule did not consider the potential for fires, especially fires of long duration and thus asserts that the proposed rule does not comply with the Congressional directive because it fails to mention the fire threat. Response to Public Comment: The NRC disagrees with the statement submitted by the commenter. As stated above, the NRC considered fire to be a result of several possible threats. Adversary forces, bombs, and explosives can all result in fires, and potentials for fires have been considered during the DBT rulemaking process. The following is provided as background information related to this comment. As part of a larger NRC effort to enhance the safety and security of the Nation's nuclear power plants, an initiative was undertaken as part of a February 2002 NRC Order. The order required licensees to look at what might [[Page 12712]] happen if a nuclear power plant lost large areas due to explosions or fires. The licensees then were required to identify and later implement strategies that would maintain or restore cooling for the reactor core, containment building, and spent fuel pool. The requirements listed in Section B.5.b of this order directed licensees to identify ``mitigative strategies'' (meaning the measures licensees could take to reduce the potential consequences of a large fire or explosion) that could be implemented with resources already existing or ``readily available.'' The NRC held inspections in 2002 and 2003 to identify if licensees had implemented the required mitigative strategies. These inspections, as well as additional studies, showed significant differences in the strategies implemented by the plants. As a result, the NRC developed additional mitigative strategy guidance. The guidance was based on ``lessons learned'' from NRC engineering studies and included a list of ``best practices'' for mitigating losses of large areas of the plant. Each plant was requested to consider implementation of applicable additional strategies by August 31, 2005. The NRC inspected each plant in 2005 to review their implementation of any additional mitigative measures. The NRC is continuing to ensure licensees appropriately implement these measures. Finally, aircraft attack, another threat likely to result in fires was also considered and studies analyzing the consequences of successful commercial airline attacks were performed. In conducting these studies, the NRC drew on national experts from several DOE laboratories using state-of-the-art structural and fire analyses. The NRC also enhanced its ability to realistically predict accident progression and radiological release consequences. For the facilities analyzed, the studies found that the likelihood of both damaging the reactor core and releasing radioactivity that could affect public health and safety is low. Even in the unlikely event of a radiological release due to terrorist use of a large aircraft, there would be time to implement mitigating actions and off-site emergency plans such that the NRC's emergency planning basis remains valid (71 FR 36554; June 27, 2006). Additional site-specific studies of operating nuclear power plants are underway or being planned to determine the need, if any, for additional mitigating capability on a site-specific basis. In summary, the NRC considered the potential for fires during the DBT rulemaking process, as required by the EPAct. NRC position: Disagrees with the comment. Action: No action required. Factor 10. The Potential for Attacks on Spent Fuel Shipments by Multiple Coordinated Teams of a Large Number of Individuals The Commission's Consideration: As stated in response to Factor 3, the Commission considered the potential for attacks on nuclear facilities by multiple coordinated groups of a large number of individuals. The number of attackers and the tactics used by those attackers is now and has always been a core consideration of the DBTs. In addition, the Commission has considered the potential for attacks on spent fuel shipments and issued an order, requiring specific protective measures. The Commission is planning to propose a rule on spent fuel shipments in the near future. Public Comment: No public comment received. Response to Public Comment: No response required. Factor 11. The Adequacy of Planning To Protect the Public Health and Safety at and Around Nuclear Facilities, as Appropriate, in the Event of a Terrorist Attack Against a Nuclear Facility The Commission's Consideration: The DBT rule does not include requirements imposing specific emergency planning considerations. Nevertheless, the Commission considered the implications of security- related incidents on emergency planning. As part of those efforts, following the terrorist attacks of September 11, 2001, the NRC evaluated the emergency preparedness (EP) planning basis and determined that the planning basis for nuclear power reactors remains valid. Further, the NRC issued orders requiring compensatory measures for nuclear security and safety, and observed licensee performance during security-based EP drills and exercises and security FOF exercise evaluations. Also, the NRC reviewed current public radiological protective action guidance, and discussed security-based EP issues with various stakeholders, including licensees and Federal, State and local government officials. Based on the information obtained from the reviews and evaluations, the NRC determined that EP of nuclear power plants could be enhanced. The Commission approved the communication of enhancements to EP and response actions for security-based events to power reactor licensees. NRC Bulletin 2005-02, ``Emergency Preparedness and Response Actions for Security-Based Events,'' dated July 18, 2005, communicated enhancements in the following areas: Security-based emergency classification levels and emergency action levels; A 15 minute prompt notification to the NRC for security- based events; On-site protective actions to maximize personnel safety during security-based events; Enhanced emergency response organization augmentation; and Development of a security-based emergency drill and exercise program. As of February 18, 2006, all power reactor licensees have implemented the enhancements to their EP programs with the exception of the drill and exercise program. A majority of nuclear power plant licensees indicated that adoption of the security-based EP drill and exercise program is contingent on NRC and the Department of Homeland Security (DHS) endorsement. The NRC continues to work with DHS and the Nuclear Energy Institute to develop and implement a security-based drill and exercise program at power reactor licensees. This program is being conducted in a phased approach. Tabletop drills at four power reactor sites and a facility drill were conducted successfully, and areas for improvement were identified and incorporated by the industry into draft guidelines. Over the next three years, the industry plans to conduct security-based EP drills at each power reactor licensee with an end state of the integration of security-based EP scenarios into the biennial EP exercise program. In addition to those security-related emergency planning efforts, the NRC and DHS worked together to develop and improve EP for a terrorist attack through federal initiatives such as comprehensive review programs and integrated response planning efforts. The NRC and DHS have enhanced the coordination of integrated EP programs through evaluations of licensee and State/local/tribal response capabilities, and reviews of critical infrastructure preparedness and response plans for commercial nuclear power plants. Our combined efforts have resulted in specific enhancements to security-related EP measures, and continued improvement in capabilities for licensees and off-site response organizations to respond to a wide spectrum of events. Public Comment: No public comment received. Response to Public Comment: No response required. [[Page 12713]] Factor 12. The Potential for Theft or Diversion of Nuclear Material From Such Facilities The Commission's Consideration: The DBT rule includes two separate components, the DBT of radiological sabotage, and the DBT of theft or diversion of formula quantities of special nuclear materials. Although the legal requirements of the radiological sabotage DBT and the theft or diversion DBT, as embodied in the rule text of Sec. Sec. 73.1(a)(1) and in 73.1(a)(2), respectively, are the same, the ACDs and RGs differ in describing how power reactor and Category I fuel cycle facility licensees should implement and comply with the separate rules. These differences are classified and are not elaborated on here. As stated in 10 CFR 73.55(a), power reactor licensees are only required to protect against the threat of radiological sabotage. Spent fuel is not an attractive theft or diversion target due to its large physical size and high thermal heat and radioactivity (most power reactor spent fuel is considered ``self-protecting''). As stated in the response to Group III Comments No. 18 (Security of Dry Cask Storage) and 19 (Security of Spent Fuel Pools), the NRC has required that licensees take additional security and mitigating measures against a radioactive release of spent fuel. The NRC has authorized the Duke Energy Corporation, owner and operator of the Catawba plant, to irradiate four fuel assemblies of Mixed-Oxide (MOX) fuel at the Catawba plant on a test basis as part of its license amendment issued on March 3, 2005. MOX fuel technically meets the criteria of a formula quantity of Strategic Special Nuclear Material, in this case plutonium, and would be subject to the DBT provisions of Sec. 73.1(a)(2) for theft or diversion. However, the NRC staff found that MOX fuel is not attractive to potential adversaries from a theft and diversion standpoint at the reactor site due to its low plutonium concentration, composition, and form (size and weight). The MOX fuel consists of plutonium oxide particles dispersed in a ceramic matrix of depleted uranium oxide with a plutonium concentration of less than six weight percent. The MOX fuel assemblies are the same form as conventional fuel assemblies designed for a commercial light- water power reactor and are over 12 feet long and weigh approximately 1,500 pounds. A large quantity of MOX fuel and an elaborate extraction process would be required to yield enough material for use in an improvised nuclear device or weapon. On the ``attractiveness'' bases, the NRC staff found that the complete application of 10 CFR 73.45(d)(1)(iv), 73.46 (C)(1), 73.46(h)(3), 73.46(b)(3)-(b)(12), 73.46(d)(9), and 73.46(e)(3) for MOX fuel was not necessary. The staff therefore approved the exemptions requested to these regulations, finding that they were authorized by law, and will not endanger life or property or the common defense and security, and that are otherwise in the public interest. The Commission later approved this determination in an adjudicatory order issued on June 20, 2005. Duke Energy Corporation (Catawba Nuclear Station, Units 1 and 2), CLI-05-014, 61 NRC 359,363 (2005). Furthermore, transportation of the MOX fuel assemblies to Catawba will be done by the Department of Energy's (DOE's) Office of Secure Transportation, that has legal responsibility for the MOX fuel assemblies until custody is transferred to the licensee. Afterwards, the spent MOX fuel is cooled and stored like other spent fuel on site and is subject to the radiological sabotage DBT while stored in the spent fuel pool inside the Protected Area of the plant. Public Comment: No public comment received. Response to Public Comment: No response required. Section B Group II. In Scope Comments 1. Defining the ``Design Basis Threat'' Public Comment: Multiple commentators expressed concern that the NRC has not publicly defined or explained the ``design basis threat.'' Specifically, commenters were unclear what the Commission means by the statement that the DBTs are based on a ``determination as to the attacks against which a private security force can reasonably be expected to defend.'' These commenters suggested that the Commissions's failure to articulate the DBT concept creates an ambiguity in establishing the division of responsibility between NRC licensees and the DOD, or DHS. Several commenters suggested that if the NRC does not require plants to defend against air attack because it is unreasonable for a private security force to be able to do so, then it has no choice but to federalize security by requesting that DHS or the military assume full responsibility for the protection of nuclear power facilities. Other commenters suggested that the NRC's rationale for limiting the characteristics of the DBTs to the attacks against which a private security force could reasonably be expected to defend appears to be based on cost considerations, which is not permitted for measures that are necessary for the protection of public safety. Other commenters representing the nuclear industry, while agreeing that the DBT scope must be clear, asserted that the DBT can not be greater than the largest threats against which private sector facilities can reasonably be requested to defend themselves, and threats beyond the DBT are reasonably the responsibility of the national defense system. Response to Public Comment: The Commission has determined that the DBTs, as articulated in the rule, are based on adversary characteristics against which a private security force can reasonably be expected to defend. This formulation provides the Commission with the flexibility necessary to make reasoned, well-informed decisions regarding the DBTs. In contrast, detailed, prescriptive criteria would be unduly restrictive, and would unnecessarily limit the Commission's judgment. This judgment is guided by the Commission's considerable expertise in nuclear security matters, developed over the course of 30 years of experience regulating the physical protection of nuclear facilities. With regard to the federalization of nuclear plants security forces, the Commission does not have the authority to federalize nuclear security forces and cannot demand deployment of military forces to protect nuclear facilities. Nor has Congress chosen to require these measures. As it has stated publicly many times, the Commission is confident that neither measure is necessary or even prudent. A primary reason for this is that the introduction of a federalized nuclear security force or military unit to provide day-to-day security would create command and control issues for plant management because it would essentially establish two classes of employees at commercial nuclear facilities, both of whom would be responsible for reactor safety in the event of a terrorist attack. This could result in a reduction in the licensee's ability to ensure reactor safety. In contrast, the continued use of private nuclear security officers responsible to the licensee maintains a unitary command structure focused on a unitary objective. The tightly-regulated private nuclear security forces in use today are well trained on the unique security considerations specific to nuclear power facilities and through rigorous FOF training have proven themselves to be effective and reliable. These conclusions were also documented when the Commission originally studied the issue [[Page 12714]] in 1976 in a report to Congress titled the ``Security Agency Study.'' The DBT rule is also guided by the Commission's knowledge that, in addition to being among the most robust industrial facilities in the world, nuclear power plants are arguably the most physically secured industrial facilities. No other civilian industry security force is subject to as much regulatory oversight as the nuclear industry. However, the Commission acknowledges that the use of private security forces to defend nuclear power facilities faces limitations. For instance, there are legal limitations on the types of weapons and tactics available to private security forces. Generally, nuclear security officers have access only to weapons that are available to civilians. Although authority recently granted the Commission under the EPAct of 2005 will allow the Commission to authorize the use of more sophisticated weaponry, the most powerful weapons and defensive systems will remain reserved for use only by the military and law enforcement. Thus, it would be unreasonable to establish a DBT that could only be defended against with weapons unavailable to private security forces. In addition, the Commission previously decided not to require licensees to defend against attacks by ``Enemies of the State'' as defined by 10 CFR 50.13. However, these limitations on weapons and defensive systems available to private security forces do not undermine the Commission's confidence in those forces to provide adequate protection. The defense of our nation's critical infrastructure is a shared responsibility between the NRC, the DOD, the DHS, Federal and State law enforcement, and other Federal agencies. A reasonable approach in determining the threat requires making certain assumptions about these shared responsibilities. Although licensees are not required to develop protective strategies to defend against beyond-DBT events, it should not be concluded that licensees can provide no defense against those threats. The Commission's regulations at 10 CFR 73.55(a) require power reactor licensees' security programs to provide ``high assurance that activities involving special nuclear material are not inimical to the common defense and security and do not constitute an unreasonable risk to the public health and safety.'' Within this requirement is the expectation that, if confronted by an adversary beyond its maximum legal capabilities, on-site security would continue to respond with a graded reduction in effectiveness. The Commission is confident that a licensee's security force would respond to any threat no matter the size or capabilities that may present itself. The Commission expects that licensees and State and Federal authorities will use whatever resources are necessary in response to both DBT and beyond-DBT events. Several commenters felt that the DBT rule should define clearly demarcated boundaries where the responsibilities of the licensee end and those of the Government begin for defending nuclear facilities. In the Commission's view, establishing set boundaries demarcating a division of responsibilities is neither possible nor desirable. The better approach is for the Commission to continue its efforts to encourage licensees and Government organizations to integrate and complement their respective security and incident-response duties so that facilities subject to the DBTs have the benefit of all available incident-response resources during the widest possible range of security events. Currently, these integrated response planning efforts include prearranged plans with local law enforcement and emergency planning coordination. Licensees also must comply with event reporting requirements to the NRC so that a Federal response is readily available, if necessary. However, the DBTs are not defined by cost considerations, as suggested by several commenters. The rule text set forth at Sec. 73.1 represents the largest adversary against which the Commission believes private security forces can reasonably be expected to defend. Thus, when the DBT rule is used by licensees to design their site specific protective strategies, the Commission is thereby provided with reasonable assurance that the public health and safety and common defense and security are adequately protected. The Commission agrees with the commenters that it may not legally consider economic factors in determining the level of adequate protection of public health and safety and common defense and security (Union of Concerned Scientists v. NRC, 824 F.2d 108, 117118 (D.C. Cir. 1987)), and it did not do so in deciding what level of protection it considers to be adequate in this rulemaking. Rather, as the Commission has clearly set forth above, the requirements in the DBT rule are determined by the Commission's consideration of the staff's threat assessments based on coordination with law enforcement, intelligence, and homeland security agencies, the Commission's considerable experience in these matters, and the legal limitations on security forces available to licensees. In contrast, the Commission's determination of specific aspects of implementation of and compliance with the DBT rule, as described in the ACDs and regulatory guidance, may involve consideration, along with other factors, of the relative costs of various methods of implementing particular requirements of the DBTs. In summary: NRC position: Disagrees with the comments. Action: No action required. 2. Applicability of the Enemy of the State Rule Public Comment: Several commenters also suggested that the proposed rule does not clearly distinguish between a threat posed by an ``enemy of the state'' excluded by 10 CFR 50.13, and threats covered by the DBTs. They asserted that the phrase ``enemy of the state'' is ambiguous and can no longer be relied on to preclude the development of defensive measures at nuclear power plants. Those commenters again expressed concern that the division of responsibilities between the licensees and the national defense system are ambiguous. Other commenters argued that the Commission has failed to explain why the DBTs exclude an ``Al-Qaeda like terrorist organization'' as an ``enemy of the state'' notwithstanding the Commission's statements in the vehicle bomb rulemaking, that described the characteristics of an ``enemy of the state,'' that seemingly would have included organization like an Al-Qaeda. Commenters representing industry stated that licensees are not and should not be required to defend against threats posed by enemies of the United States. They argued that the DBTs represent the largest threat against which a private security force can reasonably be expected to defend, and that any escalation of this adversary would be inconsistent with 10 CFR 50.13. These threats are properly the responsibility of the national defense establishment and other security agencies. Response to Public Comment: The enemy of the state rule, 10 CFR 50.13, was promulgated in 1967 amid concerns that Cuba might launch attacks against nuclear power plants in Florida. That rule (32 FR 13455; September 26, 1967) was primarily intended to make clear that privately-owned nuclear facilities were not responsible for defending against attacks that typically could only be carried out by foreign military organizations. By contrast, the DBT rule does not focus on the identity, [[Page 12715]] sponsorship, or nationality of the adversaries. Instead, it affirmatively defines a range of attacks and capabilities against which nuclear power plants and Category I fuel cycle facilities must be prepared to defend. An adversary force that falls outside of the range of attacks against which nuclear facilities are reasonably expected to defend is considered to be ``beyond-DBT,'' regardless of whether it would or would not be deemed an ``enemy of the state.'' The Commission disagrees that any extension of the DBTs automatically conflicts with 10 CFR 50.13. The Commission may revise the DBTs in response to changes in the threat environment without necessarily implicating 10 CFR 50.13. To be clear, ``beyond-DBT'' and ``enemy of the state'' are not equivalent concepts. In addition, improved response capabilities may become available to private security forces in the future. In that case, potential increases to the DBTs may be ``reasonable to expect a private force to protect against'' without coming into conflict with ``enemy of the state.'' In summary: NRC position: Disagrees with the comments. Action: No action required. 3. Compliance With Administrative Procedure Act (APA) Notice and Comment Requirements Public Comment: Multiple commenters stated that sharing the ACDs with an exclusive group of parties constitutes a violation of the APA because the technical basis for the proposed rule is contained in those documents. Those commenters stated that the NRC should disclose the general and legal principles discussed in the exchange of the documents without releasing Safeguards Information. Another commenter expressed concern that the DBT rule is based on ex parte communications received from the nuclear industry after sharing the contents of the proposed rule only with certain parties. Also, because the general public has no idea what general legal or technical principles were discussed in these private communications, it could not intelligently comment on the proposed rule. Other commenters charged that the DBT rulemaking is simply codifying secret orders to avoid public scrutiny. Thus, they suggest that because the proposed rule did not contain specifics of the DBTs, the NRC is free to change the specific requirements without notice to the public, effectively conducting a secret rulemaking in violation of the APA. Industry commenters suggested that the ACDs and RGs should be incorporated by reference into the DBT rule to ensure adequate stakeholder participation in changes to the specific details of the DBTs. Otherwise, these commenters argue that the use of the ACDs and RGs has the potential for circumventing the APA and Paperwork Reduction Act. Response to Public Comment: The Commission is confident that the rulemaking process for the DBT rule complies with the APA. As set forth in the statements of consideration to the proposed rule (70 FR 67380, 67382; November 7, 2005), the Commission has carefully balanced the public interest in knowing the security considerations for the protection of special nuclear material and the need for meaningful comment with security interests related to the disclosure of specific details of DBT adversaries. The result is a DBT rule that defines in reasonable detail a range of attacks against which licensees are required to defend. The DBT rule contains all of the requirements with which licensees must legally comply. No additional information was necessary to understand or to comment on the proposed DBT rule. The ACDs and RGs are guidance documents containing SGI and classified information, and describe how licensees can comply with the regulations. The ACDs and RGs are not regulations, and are not legally enforceable. The APA permits agencies to develop guidance documents like the ACDs and RGs without following notice-and-comment rulemaking requirements (5 U.S.C. 553(b)(3)(A)). Changing the guidance in the ACDs or RGs based on changes to the threat environment would not change the requirements of the rule. The text of the proposed rule provided ample information to enable meaningful comment on what the current level of protection for nuclear power plants and Category I fuel cycle facilities should entail. Members of the public can and have provided the Commission their views in this rulemaking on the number of attackers, amounts of explosives, and types of weapons that licensees should be required to defend against, even without having access to classified information or SGI. Therefore, access to the ACDs and the RGs was not necessary to enable meaningful public comment on the proposed DBT rule. One commenter suggested that it was improper for the Commission to share the draft ACDs and RGs with members of the nuclear industry but not members of the general public. The NRC shared the draft ACDs and RGs with licensees at the request of NEI before expiration of the initial comment period because NEI, in its capacity as the representative of the nuclear industry, had the appropriate clearance and a specific need to know the information in order to assist licensees in planning and designing protective strategies capable of defending against the DBTs. The NRC also shared those documents with the States of New Jersey and Illinois that had established a need to know and obtained appropriate clearance. Other NRC stakeholders do not necessarily share this need to know, and therefore, have not been granted access to the classified and SGI ACDs and RGs. The NRC did not provide the draft ACDs and RGs to enable industry comments on the rule, nor has the Commission received or considered non-public comments on the rule. The Commission reiterates that no SGI or classified information was necessary to enable public comment, nor were any non-public comments received or considered over the course of this rulemaking. All of the comments received and considered in this rulemaking have been made publicly available. Finally, the Commission disagrees that the ACDs and RGs should be incorporated by reference in the text of the final rule. As explained above, the ACDs and RGs are guidance documents. The legally-binding requirements are contained in the text of the rule. Incorporating these documents by reference would not only be inconsistent with that approach, but would potentially subject these documents to public disclosure based on the requirements of Section 552 of the APA, and the Office of the Federal Register regulations. In summary: NRC position: Disagrees with the comments. Action: No action required. 4. Ambiguous Rule Text Public Comment: Several commenters stated that the continued use of the phrase ``one or more teams'' in the rule ignores the inherent ambiguity of this type of construction, as identified in the Atomic Safety and Licensing Board's 2005 decision in the Catawba licensing proceedings. See Duke Energy Corporation (Catawba Nuclear Station, Units 1 and 2), LBP-05-10, 61 NRC 241, 297 (2005). The commenters argued that this construction i.e. use of the conjunction ``or'') permits licensees to select from one of two options (i.e. either one team or more teams), and thus permits licensees to develop their protective strategy ignoring the [[Page 12716]] possibility of three teams or more. The commenters therefore suggested that the rule be revised to eliminate use of this ambiguous construction. One commenter suggested rule text that read ``capable of operating in multiple teams, up to the maximum number of teams that can be formed from the adversary force, where a team has no fewer than two members.'' Response to Public Comment: Though the Commission does not necessarily agree that the phrase ``capable of operating as one or more teams'' is ambiguous, in the final rule, it has nevertheless modified this language to be clear that licensees are required to defend against multiple modes of attack, including both a single group as well as multiple groups. Notably, the prior radiological sabotage DBT rule did not contain language requiring licensees to defend against multiple groups of adversaries, as specified in the theft or diversion DBT. The final rule adds a requirement to the radiological sabotage DBT that licensees protect against an adversary ``capable of operating in each of the following modes: a single group attacking through one entry point, multiple groups attacking through multiple entry points, a combination of one or more groups and one or more individuals attacking through multiple entry points, or individuals attacking through separate entry points,'' and the theft or diversion DBT has been revised for consistency. The rule therefore requires that licensees evaluate a wide range of possible attack scenarios when developing their protective strategies. Under the final rule, licensees must be able to defend against an attack from multiple entry points by a number of groups and/or individuals. Neither a protective strategy that is only capable of defending against a single group nor one that is only capable of defending against a number of smaller groups would meet the requirements of the rule. The revision of this language does not, however, change the scope of this provision as originally intended by the Commission in the proposed rule. The purpose of the change is merely to provide the clearest possible articulation of the rule's requirements. In summary: NRC position: Disagrees with the comments. Action: No action required. 5. Differentiation in Treatment of General and Specific Licenses for ISFSI Public Comment: One commenter stated that the NRC did not provide a specific rationale in the proposed rule as to why a specific license ISFSI with security requirements arising from the security requirements in 10 CFR 72.182 should be subject to a different DBT than a general license ISFSI with security requirements arising from 10 CFR 72.212, especially when nearly identical spent fuel in identical storage casks is stored at these two classes of licensees. The commenter requested that the NRC describe why these two types of ISFSIs should be treated differently from a DBT perspective in the final rule, or indicate that these licensees are subject to the same security requirements. Response to Public Comment: The commenter is correct in noting that specifically-licensed and generally-licensed ISFSIs are treated differently in the current regulations. For example, the current regulation in 10 CFR 73.1(a) contains an exemption for specifically- licensed ISFSIs, subject to 10 CFR 72.182. However, the physical protection regulations for specifically-licensed ISFSIs, found at 10 CFR 72.180 and 72.182, do not require protection against the DBT, so it is unnecessary to exempt specifically-licensed ISFSIs from the DBT regulation. By contrast, generally-licensed ISFSIs are required to protect against the DBT for radiological sabotage by 10 CFR 72.212(b)(5), but by the same regulation, are excepted from certain specific requirements contained in the DBT. Ultimately, these discrepancies have no effect on the security of the facilities because both generally-licensed and specifically-licensed ISFSIs have equivalent protective measures in place, including those imposed by the October 2002 Order. The intent of this rulemaking was to update the DBTs applicable to power reactors and Category I fuel cycle facilities. Conforming changes were made to preserve the existing regulatory structure for other licensees. However, the NRC is currently considering future rulemakings to align the generally-licensed and specifically-licensed ISFSI requirements and to evaluate the application of the DBT. In summary: NRC position: Agrees with the comments. Action: No action required as part of this rulemaking. 6. Applicability of the Radiological Sabotage DBT to New Nuclear Power Plants Public Comments: Two commenters stated that the DBT for new nuclear power plants should be the same as for operating nuclear power plants. One commenter specifically stated that the proposed rule did not justify the adoption of different DBTs for new nuclear power plants. The commenter believes that the NRC has already set the DBTs at the level of the largest threat against which a private guard force can reasonably be expected to defend. Therefore, there is no reason to have a different set of DBTs for new nuclear power plants. The commenter expressed a concern that different DBTs for new plants could result in two different sets of DBTs for the same nuclear power plant site with a currently operating nuclear power plant. Response to Public Comment: The NRC agrees with the commenters that the radiological sabotage DBT should be uniformly applicable to new and currently operating nuclear power plants. In fact, the NRC did not propose different radiological sabotage DBTs for new nuclear power plants in the proposed rule. As stated by the Commission in the staff requirements memorandum on SECY-05-120, ``Security Design Expectations for New Reactor Licensing Activities,'' the expectation is that new reactors will be designed and constructed to be inherently more secure with less reliance on other elements of a traditional security program. To assess the security of new reactors, the NRC is developing proposed requirements for new reactor licensees to submit security assessments as part of their license application package. In summary: NRC position: Agrees with the comments. Action: No action required as part of this rulemaking. 7. Consideration of the Uniqueness of Each Facility in Application of the DBTs Public Comment: One commenter stated that each nuclear facility is unique due to its location and surrounding population, and therefore, the DBT for each facility must have its own specific requirements. The DBT cannot be a one-size fits all program. Response to Public Comment: The DBT rule specifies threat characteristics, and does not specify or include requirements for any specific programs. Site-specific security requirements are embodied in site security plans and security measures. The NRC does not agree with the statement submitted by the commenter that each facility must have its own specific requirements. Site-specific requirements are taken into account by licensees during development of their physical security plans. The NRC considers the site-specific requirements when it reviews and approves the plans, and tests the adequacy of the site-specific requirements when it conducts FOF exercises at nuclear power plants. It should be noted that the DBTs are comprised of attributes selected from [[Page 12717]] the overall threat environment. The technical bases for the DBTs are based on the NRC's periodic threat assessments performed in conjunction with the Federal intelligence and law enforcement communities for identification of changes in the threat environment. The assessments contain classified and SGI that cannot be publicly disclosed. The NRC believes that the DBTs should be uniformly applicable to all comparable nuclear facilities and will continue to ensure adequate protection of public health and safety and the common defense and security by requiring the secure use and management of radioactive materials. In summary: NRC position: Disagrees with the comments. Action: No action required. 8. Continued Exemption of Research and Test Reactors From the DBT Requirements Public Comment: Two commenters stated that research reactors possessing Category I quantities of highly-enriched uranium (HEU) must provide protection against theft at the same level as any other Category I facility. Response to Public Comment: The NRC disagrees with this comment. The NRC has made a policy decision that Research and Test Reactors (RTRs) who possess Category I quantities of Special Nuclear Material protect this material as specified in the physical protection requirements for non-power reactor fuel in 10 CFR 73.60(a) through (e) and 73.67. These regulations do not require licensees to protect against either the radiological sabotage or the theft or diversion DBT. Under 10 CFR 73.60, non-power reactor licensees who possess or use 5 kilograms or greater of HEU are exempt from the requirements in 10 CFR 73.60(a) through (e) if the HEU is not readily separable and has a total external radiation dose rate in excess of 100 rems per hour at a distance of 3 feet from any accessible surface without intervening shielding. It should also be noted that most RTRs possess limited quantities of nuclear material on-site, and that the nature and form of this material is not easily dispersed or handled. As a result, the NRC has determined that RTRs pose a relatively low risk to public health and safety from potential radiation exposure and has tailored the security requirements and oversight for these facilities consistent with their relatively low risk. The NRC requires that RTR licensees have security plans and/or procedures that reflect a graded approach which considers the attractiveness of the reactor fuel as a target, and the risk of radiological release. RTR security programs and systems provide for detection and response to unauthorized activities. In general, these programs include access control to the facilities, observation of activities within the facilities, and alarms or other devices to detect unauthorized presence. RTRs also have emergency plans in place to respond to emergency situations. Those RTRs that are still licensed to use HEU are either already scheduled to convert to low-enriched uranium (LEU) or intend to do so. The DOE is the lead agency for converting RTRs to LEU fuel. The NRC has been working with the DOE to facilitate this effort. In summary: NRC Position: Disagrees with the comment. Action: No action required. 9. Changes In NRC Security Requirements To Be Addressed Under the Backfit Rule Public Comment: One commentator stated that the Backfit Rule requires that the NRC perform a backfit analysis for changes in regulatory position. The commenter observed that the NRC has determined that a backfit analysis is not necessary in connection with the changes to the DBTs because the changes result from redefining the level of protection that should be regarded as adequate, but that such a determination should be supported by a documented evaluation and the proposed rulemaking does not provide such an evaluation, and each future change to the ACDs and RGs will require a separate backfit analysis. Response to Public Comment: The Commission disagrees with the comment that the proposed rulemaking does not provide a documented evaluation of its decision. As stated in the Federal Register (70 FR 67387; November 7, 2005), the NRC has determined, pursuant to the exception in 10 CFR 50.109(a)(4)(iii) and 10 CFR 70.76(a)(4)(iv), that a backfit analysis is unnecessary for this rule. Sections 50.109 and 70.76(a)(4)(iv) state, in pertinent part, that a backfit analysis is not required if the Commission finds and declares with appropriate documented evaluation for its finding that a ``regulatory action involves defining or redefining what level of protection to the public health and safety or common defense and security should be regarded as adequate.'' When the Commission imposed security enhancements by order in April 2003, it did so in response to an escalated domestic threat level. Since that time, the Commission has continued to monitor intelligence reports regarding plausible threats from terrorists currently threatening the U.S. The Commission has also gained experience from implementing the order requirements and reviewing revised licensee security plans. The Commission has considered all of this information and finds that the security requirements similar to those previously imposed by the April 29, 2003 Orders, which applied only to existing licensees, should be made generically applicable. The Commission further finds that the rule redefines the security requirements stated in existing NRC regulations, and is necessary to ensure that the public health and safety and common defense and security are adequately protected in the current, post-September 11, 2001, environment. The Commission concurs with the commenter's position that documented evaluation should be performed when there are changes in ACDs and RGs necessitated by changes in the threat environment. In summary: NRC position: Disagrees with first element of the comment. Concurs with the second element of the comment. Action: No current action is required. Future changes in the ACDs and RGs will require a documented evaluation. 10. Compliance With the Paperwork Reduction Act Public Comment: Several commenters stated that the Paperwork Reduction Act is circumvented by this approach. The commenters assert that the proposed approach using RGs and ACDs to establish the details of the DBTs has the potential for circumventing the Paperwork Reduction Act, and avoiding proper regulatory analyses and backfit analyses. The rule provides broad requirements that lack details and provides the NRC with significant flexibility to change the details of the DBTs, which drives the design of protective measures and protective strategies without appropriate input from the affected regulated licensees. The Paperwork Reduction Act Statement in the proposed rule (70 FR 67380; November 7, 2005) states that: ``This proposed rule does not contain new or amended information collection requirements subject to the Paperwork Reduction Act of 1995.'' The commenter believes that this statement is incorrect and underestimates the impact on licensees due to future changes to the RGs and ACDs. The Paperwork Reduction Act Statement is flawed and should be revised. Response to Public Comment: The DBT rule specifies threat characteristics used by licensees to design their [[Page 12718]] protective strategies. The rule does not contain prescriptive measures to be adopted by individual licensees. The ACDs and RGs include certain details and guidance related to such threat characteristics. This approach has been adopted because the ACDs and RGs contain SGI or classified information that cannot be disclosed in the public domain and would be useful to potential adversaries. This approach is not a circumvention of the Paperwork Reduction Act, but reflects the inherent dichotomy of the DBT rulemaking in trying to reach a balance between the needs for meaningful public participation and the requirement to protect SGI and classified information, where public disclosure of specific attributes or details of security designs or protective measures would have the potential of making them ineffective. The statement, ``This proposed rule does not contain new or amended information collection * * *. Act of 1995,'' is accurate. The final rule consolidates the supplemental requirements put in place by the orders with the previous DBTs in Sec. 73.1(a), and does not impose additional burden for the current licensees even though the rule contains a cyber threat as an additional attribute of the threat. This is because the licensees subject to the DBTs were directed by the Interim Compensatory Measures (ICM) Order (EA-02-026) to consider and address cyber safety and security vulnerabilities. In April 2003, the Orders (EA-03-086) and (EA-03-087) that supplemented the DBT, also contained language concerning the cyber threat. Licensees were subsequently provided with a cyber security self-assessment methodology, the results of pilot studies, and a guidance document issued by the NEI to facilitate development of site cyber security programs. The designated licensees have done so accordingly.The burden for future licensees will be covered under 10 CFR Part 52 (3150-0151). In summary: NRC Position: Disagrees with the comment. Action: No action required. 11. Adequacy of the Regulatory Analysis Public Comment: A commenter stated that the regulatory analysis is based on an incorrect premise and should be revised. A statement in the Regulatory Analysis states that ``Impacts upon the licensees from this proposed rule would be minimal. Because the adversary characteristics would remain consistent with those promulgated by orders, no technical changes will be required. Licensees may need to update references in their security plan documentation, which could be accomplished without NRC review and in conjunction with future plan updates.'' One commenter believes that this statement is incorrect and underestimates the impact on licensees. Response to Public Comment: The Commission disagrees with the commenter that the regulatory analysis is based on an incorrect premise and should be revised. The regulatory analysis contained in the proposed rule stated that, ``The proposed regulatory action would not involve imposition of any new requirements, and would not expand the DBTs beyond the requirements in place under NRC regulations and orders.'' Consequently, the DBT amendments would not require existing licensees to make additional changes to their current NRC-approved security plans. This premise was correct then and is correct even now because a cyber threat is explicitly included as an attribute of the final rule. Even though the regulatory action involves the imposition of a cyber threat as an explicit requirement, this does not impose additional burden for the licensees. This is because the licensees subject to the DBTs were directed by the ICM Order (EA-02-026) to consider and address cyber safety and security vulnerabilities. Licensees were subsequently provided with a cyber security self- assessment methodology, the results of pilot studies, and a guidance document issued by the NEI to facilitate development of site cyber security programs. This additional requirement in the final rule does not expand the DBTs beyond the requirements currently in place under existing NRC regulations and orders. Consequently, DBT amendments will not require existing licensees to make additional changes to their current NRC-approved security plans. However, the NRC acknowledges that any future changes to the threat environment may effect the ACDs and RGs, and could possibly effect the licensees' security plans that would require either NRC's approval or official communications noting the changes to the NRC. This may also impose additional burden on the licensees. In those events, the regulatory analysis would be changed accordingly. In summary: NRC Position: Disagrees with the comment. Action: Regulatory Analysis to be changed when there is change in the threat environment in the future. 12. Compliance With the National Environmental Policy Act (NEPA) Public Comment: Several commenters stated that the proposed rule fails to satisfy NEPA, and the NRC must prepare an Environmental Impact Statement (EIS) for the proposed rule because this is a major federal action significantly affecting the quality of the human environment. These commenters stated that the action is significant because ``the NRC's limitations on the scope of adversaries against which `a private security force could reasonably be expected to defend' bears directly on the degree to which public health and the environment will be protected against the impacts of accidents caused by terrorist attacks.'' Further, commenters suggested that the NEPA commenting process would be a better forum to disclose and discuss the policy considerations associated with development of the DBTs. Response to Public Comment: The Commission disagrees that this rule requires the completion of an EIS, and that the NEPA commenting process would provide a better forum for discussion of sensitive security issues. The NEPA and the Commission's regulations at 10 CFR 51.20(a)(1) only require preparation of an EIS if the proposed action is a major Federal action significantly affecting the quality of the human environment. The NRC prepared an environmental assessment (EA) for the proposed rule (70 FR 67387; November 7, 2005) and found that there would be no significant environmental impact associated with implementation of the proposed rule if adopted; and therefore, concluded that no EIS was necessary. NEPA (40 CFR.1508.8(b)) only requires that the Commission consider the ``reasonably foreseeable'' environmental effects of its actions in determining whether an EIS is necessary. Effects that are remote, speculative, or embody the worst- case outcome of a particular action do not require an EIS.\2\ In this instance, the consequences of a terrorist attack cannot be said to be ``an effect'' of this rule, and analyzing the effects of a terrorist attack [[Page 12719]] would be speculative at best. NEPA does not require such an inquiry. --------------------------------------------------------------------------- \2\ The Commission recognizes that its position on the necessity of a terrorism analysis as part of an environmental review for a specific proposed facility has been called into question by a recent decision in the 9th Circuit Court of Appeals (San Luis Obispo Mothers for Peace v. NRC, 449 F.3d 1016 (9th Cir. 2006)). However, the 9th Circuit's determination that the potential environmental effects of a terrorist attack as a result of the licensing of an Independent Spent Fuel Storage Installation should be considered, does not necessarily lead to the conclusion that such effects should be considered as part of this rulemaking action. --------------------------------------------------------------------------- The Commission does not agree that the NEPA process would provide a better forum for disclosure and discussion of the DBT rule than this rulemaking action. It is not clear how publishing an EIS for public comment would result in the disclosure of additional information because NEPA does not provide any other mechanism how additional information on a proposed rule could be obtained by commenters; the APA notice and comment process provides ample opportunity to comment and provide pertinent information on the proposed rules. Nor does a request by a member of the public to have access to additional information on a particular agency action mandate that the agency conduct a full EIS. All information necessary for public comment on the proposed rule has been made available and therefore, no greater level of detail contained in the ACDs and RGs need to be discussed in the NEPA comment process. The Commission's public comment process in developing an EIS is not a forum for sensitive security issues. In summary: NRC Position: Disagrees with the comment. Action: No action required. 13. Issuance of Annual Report Card on Individual Licensees Public Comment: One commenter stated that the NRC should publish an annual report card assessing specific plant performance to defeat attacks in ongoing ``table top'' and mock ``force-on-force'' exercises. Response to Public Comment: The NRC partially agrees with the statements submitted by the commenter. Section 651 of the EPAct required that the Commission submit two annual reports to the Congress, one classified and another unclassified, describing the results of the Commission's force-on-force exercises and related corrective actions. The detailed results of security-related drills and exercises are, and will remain, protected as SGI because this information can provide insights to potential adversaries in planning of attacks. The Commission recently submitted the first set of these reports to Congress. The unclassified version of the annual report to the Congress is publicly available, and posted on the NRC's website. Through these reports, the NRC provides information regarding the overall security performance of the commercial nuclear power plants to keep Congress and the public informed of the NRC's efforts to help protect our nation's electric power infrastructure against terrorist attacks. In addition, the NRC recently revised its policy on public availability of security inspection results. Under the revised policy, the existence of inspection findings for a specific site's FOF exercises will be identified in the publicly available cover letter transmitting the inspection results to the licensee. In summary: NRC Position: Partially agrees with the comment. Action: No action required as part of this rulemaking. Group III. Out of Scope Comments Though the following topics and comments are pertinent to the security issues of nuclear facilities, they are not directly relevant to the DBT rulemaking. The DBT rule identifies general threat characteristics, but does not require specific protective strategies and security measures to defend against and thwart attacks. Accordingly, the following comments are deemed outside the scope of this rule. However, relevant information is provided as background material to facilitate a better understanding of the existing security measures in place and planned for the future, and to answer the underlying questions and issues raised in the following public comments. 14. Federalization of Security Public Comment: Commenters stated that the proposed rule should indicate that the threat of an air attack exceeds the defensive capabilities of a plant's security forces, and that the Federal government should either take over the security of the plant and/or integrate the response from local, State, and Federal government resources. Response to Public Comment: The Commission disagrees with the comment. Federalization of nuclear power plant security is outside of the scope of the proposed rule. However, the following background information is provided for a clearer understanding of the issues involved and the rationale of the Commission's position. The issue of a Federal protective security force to provide protection at commercial power reactors was initially studied by the NRC and documented in a report to Congress, ``Security Agency Study,'' (August 1976). The study found that the ``* * * creation of a Federal guard force would not result in a higher degree of guard force effectiveness than can be achieved by the use of private guards, properly trained, qualified, trained and certified by the NRC.'' Shortly after September 11, 2001, this issue was again raised. The NRC continues to support the concept that a private security guard force with special emphasis on performance based training and full accountability is the best approach to securing our nation's commercial nuclear facilities. The security for nuclear facilities should be addressed in the context of the protection of other sensitive infrastructure. Society should allocate its security resources according to the relative risks, and, as a result, the separation of nuclear facilities from all other types of sensitive infrastructure will fragment the analysis inappropriately. Past legislation proposed that the NRC establish a security force for sensitive nuclear facilities. Current security forces at sensitive nuclear facilities are well-trained, and have high retention rates. This change would bring about a fundamental shift in the responsibility and mission of the NRC, diverting the agency from being an independent regulator of nuclear safety and security to being a provider of nuclear security. This could create command and control issues because it would establish two classes of employees at nuclear sites: licensee staff to ensure the safe operation of the reactors and Federal staff to ensure security. This could lead to conflicts and confusion in emergency situations, that could diminish nuclear safety. The change would serve to increase the Federal budget needlessly. Presumably, given the enhancement in the security threat against which the guard force would be required to defend, the NRC would be required to hire more guards than currently exists at sensitive nuclear facilities (more than 7,000 new Federal workers, which is more than twice the number of staff now employed by the NRC.) These new workers would have to undergo extensive background checks, be trained and qualified, and be armed and equipped. The training of this force alone would likely overload any Federal law enforcement agency's training capability. Presumably, the NRC would have to assume the responsibility for establishment of new security barriers and communications capabilities at the nuclear facilities that by itself raises complicated issues associated with the interplay of security barriers and safety considerations. The NRC estimates that the additional cost to the Federal government to implement these changes may well be over $1 billion a year. Supplementing the guard force with Federal forces inside the plant areas raises similar concerns. National Guard forces and local/State law enforcement units have been used successfully at a number of facilities to provide additional security external to the plants [[Page 12720]] when deemed necessary, circumventing difficult command and control issues. Such an external capability can more easily be ``surged'' when needed. In sum, the Commission does not believe such a change is needed. In the Commission's view, the qualified, trained, and tightly regulated private guard forces at nuclear plants should not be replaced by a new Federal security force. In summary: NRC position: Disagrees with the comment. Action: No action required. 15. Force-on-Force (FOF) Testing of Security Public Comment: Several commenters stated that security and FOF exercises must be upgraded in order to demonstrate a high degree of confidence that site security forces are able to repel an assault like the September 11, 2001, attack. In addition, under Section 651(a)(1)(b) of the EPAct, the NRC shall mitigate any potential conflict of interest that could influence the results of a FOF exercise. In some instances, the same contractor had supplied both the security guards as well as the mock terrorists. Response to Public Comment: The Commission disagrees with the comment. The requirements related to FOF testing are outside the scope of this rule. However, the following is provided as background information pertinent to this comment. The NRC FOF exercise program is designed to provide a realistic evaluation of the proficiency of licensee security forces against a threat consistent with the supplemented DBTs reflected in the orders issued by the Commission on April 29, 2003. After the attacks of September 11, 2001, the agency has expanded and refined its FOF program to make the exercises more realistic. These changes have significantly increased the level of complexity for each exercise in terms of planning, preparation, and logistical support. The NRC agrees that a credible, well-trained, and consistent mock adversary force is vital to the NRC's FOF program. Therefore, the NRC has worked with the nuclear industry to develop a composite adversary force (CAF) that is trained to the standards issued by the Commission. The new CAF has been used for all FOF exercises conducted after October 2004 and represents a significant improvement in ability, consistency, and effectiveness over the previous adversary forces. The NRC continues to evaluate the CAF at each exercise using rigorous NRC performance standards. The CAF is currently managed by a company (Wackenhut) that provides much of the security for U.S. nuclear power plants and is, therefore, well-versed in the security operations of nuclear power plants. The NRC recognizes that there may be a perception of a conflict of interest. The NRC established a clear separation of functions between the CAF and plant security force to ensure an independent, reliable, and credible mock adversary force. In addition, the CAF composition includes security officers that are not employed by Wackenhut and no member of the CAF may participate in an exercise at his or her home site. It is important to emphasize that the NRC, not the CAF, designs, runs, and evaluates the results of the FOF exercises. Because the CAF does not establish the exercise objectives, boundaries, or timelines, and the CAF's performance is subject to continual observation and evaluation by the NRC and its contractors, the agency controls the exercise. If the industry is unable to maintain an adequate and objective CAF that meets the standards mandated by the NRC, the NRC will take the necessary actions to ensure the effectiveness of the force-on-force evaluation program. The NRC is documenting requirements for the performance of FOF testing as well as implementing EPAct requirements for the mitigation of conflict of interest in a separate rulemaking. In summary: NRC Position: Disagrees with the comment. Action: No action required. 16. Screening of Workers in Nuclear Power Plants Public Comment: One commenter stated that the NRC must be able to regulate or at least oversee the initial and follow-up screening of temporary and permanent workers who will have access to the reactor vessel, the spent fuel pool, and the related valves, generators, pumps, electrical systems, and miles of piping that are required for the plant's operation and are vulnerable as terrorist targets. Response to Public Comment: The Commission agrees with the comment to the extent that the NRC does regulate the screening of both permanent and temporary workers with unescorted access to the protected area. The DBT rule does not regulate or oversee specific programs. Instead, it defines the general threat against which licensees must be able to defend against with high assurance. Accordingly, NRC regulation or oversight of screening of workers at nuclear power plants is outside the scope of this rule. However, it should be noted that the NRC requires licensees to have an access authorization program that meets NRC requirements. 10 CFR 73.56, ``Personnel access authorization requirements for nuclear power plants,'' requires all 10 CFR 50 and 52 licensees to include the required access authorization program as part of their site Physical Security Plan. Specifically, 10 CFR 73.56 states that the licensee is responsible for granting, denying, or revoking unescorted access authorization to any contractor, vendor, or other affected organization employee. Those requirements are intended to ensure that personnel granted unescorted access to vital areas of a nuclear power plant are trustworthy and reliable, and do not constitute an unreasonable risk to the health and safety of the public, including a potential to commit radiological sabotage. In summary: NRC Position: Agrees with the comment. Action: No action required. 17. Self-Sufficient Defense Capabilities Public Comment: Two commenters stated that in some regions, notably in large metropolitan areas, communication and transportation modes make it impossible to provide outside help in time to aid in facility defense following a terrorist attack. Response to Public Comment: The Commission disagrees with the comment. The capabilities of off-site responders are beyond the scope of this rule. However, the following provides an overview of the existing programs and policies in place for addressing issues raised in this comment. After the September 11, 2001 attacks, the NRC has worked with licensees, the DHS, and State and local governments to improve the capabilities of first responders as part of the National Infrastructure Protection Plan. Part of this program includes conducting Comprehensive Reviews of commercial nuclear site security. The Comprehensive Review, led by the DHS, is a Government and private sector analysis of critical infrastructure facilities to determine the facilities' exposure to potential terrorist attack, the consequences of such an attack, and the integrated prevention and response capabilities of the owner/operator, local law enforcement, and emergency response organizations. The results are used to enhance the security posture of the facilities and community first responders by using short-term improvements in equipment, training, and processes; and informing longer-term risk-based investments and [[Page 12721]] science and technology decisions. In less than a year, Comprehensive Reviews have resulted in identifying readily adaptable, low-cost protective measures for increased readiness and preparedness in the event of a terrorist attack or natural disaster. The nuclear sector was the first of the sectors to participate in these reviews. A number of Federal agencies participated in various assessments involving these facilities. Although recognizing that nuclear plants are the best- protected assets of our critical infrastructure, those Federal agencies and the nuclear industry also recognized the value of a unified, collaborative effort to enhance the protection of these vital assets. In summary: NRC Position: Disagrees with the comment. Action: No action required. 18. Security of Dry Cask Storage Public Comment: Multiple commenters expressed concerns regarding vulnerabilities of dry cask storage at nuclear power plants under terrorist attacks. The commenters suggested that dry cask storage should be protected by: (i) Separation with a minimum spacing of 50 yards between each cask, (ii) Hardening with beamhenge, and/or (iii) Burial in earthen mounds. One commenter stated that the NRC must require berming of dry storage casks as part of the DBT. Response to Public Comment: The Commission disagrees with the commenters' statements. In addition, requirements related to the security of dry cask storage are beyond the scope of this rulemaking. However, design basis and vulnerabilities assessment of dry cask storage facilities are provided below as background information for better understanding of existing requirements. Dry cask storage facilities (e.g., independent spent fuel storage installations (ISFSIs)) at nuclear power plants are designed to protect against external events such as tornados, hurricanes, fires, floods, and earthquakes. The standards in 10 CFR Part 72 Subpart E, ``Siting Evaluation Factors,'' and Subpart F, ``General Design Criteria,'' ensure that the dry cask storage designs are very rugged and robust. The casks must maintain structural, thermal, shielding, criticality, and confinement integrity during a variety of postulated external events including cask drops, tip-over, and wind driven missile impacts. After the terrorist attacks of September 11, 2001, the Commission initiated a program in 2002 to assess the capability of nuclear facilities to withstand terrorist attacks. As part of the program, the Commission analyzed the performance of ISFSIs under aircraft attacks and has evaluated the results of detailed security assessments involving large commercial aircraft attacks, which were performed on four representative spent fuel casks. The large aircraft impact studies included structural analyses of the aircraft impact into a single cask and the resulting cask-to-cask interactions. Those evaluations indicate that it is highly unlikely that a significant release of radioactivity would occur from an aircraft impact on a dry spent fuel storage cask. The Commission is finalizing the security assessments for a number of representative spent fuel storage casks for additional types of attacks and weaponry (including ground attacks), and will continue to evaluate the results of the ongoing assessments. Based upon these results and any other new information, the Commission will evaluate whether any change to its spent fuel storage policy is warranted. The Commission issued a security order for ISFSIs in October 2002, and required the licensees to implement additional enhancement measures for dry cask storage. These enhancements to security included increased vehicle standoff distances, additional security posts, and improved coordination with law enforcement and intelligence communities, as well as strengthened safety-related mitigation procedures and strategies. In summary: NRC Position: Disagrees with the comment. Action: No action required. 19. Security of Spent Fuel Pools Public Comment: Four commenters expressed concerns regarding vulnerabilities of spent fuel storage pools at nuclear power reactors under terrorist attacks. The comments referenced the summary of the study performed by the National Academy of Science (NAS) which indicated that a terrorist attack on spent fuel pools is a credible threat and may lead to a release of a large amount of radioactive materials to the environment if it were successful. One comment specifically stated that not only is the NRC's response to the findings of the NAS study slow, but also, that the NRC has no intention of addressing these risk issues. It further stated that the apparent absence of a concerted spent fuel security program in the revised DBT is further evidence of the NRC's failure to recognize and address the problem. Response to Public Comment: Security program requirements are the subject of another rulemaking, namely 10 CFR 73.55. Accordingly, the need for a concerted spent fuel security program in the revised DBT is beyond the scope of this rule. In addition, the Commission disagrees with the statements submitted by the commenters. The following is provided as background information pertinent to these comments. The NRC has taken numerous actions to enhance the security of spent nuclear fuel, and will take appropriate additional action as necessary as a result of on-going evaluations. Before September 11, 2001, spent fuel was well protected by physical barriers, armed guards, intrusion detection systems, area surveillance systems, access controls, and access authorization requirements for employees working inside the plants. After September 11, 2001, the NRC has enhanced its requirements, and licensees have increased their resources to improve security at nuclear power plants. For example, the NRC's February 25, 2002 Order to power reactor licensees dealt with spent fuel pool cooling capabilities in the event of a terrorist attack. As a result of the supplemented DBT, the security of spent fuel pools has been enhanced at operating power reactors. The NRC also initiated a program in 2002 to assess the capability of nuclear facilities to withstand a terrorist attack. The early focus of that program was on power reactors, including spent fuel pools. As the results of that program became available, the NRC provided power reactor licensees additional guidance in February 2005 on the implementation of the February 2002 Order regarding spent fuel mitigation measures. The power reactor licensees responded to these additional specific recommendations in May 2005. Mitigating measures that are being or have been established include those specifically recommended in the NAS study regarding fuel distribution and enhanced cooling capabilities. The NRC is working with industry to conduct additional plant- specific damage assessments for a range of potential attack scenarios. The NRC continues to evaluate spent fuel pool security in FOF exercises, which the NRC conducts at least once every three years at each power reactor site. In summary: NRC Position: Disagrees with the comment. Action: No action required. 20. Inherent Design Problems That Make Power Reactors Vulnerable Public Comment: One commenter stated that the present DBTs ignore [[Page 12722]] vulnerabilities inherent in the design of nuclear facilities. The commenter stated that the NRC has granted exemptions from certain safety regulations (e.g., Appendix R fire protection standards) to many licensees that present obvious and unacceptable vulnerabilities. The commenter stated that the vulnerability of fire-safety related pump rooms at a nuclear power plant under an attack scenario was disregarded. The commenter further related the documentation of concerns of vulnerabilities regarding inherent design problems through numerous petitions and allegations to the NRC. Response to Public Comment: The Commission disagrees with the commenter's statement that the present DBTs ignore vulnerabilities inherent in the design of nuclear facilities. The Commission has high assurance that the designs of currently operating reactors are safe, and provide adequate security protection. Moreover, the notion of ``inherent design vulnerabilities'' of nuclear facilities is beyond the scope of this rule, since the DBTs do not specify specific protective measures, such as design features. However, plant specific vulnerabilities are considered during the process of target set development and are utilized during force-on-force testing to assure the licensee is capable of defending the plant. In addition, the NRC is undertaking several separate rulemakings related to this issue. For instance, the Commission has proposed a rule that would amend its regulations related to security requirements for power reactors (71 FR 62664; October 26, 2006). Also, the Commission is considering issuing a proposed rule that would require applicants to assess specific design features that would be incorporated into the final design to support overall security effectiveness of nuclear power plants. With respect to the commenter's statement on the exemptions from certain safety regulations (e.g., Appendix R fire protection standards), the NRC staff believes that the comment is out of scope of this rulemaking. However, a response to the issue raised in this question is in order. To that end, the following information is provided as background information. Plants licensed to operate before January 1, 1979, must comply with fire protection requirements as specified in 10 CFR 50.48(b) that backfit paragraphs III.G, J and O of Appendix R. Plants licensed to operate after January 1, 1979, must comply with the approved fire protection program incorporated into their operating license. When the Commission promulgated 10 CFR Part 50, Appendix R, the Commission recognized that there would be plant specific conditions and configurations where strict compliance with the prescriptive features specified in Appendix R would not significantly enhance the level of fire safety already provided by the licensee. Therefore, in certain cases, where the licensee could demonstrate an equivalent level of fire safety that satisfied the underlying purpose of the rule, the licensee could apply for a specific exemption from Appendix R. Thus, the exemption process allowed through 10 CFR 50.12 provides a means of allowing licensees to meet Appendix R through alternate means. The NRC has granted and continues to grant exemptions when a licensee meets the criteria of 10 CFR 50.12 and demonstrates that the alternate means provide an adequate level of fire safety. The NRC believes that individual fire protection exemptions have had a small impact on plant risk. Regarding the commenter's statement concerning the petitions and allegations documented and submitted to the NRC, the NRC is currently preparing responses to those that have been received. NRC Position: Disagrees with the comment that the present DBTs ignore vulnerabilities inherent in the design of nuclear facilities. Action: No action is required with respect to this DBT rulemaking. However, the NRC will provide proper responses to the petitions and allegations that have been received. III. Summary of Specific Changes Made to the Proposed Rule as a Result of Public Comment One change is being made to the rule to add a cyber threat as an explicit element of the DBT rule for both external and internal adversaries. The previous DBT requirements in 10 CFR 73.1 did not specifically include the threat of a cyber attack. However, a cyber attack capability was implied in the proposed 10 CFR 73.1 issued for public comment in the Federal Register on November 7, 2005 (70 FR 67380). Under Section 651(a)(2) of the EPAct of 2005, Congress also directed NRC to consider making an ``assessment of physical, cyber, biochemical, and other terrorist threats'' when developing the revised rule, and the NRC specifically asked for public comment on whether this and a number of other aspects should be included in the DBT. One commenter specifically referred to the need for the DBT rule to contain requirements pertaining to cyber attack capabilities. The NRC has historically required licensees to evaluate cyber vulnerabilities. In February 2002, licensees subject to the DBTs were directed by ICM Order (EA-02-026) to consider and address cyber safety and security vulnerabilities. In April 2003, NRC Orders (EA-03-086 and EA-03-087) that supplemented the DBTs contained language concerning the threat of a cyber attack. Licensees were subsequently provided with a cyber security self-assessment methodology and the results of pilot studies, as well as additional guidance issued by the nuclear industry, to facilitate development of site cyber security programs. The February 2003, U.S. National Strategy to Secure Cyberspace suggests that the cyber threat likely will increase both in capability and frequency in the future. In light of this threat, the cyber security programs already initiated by the industry, the proposed draft 10 CFR 73.55(m), ``Digital Computer and Communication Networks,'' that is included in the proposed rule on power reactor security requirements (71 FR 62664; October 26, 2006), and the requirements of the EPAct of 2005, the Commission has decided to include a cyber attack as an element of the DBT. IV. Section-by-Section Analysis The following provides a comparison between the previous rule text and the final rule text in 10 CFR 73.1. (a) Previous Rule: Purpose. This part prescribes requirements for the establishment and maintenance of a physical protection system which will have capabilities for the protection of special nuclear material at fixed sites and in transit and of plants in which special nuclear material is used. The following design basis threats, where referenced in ensuing sections of this part, shall be used to design safeguards systems to protect against acts of radiological sabotage and to prevent the theft of special nuclear material. Licensees subject to the provisions of Sec. Sec. 72.182, 72.212, 73.20, 73.50, and 73.60 are exempt from 73.1(a)(1)(i)(E) and 73.1(a)(1)(iii). (a) Final Rule: Purpose. This part prescribes requirements for the establishment and maintenance of a physical protection system which will have capabilities for the protection of special nuclear material at fixed sites and in transit and of plants in which special nuclear material is used. The following design basis threats, where referenced in ensuing sections of this part, shall be used to design safeguards systems to protect against acts of radiological sabotage and to prevent the [[Page 12723]] theft or diversion of special nuclear material. Licensees subject to the provisions of Sec. 73.20 (except for fuel cycle licensees authorized under part 70 of this chapter to receive, acquire, possess, transfer, use, or deliver for transportation formula quantities of strategic special nuclear material), Sec. Sec. 73.50, and 73.60, are exempt from Sec. Sec. 73.1(a)(1)(i)(E), 73.1(a)(1)(iii), 73.1(a)(1)(iv), 73.1(a)(2)(iii), 73.1(a)(2)(iv). Licensees subject to the provisions of Sec. 72.212 are exempt from Sec. 73.1(a)(1)(iv). (a) Change: The paragraph is modified to clarify that the DBT is designed to protect against diversion in addition to theft of special nuclear material. The exemptions are updated based on the order requirements and conforming changes to other paragraphs of this part. (1)(i) Previous Rule: Radiological sabotage. (i) A determined violent external assault, attack by stealth, or deceptive actions, of several persons with the following attributes, assistance and equipment: (1)(i) Final Rule: Radiological sabotage. (i) A determined violent external assault, attack by stealth, or deceptive actions, including diversionary actions, by an adversary force capable of operating in each of the following modes: a single group attacking through one entry point, multiple groups attacking through multiple entry points, a combination of one or more groups and one or more individuals attacking through multiple entry points, or individuals attacking through separate entry points, with the following attributes, assistance and equipment: (1)(i) Change: The paragraph adds new capabilities to the DBT including operation in multiple modes of attack. The language in the final rule was modified to provide specificity that licensees are required to maintain the capability to protect against several modes, and that a physical security plan only capable of defending against one of the prescribed modes would not satisfy the requirements of the rule. (1)(i)(A) Previous Rule: Well-trained (including military training and skills) and dedicated individuals, (1)(i)(A) Final Rule: Well-trained (including military training and skills) and dedicated individuals, willing to kill or be killed, with sufficient knowledge to identify specific equipment or locations necessary for a successful attack, (1)(i)(A) Change: The paragraph adds adversaries who are willing to kill or be killed and are knowledgeable about specific target selection to the DBT. (1)(i)(B) Previous Rule: Inside assistance which may include a knowledgeable individual who attempts to participate in a passive role (e.g., provide information), an active role (e.g., facilitate entrance and exit, disable alarms and communications, participate in violent attack), or both, (1)(i)(B) Final Rule: Active (e.g., facilitate entrance and exit, disable alarms and communications, participate in violent attack) or passive (e.g., provide information), or both, knowledgeable inside assistance, (1)(i)(B) Change: The reference to an individual is removed and the paragraph reworded to provide flexibility in defining the scope of the inside threat. (1)(i)(C) Previous Rule: Suitable weapons, up to and including hand-held automatic weapons, equipped with silencers and having effective long range accuracy, (1)(i)(C) Final Rule: Suitable weapons, including hand-held automatic weapons, equipped with silencers and having effective long range accuracy, (1)(i)(C) Change: The phrase ``up to and including'' is changed to ``including'' to provide flexibility in defining the range of weapons licensees must be able to defend against. (1)(i)(D) Previous Rule: Hand-carried equipment, including incapacitating agents and explosives for use as tools of entry or for otherwise destroying reactor, facility, transporter, or container integrity or features of the safeguards system, and (1)(i)(D) Final Rule: Hand-carried equipment, including incapacitating agents and explosives for use as tools of entry or for otherwise destroying reactor, facility, transporter, or container integrity or features of the safeguards system, and (1)(i)(D) Change: This description is not revised by the final rule. (1)(i)(E) Previous Rule: A four-wheel drive land vehicle used for transporting personnel and their hand-carried equipment to the proximity of vital areas, and (1)(i)(E) Final Rule: Land and water vehicles, which could be used for transporting personnel and their hand-carried equipment to the proximity of vital areas, and (1)(i)(E) Change: The scope of vehicles licensees must defend against is expanded to include water vehicles and a range of land vehicles beyond four-wheel drive vehicles. (1)(ii) Previous Rule: An internal threat of an insider, including an employee (in any position), and (1)(ii) Final Rule: An internal threat, and (1)(ii) Change: The current rule describes the internal threat as a threat posed by an individual. The language is revised to provide flexibility in defining the scope of the internal threat. (1)(iii) Previous Rule: A four-wheel drive land vehicle bomb. (1)(iii) Final Rule: A land vehicle bomb assault, which may be coordinated with an external assault, and (1)(iii) Change: The paragraph is updated to reflect that licensees are required to protect against a wide range of land vehicles. A new mode of attack not previously part of the DBT regulations is added indicating that adversaries may coordinate a vehicle bomb assault with another external assault. (1)(iv) Previous Rule: None. (1)(iv) Final Rule: A waterborne vehicle bomb assault, which may be coordinated with an external assault, and (1)(iv) Change: The paragraph adds a new mode of attack not previously part of the DBT, that being a waterborne vehicle bomb assault. This paragraph also adds a coordinated attack concept. (1)(v) Previous Rule: None. (1)(v) Final Rule: A cyber attack. (1)(v) Change: Adds a cyber attack. The capability to exploit site computer and communications system vulnerabilities to modify or destroy data and programming code, deny access to systems, and prevent the operation of the computer system and the equipment it controls. (2)(i) Previous Rule: Theft or diversion of formula quantities of strategic special nuclear material. (i) A determined, violent, external assault, attack by stealth, or deceptive actions by a small group with the following attributes, assistance, and equipment: (2)(i) Final Rule: Theft or diversion of formula quantities of strategic special nuclear material. (i) A determined violent external assault, attack by stealth, or deceptive actions, including diversionary actions, by an adversary force capable of operating in each of the following modes: a single group attacking through one entry point, multiple groups attacking through multiple entry points, a combination of one or more groups and one or more individuals attacking through multiple entry points, or individuals attacking through separate entry points, with the following attributes, assistance and equipment: (2)(i) Change: The paragraph adds new adversary capabilities to the DBT including operation in multiple modes of attack. The language in the final rule was modified to provide specificity that [[Page 12724]] licensees are required to maintain the capability to protect against several modes, and that a physical security plan only capable of defending against one of the prescribed modes would not satisfy the requirements of the rule. (2)(i)(A) Previous Rule: Well-trained (including military training and skills) and dedicated individuals; (2)(i)(A) Final Rule: Well-trained (including military training and skills) and dedicated individuals, willing to kill or be killed, with sufficient knowledge to identify specific equipment or locations necessary for a successful attack; (2)(i)(A) Change: The paragraph adds to the DBT adversaries who are willing to kill or be killed and are knowledgeable about specific target selection. (2)(i)(B) Previous Rule: Inside assistance that may include a knowledgeable individual who attempts to participate in a passive role (e.g., provide information), an active role (e.g., facilitate entrance and exit, disable alarms and communications, participate in violent attack), or both; (2)(i)(B) Final Rule: Active (e.g., facilitate entrance and exit, disable alarms and communications, participate in violent attack) or passive (e.g., provide information), or both, knowledgeable inside assistance; (2)(i)(B) Change: The reference to an individual is removed and the paragraph reworded to provide flexibility in defining the scope of the inside threat. (2)(i)(C) Previous Rule: Suitable weapons, up to and including hand-held automatic weapons, equipped with silencers and having effective long-range accuracy; (2)(i)(C) Final Rule: Suitable weapons, including hand-held automatic weapons, equipped with silencers and having effective long- range accuracy; (2)(i)(C) Change: The phrase ``up to and including'' is changed to ``including'' to provide flexibility in defining the range of weapons licensees must be able to defend against. (2)(i)(D) Previous Rule: Hand-carried equipment, including incapacitating agents and explosives for use as tools of entry or for otherwise destroying reactor, facility, transporter, or container integrity or features of the safeguards system; (2)(i)(D) Final Rule: Hand-carried equipment, including incapacitating agents and explosives for use as tools of entry or for otherwise destroying reactor, facility, transporter, or container integrity or features of the safeguards system; and (2)(i)(D) Change: This description is not revised by the final rule. (2)(i)(E) Previous Rule: Land vehicles used for transporting personnel and their hand-carried equipment; and (2)(i)(E) Final Rule: Land and water vehicles, which could be used for transporting personnel and their hand-carried equipment. (2)(i)(E) Change: The scope of vehicles licensees must defend against is expanded to include water vehicles and a range of land vehicles beyond four-wheel drive vehicles. (2)(i)(F) Previous Rule: The ability to operate as two or more teams. (2)(i)(F) Final Rule: Deleted. (2)(i)(F) Change: This requirement is included in (2)(i). (2)(ii) Previous Rule:An individual, including an employee (in any position), and (2)(ii) Final Rule: An internal threat, (2)(ii) Change: The current rule describes the internal threat as a threat posed by an individual. The language is revised to provide flexibility in defining the scope of the internal threat. (2)(iii) Previous Rule: A conspiracy between individuals in any position who may have: (A) Access to and detailed knowledge of nuclear power plants or the facilities referred to in Sec. 73.20(a), or (B) Items that could facilitate theft of special nuclear material (e.g., small tools, substitute material, false documents, etc.), or both. (2)(iii) Final Rule: A land vehicle bomb assault, which may be coordinated with an external assault, and (2)(iii) Change: The paragraph is updated to reflect that licensees are required to protect against a wide range of land vehicles. A new mode of attack not previously part of the DBT is added indicating that adversaries may coordinate a vehicle bomb assault with another external assault. (2)(iv) Previous Rule: None. (2)(iv) Final Rule: A waterborne vehicle bomb assault, which may be coordinated with an external assault. (2)(iv) Change: The paragraph would add a new mode of attack not previously part of the DBT, that being a waterborne vehicle bomb assault. This coordinated attack concept is another upgrade to the current regulation. (2)(v) Previous Rule: None. (2)(v) Final Rule: A cyber attack. (2)(v) Change: Adds a cyber attack. The capability to exploit site computer and communications system vulnerabilities to modify or destroy data and programming code, deny access to systems, and prevent the operation of the computer system and the equipment it controls. The Commission concludes that the amendments to Sec. 73.1 will continue to ensure adequate protection of public health and safety and the common defense and security by requiring the secure use and management of radioactive materials. The revised DBTs represent the largest threats against which private sector facilities must be able to defend with high assurance. The amendments to 10 CFR 73.1 reflect requirements currently in place under existing NRC regulations and orders. V. Guidance The NRC staff is preparing new regulatory guides (RGs) to provide detailed guidance on the revised DBT requirements in 10 CFR 73.1. These guides are intended to assist current licensees in ensuring that their security plans meet requirements in the revised rule, as well as future license applicants in the development of their security programs and plans. The new guidance incorporates the insights gained from applying the earlier guidance that was used to develop, review, and approve the site security plans that licensees put in place in response to the April 2003 Orders. As such, this regulatory guidance is expected to be consistent with revised security measures at current licensees. The publication of the RGs is planned to coincide with the publication of the final rule. 1. Regulatory Guide (RG-5.69) , ``Guidance for the Implementation of the Radiological Sabotage Design-Basis Threat (Safeguards).'' This regulatory guide will provide guidance to the industry on the radiological sabotage DBT. RG-5.69 contains SGI and, therefore, is being withheld from public disclosure and distributed on a need-to-know basis to those who otherwise qualify for access. 2. Regulatory Guide (RG-5.70), ``Guidance for the Implementation of the Theft or Diversion Design-Basis Threat (Classified).'' This regulatory guide will provide guidance to the industry on the theft or diversion DBT. RG-5.70 contains classified information and, therefore, is withheld from public disclosure and distributed only on a need to know basis to those who otherwise qualify for access. VI. Resolution of Petition (PRM-73-12) The staff incorporated consideration of a petition for rulemaking into this rulemaking filed by the Committee to Bridge the Gap (PRM-73- 12) on July 23, 2004. The petition requests that NRC conduct a rulemaking to revise the DBT regulations (including numbers, teams, capabilities, planning, willingness to die, and other characteristics of [[Page 12725]] adversaries) to a level that encompasses, with a sufficient margin of safety, the terrorist capabilities demonstrated during the attacks of September 11, 2001. The petition also requests that security plans, systems, inspections, and FOF exercises be revised in accordance with the amended DBTs. Finally, the petition requests that a requirement be added to Part 73 to require licensees to construct shields against air attack (referred to as ``beamhenges'') so that nuclear power plants would be able to withstand an air attack from a jumbo jet similar to the September 11, 2001, attacks. PRM-73-12 was published for public comment in the Federal Register on November 8, 2004 (69 FR 64690). There were 845 comments submitted on PRM-73-12, of which 528 were form letters. The staff reviewed both the petition and the comments on the petition against the supplemental DBTs to determine if the DBTs should be revised as requested by the petitioner. Based on this review, the NRC staff determined that a number of the proposed revisions in PRM-73-12 had already been set forth in the proposed DBT rule language. The NRC partially granted PRM- 73-12 as stated in the public notice of the proposed 10 CFR 73.1 DBT rulemaking, (See, 70 FR 67380; November 7, 2005), but deferred action on other aspects of the petition, particularly with respect to its consideration of the airborne threat, to the final rulemaking. During the course of this rulemaking, the Commission considered if it would be necessary to add some type of airborne threat as part of the DBTs. After careful evaluation and consideration, the Commission has chosen a two-track response to the air threat that excludes physical security measures such as ``beamhenge.'' First, the Commission determined that active protection against the airborne threat requires military weapons and ordinance (i.e., ground-based air defense missiles), that rightfully belong to the Department of Defense. Thus, the airborne threat is one which is beyond what a private security force can reasonably be expected to defend against. Second, licensees have been directed to implement certain mitigative measures to limit the effects of an aircraft strike. Therefore, the Commission has denied the request of the petition PRM-73-12 regarding the inclusion of the airborne threat in the DBTs, as well as beamhenge as physical security measures. More detailed information in support of the Commission's position is provided in the comment resolutions for Factor 6, the potential for water-based and air-based threats, and Factor 9, the potential for fires, especially fires of long duration. VII. Criminal Penalties For the purposes of Section 223 of the Atomic Energy Act, as amended, the Commission is issuing the final rule to revise 10 CFR 73.1 under Sections of 161b, 161i, or 161o of the Atomic Energy Act of 1954 (AEA). Criminal penalties, as they apply to regulations in Part 73, are discussed in 10 CFR 73.81. VIII. Compatibility of Agreement State Regulations Under the ``Policy Statement on Adequacy and Compatibility of Agreement States Programs, ``approved by the Commission on June 20, 1997, and published in the Federal Register (62 FR 46517; September 3, 1997), this rule is classified as compatibility ``NRC.'' Compatibility is not required for Category ``NRC'' regulations. The NRC program elements in this category are those that relate directly to areas of regulation reserved to the NRC by the AEA or the provisions of Title 10 of the Code of Federal Regulations, and although an Agreement State may not adopt program elements reserved to NRC, it may wish to inform its licensees of certain requirements via a mechanism that is consistent with the particular State's administrative procedure laws, but does not confer regulatory authority on the State. IX. Availability of Documents Some documents discussed in this notice are not available to the public. The following table indicates which documents are available to the public and how they may be obtained. Public Document Room (PDR). The NRC Public Document Room is located at 11555 Rockville Pike, Rockville, Maryland 20852. Rulemaking Website (Web). The NRC's interactive rulemaking Website is located at: //ruleforum.llnl.gov. These documents may be viewed and downloaded electronically via this Web site. NRC's Electronic Reading Room (ERR). The NRC's electronic reading room is located at http://www.nrc.gov/reading-rm.html. ---------------------------------------------------------------------------------------------------------------- Document PDR Web ERR ---------------------------------------------------------------------------------------------------------------- Environmental Assessment................... X X ML070530261 Regulatory Analysis........................ X X ML070530193 Public Comments on PRM-73-12............... X X ML053040061 Radiological Sabotage Adversary no no no Characteristics document. Theft or diversion Adversary no no no Characteristics document. Technical Basis Document................... no no no RG 5.69 on Radiological Sabotage........... no no no RG -5.70 on Theft or Diversion............. no no no Memorandum: Status of Security-Related X X ML041180532 Rulemaking. Commission SRM dated August 23, 2004....... .................. ............ ML042360548 Memorandum: Schedule for Part 73 X X ML043060572 Rulemakings. Letter to Petitioner....................... X X ML052920150 Commission SRM dated October 27, 2005...... X X ML053000448 Proposed Rulemaking dated November 7, 2005. X X ML060090310 Public Comments on Proposed Rule........... X X ML062130575 Commission SRM dated January 29, 2007...... X X ML070290286 Final Rulemaking........................... X X ML070520692 ---------------------------------------------------------------------------------------------------------------- X. Plain Language The Presidential memorandum dated June 1, 1998, entitled ``Plain Language in Government Writing,'' published on June 10, 1998 (63 FR 31883) directed that the Government's documents be in plain, clear, and accessible language. The NRC requested comments on the proposed rule specifically with respect to the clarity and effectiveness of the language used. No specific comments were received on the proposed rule related to this issue. [[Page 12726]] XI. Voluntary Consensus Standards The National Technology Transfer and Advancement Act of 1995, Pub. L. 104-113, requires that Federal agencies use technical standards that are developed or adopted by voluntary consensus standards bodies unless using such a standard is inconsistent with applicable law or is otherwise impractical. The NRC is not aware of any voluntary consensus standard that could be used instead of the proposed Government-unique standards. The NRC will consider using a voluntary consensus standard if an appropriate standard is identified. XII. Finding of No Significant Environmental Impact: Environmental Assessment: Availability The Commission has determined under the National Environmental Policy Act of 1969, as amended, and the Commission's regulations in Subpart A of 10 CFR Part 51, that this rule is not a major Federal action significantly affecting the quality of the human environment and, therefore, an environmental impact statement is not required. The determination of this environmental assessment is that there will be no significant off-site impact to the public from this action. The NRC sent a copy of the environmental assessment and the proposed rule to every State Liaison Officer and requested their comments on the environmental assessment. No comments were received from the State Liaison Officer on the environmental assessment. XIII. Paperwork Reduction Act Statement This final rule does not contain new or amended information collection requirements and, therefore is not subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). Existing information collection requirements were approved by the Office of Management and Budget, approval number 3150-0002. The burden for all future licensees will be covered under 10 CFR Part 52 (3150-0151) as part of the combined operator license applications. Public Protection Notification The NRC may not conduct or sponsor, and a person is not required to respond to, a request for information or an information collection requirement unless the requesting document displays a currently valid OMB control number. XIV. Regulatory Analysis The Commission has prepared a regulatory analysis on this regulation. The analysis examines the costs and benefits of the alternatives considered by the Commission. The Commission requested public comment on the draft regulatory analysis. Comments on the draft analysis have been addressed in Section II of this document. Availability of the regulatory analysis is provided in Section VIII of this document. XV. Regulatory Flexibility Certification Under the Regulatory Flexibility Act (5 U.S.C. 605(b)), the Commission certifies that this rule does not have a significant economic impact on a substantial number of small entities. This final rule affects only the licensing and operation of nuclear power plants and Category I fuel cycle facilities. The companies that own these plants do not fall within the scope of the definition of ``small entities'' set forth in the Regulatory Flexibility Act or the size standards established by the NRC (10 CFR 2.810). XVI. Backfit Analysis The NRC has determined, pursuant to the exception in 10 CFR 50.109(a)(4)(iii) and 10 CFR 70.76(a)(4)(iv), that a backfit analysis is unnecessary for this final rule. Sections 50.109 and 70.76(a)(4)(iv) state, in pertinent part, that a backfit analysis is not required if the Commission finds and declares with appropriate documented evaluation for its finding that a ``regulatory action involves defining or redefining what level of protection to the public health and safety or common defense and security should be regarded as adequate.'' The final rule increases the security requirements currently prescribed in NRC regulations, and is necessary to protect nuclear facilities against potential terrorists. When the Commission imposed security enhancements by order in April 2003, it did so in response to an escalated domestic threat level. Since that time, the Commission has continued to monitor intelligence reports regarding plausible threats from terrorists currently facing the U.S. The Commission has also gained experience from implementing the order requirements and reviewing revised licensee security plans. The Commission has considered all of this information and finds that security requirements similar to those previously imposed by the DBT Orders, which applied only to existing licensees, should be made generically applicable. The Commission further finds that the final rule would redefine the security requirements stated in existing NRC regulations, and is necessary to ensure that the public health and safety and common defense and security are adequately protected in the current, post-September 11, 2001 environment. XVII. Congressional Review Act Under the Congressional Review Act of 1996, NRC has determined that this action is not a ``major rule'' and has verified this determination with the Office of Information and Regulatory Affairs of OMB. List of Subjects in 10 CFR Part 73 Criminal penalties, Export, Hazardous materials transportation, Import, Nuclear materials, Nuclear power plants and reactors, Reporting and recordkeeping requirements, and Security measures. 0 For the reasons set out in the preamble and under the authority of the Atomic Energy Act of 1954, as amended; the Energy Reorganization Act of 1974, as amended; and 5 U.S.C. 552 and 553; the NRC is adopting the following amendments to 10 CFR part 73. PART 73--PHYSICAL PROTECTION OF PLANTS AND MATERIALS 0 1. The authority citation for part 73 continues to read as follows: Authority: Secs. 53, 161, 68 Stat. 930, 948, as amended, sec. 147, 94 Stat. 780 (42 U.S.C. 2073, 2167, 2201); sec. 201, as amended, 204, 88 Stat. 1242, as amended, 1245, sec. 1701, 106 Stat. 2951, 2952, 2953 (42 U.S.C. 5841, 5844, 2297f); sec. 1704, 112 Stat. 2750 (44 U.S.C. 3504 note). Section 73.1 also issued under secs. 135, 141, Pub. L. 97-425, 96 Stat. 2232, 2241 (42 U.S.C, 10155, 10161). Section 73.37(f) also issued under sec. 301, Pub. L. 96-295, 94 Stat. 789 (42 U.S.C. 5841 note). Section 73.57 is issued under sec. 606, Pub. L. 99-399, 100 Stat. 876 (42 U.S.C. 2169). 0 2. In Sec. 73.1, paragraph (a) is revised to read as follows: Sec. 73.1 Purpose and scope. (a) Purpose. This part prescribes requirements for the establishment and maintenance of a physical protection system which will have capabilities for the protection of special nuclear material at fixed sites and in transit and of plants in which special nuclear material is used. The following design basis threats, where referenced in ensuing sections of this part, shall be used to design safeguards systems to protect against acts of radiological sabotage and to prevent the theft or diversion of special nuclear material. Licensees subject to the provisions of Sec. 73.20 (except for fuel cycle licensees authorized under Part 70 of this chapter [[Page 12727]] to receive, acquire, possess, transfer, use, or deliver for transportation formula quantities of strategic special nuclear material), Sec. Sec. 73.50, and 73.60 are exempt from Sec. Sec. 73.1(a)(1)(i)(E), 73.1(a)(1)(iii), 73.1(a)(1)(iv), 73.1(a)(2)(iii), and 73.1(a)(2)(iv). Licensees subject to the provisions of Sec. 72.212 are exempt from Sec. 73.1(a)(1)(iv). (1) Radiological sabotage. (i) A determined violent external assault, attack by stealth, or deceptive actions, including diversionary actions, by an adversary force capable of operating in each of the following modes: A single group attacking through one entry point, multiple groups attacking through multiple entry points, a combination of one or more groups and one or more individuals attacking through multiple entry points, or individuals attacking through separate entry points, with the following attributes, assistance and equipment: (A) Well-trained (including military training and skills) and dedicated individuals, willing to kill or be killed, with sufficient knowledge to identify specific equipment or locations necessary for a successful attack; (B) Active (e.g., facilitate entrance and exit, disable alarms and communications, participate in violent attack) or passive (e.g., provide information), or both, knowledgeable inside assistance; (C) Suitable weapons, including hand-held automatic weapons, equipped with silencers and having effective long range accuracy; (D) Hand-carried equipment, including incapacitating agents and explosives for use as tools of entry or for otherwise destroying reactor, facility, transporter, or container integrity or features of the safeguards system; and (E) Land and water vehicles, which could be used for transporting personnel and their hand-carried equipment to the proximity of vital areas; and (ii) An internal threat; and (iii) A land vehicle bomb assault, which may be coordinated with an external assault; and (iv) A waterborne vehicle bomb assault, which may be coordinated with an external assault; and (v) A cyber attack. (2) Theft or diversion of formula quantities of strategic special nuclear material. (i) A determined violent external assault, attack by stealth, or deceptive actions, including diversionary actions, by an adversary force capable of operating in each of the following modes: a single group attacking through one entry point, multiple groups attacking through multiple entry points, a combination of one or more groups and one or individuals attacking through multiple entry points, or individuals attacking through separate entry points, with the following attributes, assistance and equipment: (A) Well-trained (including military training and skills) and dedicated individuals, willing to kill or be killed, with sufficient knowledge to identify specific equipment or locations necessary for a successful attack; (B) Active (e.g., facilitate entrance and exit, disable alarms and communications, participate in violent attack) or passive (e.g., provide information), or both, knowledgeable inside assistance; (C) Suitable weapons, including hand-held automatic weapons, equipped with silencers and having effective long-range accuracy; (D) Hand-carried equipment, including incapacitating agents and explosives for use as tools of entry or for otherwise destroying reactor, facility, transporter, or container integrity or features of the safe-guards system; (E) Land and water vehicles, which could be used for transporting personnel and their hand-carried equipment; and (ii) An internal threat; and (iii) A land vehicle bomb assault, which may be coordinated with an external assault; and (iv) A waterborne vehicle bomb assault, which may be coordinated with an external assault; and (v) A cyber attack. * * * * * Dated at Rockville, Maryland this 13th day of March 2007. For the Nuclear Regulatory Commission. Annette L. Vietti-Cook, Secretary of the Commission. [FR Doc. 07-1317 Filed 3-16-07; 8:45 am] BILLING CODE 7590-01-P