[Federal Register Volume 81, Number 215 (Monday, November 7, 2016)]
[Rules and Regulations]
[Pages 78022-78028]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-26762]
-----------------------------------------------------------------------
NUCLEAR REGULATORY COMMISSION
10 CFR Chapter I
[NRC-2014-0221]
NRC Enforcement Policy
AGENCY: Nuclear Regulatory Commission.
ACTION: Policy revision; issuance.
-----------------------------------------------------------------------
SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is issuing a
revision to its Enforcement Policy (Policy) to incorporate changes
approved by the Commission.
DATES: This revision is effective on November 7, 2016. The NRC is not
soliciting comments on this revision to its Policy at this time.
ADDRESSES: Please refer to Docket ID NRC-2014-0221 when contacting the
NRC about the availability of information regarding this document. You
may obtain publicly-available information related to this document
using any of the following methods:
Federal Rulemaking Web site: Go to http://www.regulations.gov and search for Docket ID NRC-2014-0221. Address
questions about NRC dockets to Carol Gallagher: telephone: 301-415-
3463; email: [email protected]. For technical questions, contact
the individual listed in the FOR FURTHER INFORMATION CONTACT section of
this document.
NRC's Agencywide Documents Access and Management System
(ADAMS): You may obtain publicly-available documents online in the
ADAMS Public Documents collection http://www.nrc.gov/reading-rm/adams.html. To begin the search, select ``ADAMS Public Documents'' and
then select ``Begin Web-based ADAMS Search.'' For problems with ADAMS,
please contact the NRC's Public Document Room (PDR) reference staff at
1-800-397-4209, 301-415-4737, or by email to [email protected]. The
ADAMS accession number for each document referenced in this document
(if that document is available in ADAMS) is provided the first time
that a document is referenced.
NRC's PDR: You may examine and purchase copies of public
documents at the NRC's PDR, Room O1-F21, One White Flint North, 11555
Rockville Pike, Rockville, Maryland 20852.
The NRC maintains the Enforcement Policy on its Web site at http://www.nrc.gov: under the heading ``Popular Documents,'' select
``Enforcement Actions,'' then under ``Enforcement'' in the left side
column, select ``Enforcement Policy.'' The revised Enforcement Policy
is available in ADAMS under Accession No. ML16271A446.
FOR FURTHER INFORMATION CONTACT: Gerry Gulla, Office of Enforcement,
U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001;
telephone: 301-287-9143; email: [email protected].
SUPPLEMENTARY INFORMATION:
I. Background
The mission of the NRC is to license and regulate the Nation's
civilian use of byproduct, source, and special nuclear material to
ensure adequate protection of public health and safety, promote the
common defense and security, and protect the environment. The NRC
supports this mission through its use of its Policy. Adequate
protection is presumptively assured by compliance with the NRC's
regulations, and the Policy contains the basic procedures used to
assess and disposition apparent violations of the NRC's requirements.
The NRC initially published the Policy in the Federal Register on
October 7, 1980 (45 FR 66754). Since its initial publication, the
Policy has been revised on a number of occasions to address changing
requirements and lessons learned. The most recent Policy revision is
dated August 1, 2016. That revision reflects the new maximum civil
penalty amount that the NRC can assess for a violation of the Atomic
Energy Act of 1954, as amended (AEA), or any regulation or order issued
under the AEA.
This current revision to the Policy incorporates lessons learned
along with miscellaneous clarifications and additions. These revisions
include a rewrite of Section 6.13, ``Information Security,'' to
incorporate a risk-informed approach for assessing the significance of
information security violations; the implementation of the Construction
Reactor Oversight Process (cROP); and miscellaneous revisions to: (1)
The Glossary; (2) violation examples; and (3) Section 2.3.4, ``Civil
Penalty.''
The NRC provided an opportunity for the public to comment on these
Policy revisions in a document published in the Federal Register on
October 9, 2014 (79 FR 61107). The Nuclear Energy Institute (NEI) was
the only stakeholder that submitted comments (ADAMS Accession No.
ML14364A020).
II. Revisions to the Enforcement Policy
1. Construction Reactor Oversight Process (cROP)
a. Table of Contents
The NRC is revising the Table of Contents to incorporate the
implementation of the cROP into the Policy. This requires a revision to
the titles of Sections 2.2.3 and 2.2.4. In addition to the revision
discussed below, there are also other miscellaneous cROP related
reference revisions throughout the Policy.
b. Section 2.2 ``Assessment of Violations''
Section 2.2 is modified to include the cROP, and remove the
specificity which allows for the use of the significance determination
process (SDP), not only for facilities under construction, but for
independent spent fuel storage installations when an SDP is developed.
Revision
After a violation is identified, the NRC assesses its severity or
significance (both actual and potential). Under traditional
enforcement, the severity level (SL) assigned to the violation
generally reflects the assessment of the significance of a violation.
For most violations committed by power reactor licensees, the
significance of a violation is assessed using the Reactor Oversight
Process (ROP) or the Construction Reactor Oversight Process (cROP), as
discussed below in Section 2.2.3, ``Assessment of Violations Identified
Under the ROP or cROP.'' All other violations at power reactors or
power
[[Page 78023]]
reactor facilities under construction will be assessed using
traditional enforcement as described in Section 2.2.4, ``Using
Traditional Enforcement to Disposition Violations Identified at Power
Reactors.'' Violations identified at facilities that are not subject to
an ROP or cROP are assessed using traditional enforcement.
c. Section 2.2.3 ``Operating Reactor Assessment Program''
The NRC is revising this section to add the implementation of the
cROP and will reference the NRC's Inspection Manual Chapter (IMC) 2505,
``Periodic Assessment of Construction Inspection Program Results''
(ADAMS Accession No. ML14269A107). IMC 2505 describes the construction
assessment program and IMC 0305, ``Operating Reactor Assessment
Program,'' describes the ROP (ADAMS Accession No. ML15089A315).
Revision
2.2.3 Assessment of Violations Identified Under the ROP or cROP
The assessment, disposition, and subsequent NRC action related to
inspection findings identified at operating power reactors are
determined by the ROP, as described in NRC Inspection Manual Chapter
(IMC) 0305, ``Operating Reactor Assessment Program,'' and IMC 0612,
``Power Reactor Inspection Reports.'' The assessment, disposition, and
subsequent NRC action related to inspection findings identified at
power reactors under construction are determined by the cROP, as
described in IMC 2505, ``Periodic Assessment of Construction Inspection
Program Results'' and in IMC 0613, ``Power Reactor Construction
Inspection Reports.''
Inspection findings identified through the ROP are assessed for
significance using the SDP described in IMC 0609, ``Significance
Determination Process.'' Inspection findings identified through the
cROP are assessed for significance using the SDP described in IMC 2519,
``Construction Significance Determination Process.'' The SDPs use risk
insights, where possible, to assist the NRC staff in determining the
significance of inspection findings identified within the ROP or cROP.
Inspection findings processed through the SDP, including associated
violations, are documented in inspection reports and are assigned one
of the following colors, depending on their significance.
d. Section 2.2.4 ``Exceptions To Using Only the Operating Reactor
Assessment Program''
The NRC is revising this section to add the implementation of the
cROP and will reference IMC 2505.
Revision
2.2.4 Using Traditional Enforcement to Disposition Violations
Identified at Power Reactors
Some aspects of violations at power reactors cannot be addressed
solely through the SDP. In these cases, violations must be addressed
separately from any associated ROP or cROP findings (when findings are
present). Accordingly, these violations are assigned severity levels
and can be considered for civil penalties in accordance with this
Policy while the significance of the associated ROP or cROP finding
(when present) must be dispositioned in accordance with the SDP. In
determining the severity level assigned to such violations, the NRC
will consider information in this Policy and the violation examples in
Section 6.0 of this Policy, as well as SDP-related information, when
available.
e. Section 2.2.6 ``Construction''
Section 2.2.6, ``Construction,'' will be revised to provide
clarifying guidance regarding enforcement and the Changes during
Construction (CdC) Preliminary Amendment Request (PAR) process. The
policy will now note that enforcement actions will not be taken for
construction pursuant to a PAR No-Objection Letter, issued by the NRC,
even if that construction is outside of the current licensing basis
(CLB) while a corresponding license amendment request (LAR) is under
review. This will allow the licensee to continue construction at-risk
if the construction is consistent with the associated LAR and the No-
Objection Letter. In addition, this section will also be revised to
conform the policy to be consistent with the revised regulations
promulgated by the NRC in ``Licenses, Certifications, and Approvals for
Materials Licenses'' (76 FR 56951; September 15, 2011).
Revision
2.2.6 Construction
In accordance with 10 CFR 50.10, no person may begin the
construction of a production or utilization facility on a site on which
the facility is to be operated until that person has been issued either
a construction permit under 10 CFR part 50, a combined license under 10
CFR part 52, an early site permit authorizing the activities under 10
CFR 50.10(d), or a limited work authorization under 10 CFR 50.10(d). In
an effort to preclude unnecessary regulatory burden on 10 CFR part 52
combined license holders while maintaining safety, the Changes during
Construction (CdC) Preliminary Amendment Request (PAR) process was
developed in Interim Staff Guidance (ISG)-025, ``Interim Staff Guidance
on Changes During Construction Under 10 CFR part 52.'' The license
condition providing the option for a PAR as detailed in ISG-025 allows
the licensee to request to make physical changes to the plant that are
consistent with the scope of the associated license amendment request
(LAR). The NRC staff may issue a No-Objection Letter with or without
specific limitations, in response to the PAR. Enforcement actions will
not be taken for construction pursuant to a PAR No-Objection Letter
that is outside of the Current Licensing Basis (CLB) while the
corresponding LAR is under review as long as the construction is
consistent with the associated LAR and the No-Objection Letter (the
latter of which may contain limitations on construction activities).
The PAR No-Objection Letter authorization is strictly conditioned on
the licensee's commitment to return the plant to its CLB if the
requested LAR is subsequently denied or withdrawn. Failure to timely
restore the CLB may be subject to separate enforcement, such as an
order, a civil penalty, or both.
f. Section 2.3.1 ``Minor Violation''
This revision will remove redundant language (IMC titles) from
previously identified IMCs and will add references to examples of minor
violation issues found in IMCs 0613 and 0617.
Revision
Violations of minor safety or security concern generally do not
warrant enforcement action or documentation in inspection reports but
must be corrected. Examples of minor violations can be found in the NRC
Enforcement Manual, IMC 0612, Appendix E, ``Examples of Minor Issues,''
IMC 0613, Appendix E, ``Examples of Minor Construction Issues,'' and
IMC 0617, Appendix E, ``Minor Examples of Vendor and Quality Assurance
Implementation Findings.'' Provisions for documenting minor violations
can be found in the NRC Enforcement Manual, IMC 0610, IMC 0612, IMC
0613, IMC 0616, and IMC 0617.
g. Section 2.3.2 ``Noncited Violation''
This revision incorporates ``plain writing'' into the Policy
regarding noncited violations. It will also revise
[[Page 78024]]
the opening paragraph of Section 2.3.2 to be consistent with a previous
approved revision to this section associated with crediting licensee
corrective action programs.
Revision
2.3.2 Noncited Violation
If a licensee or nonlicensee has implemented a corrective action
program that is determined to be adequate by the NRC, the NRC will
normally disposition SL IV violations and violations associated with
green ROP or cROP findings as noncited violations (NCVs) if all the
criteria in Paragraph 2.3.2.a. are met.
For licensees and nonlicensees that are not credited by the NRC as
having adequate corrective action programs, the NRC will normally
disposition SL IV violations and violations associated with green ROP
or cROP findings as NCVs if all of the criteria in Paragraph 2.3.2.b
are met. If the SL IV violation or violation associated with Green ROP
or cROP finding was identified by the NRC, the NRC will normally issue
a Notice of Violation.
Inspection reports or inspection records document NCVs and briefly
describe the corrective action the licensee or nonlicensee has taken or
plans to take, if known. Licensees and nonlicensees are not required to
provide written responses to NCVs; however, they may provide a written
response if they disagree with the NRC's description of the NCV or
dispute the validity of the NCV.
2. Section 2.3.4 ``Civil Penalty''
Recent cases involving the willful failure to file for reciprocity
or to obtain an NRC specific license have led to discussions about the
agency's ability to deter future noncompliance in these areas and
lessen the perceived potential economic benefit of working in NRC
jurisdiction without the required notification or license.
Although the Policy (Section 3.6, ``Use of Discretion in
Determining the Amount of a Civil Penalty'') allows the NRC to exercise
discretion to propose or escalate a civil penalty for cases involving
willfulness, the NRC will add clarifying language to Section 2.3.4,
``Civil Penalty.'' To aid in implementation and ensure consistency, the
Enforcement Manual will include specific guidance on the typical or
``starting'' civil penalty amount (e.g., 2 times the base civil
penalty).
Revision
The following language appears in Section 2.3.4 after the paragraph
starting: ``The NRC considers civil penalties for violations . . .''
For cases involving the willful failure to either file for
reciprocity or obtain an NRC specific license, the NRC will normally
consider a civil penalty to deter noncompliance for economic benefit.
Therefore, notwithstanding the normal civil penalty assessment process,
in cases where there is any indication (e.g., statements by company
employees regarding the nonpayment of fees, previous violations of the
requirement including those not issued by the NRC, or previous filings
without a significant change in management) that the violation was
committed for economic gain, the NRC may exercise discretion and impose
a civil penalty. The resulting civil penalty will normally be no more
than 3 times the base civil penalty; however, the agency may mitigate
or escalate the amount based on the merits of a specific case.
3. Addition of Section 3.10 ``Reactor Violations With No Performance
Deficiencies''
The NRC is revising Section 2.2.4.d to clarify that violations with
no ROP findings are dispositioned by using traditional enforcement.
Section 3.10, ``Reactor Violations with No Performance Deficiencies,''
has been added for NRC guidance to properly disposition these
violations. This clarification involves no actual change in policy.
Revisions
2.2.4.d: Violations not Associated With ROP or cROP Findings
3.10 Reactor Violations With No Performance Deficiencies
The NRC may exercise discretion for violations of NRC requirements
by reactor licensees for which there are no associated performance
deficiencies (e.g., a violation of a TS which is not a performance
deficiency).
4. Section 6.0 ``Violation Examples''
a. 6.3 ``Materials Operations''
Section 6.3, ``Materials Operations,'' of the Policy addresses the
failure to secure a portable gauge as required by 10 CFR 30.34(i).
Specifically, under the current Policy, paragraph 6.3.c.3, a Severity
Level (SL) III violation example, states, ``A licensee fails to secure
a portable gauge with at least two independent physical controls
whenever the gauge is not under the control and constant surveillance
of the licensee as required by 10 CFR 30.34(i).'' Accordingly, a
violation of 10 CFR 30.34(i) constitutes a SL III violation for gauges
having either no security or one level of security. The SL III
significance is based largely on licensees' control of portable gauges
to reduce the opportunity for unauthorized removal or theft and is the
only example currently provided in the Policy for this type of
violation.
When assessing the significance of a violation involving the
failure to secure a portable gauge, the NRC considers that both
physical controls must be defeated for the portable gauge to be
removed. This deters a theft by requiring a more determined effort to
remove the gauge. Considering that there is a reduced risk associated
with having one barrier instead of no barrier, the NRC has determined
that a graded approach is appropriate for 10 CFR 30.34(i) violations of
lower significance. Therefore, the NRC believes that failures of one
level of physical control to secure portable gauges warrant a SL IV
designation. This graded approach was piloted in Enforcement Guidance
Memoranda 11-004, dated April 28, 2011 (ADAMS Accession No.
ML111170601). After over 2 years of monitoring, the NRC determined that
the addition of the SL IV example did not increase the number of
losses/thefts reported. Therefore, the NRC is revising violation
example 6.3.c.3 and adding violation example 6.3.d.10:
Revisions
6.3.c.3: Except as provided for in section 6.3.d.10 of the policy,
a licensee fails to secure a portable gauge as required by 10 CFR
30.34(i);
6.3.d.10: A licensee fails to secure a portable gauge as required
by 10 CFR 30.34(i), whenever the gauge is not under the control and
constant surveillance of the licensee, where one level of physical
control existed and there was no actual loss of material, and that
failure is not repetitive.
b. Section 6.5.c.4 and 5 SL III Violations Involve, for Example
The NRC modifies these examples (4 and 5) to reference the
appropriate regulation governing changes to a facility referencing a
certified design (i.e., 10 CFR 52.98). This regulation refers to
applicable change processes in the applicable design certification
rule, which are currently contained in 10 CFR part 52, Appendix A-D.
Revisions
4. A licensee fails to obtain prior Commission approval required by
10 CFR 50.59 or 10 CFR 52.98 for a change that results in a condition
evaluated as having low-to-moderate or greater safety significance; or
[[Page 78025]]
5. A licensee fails to update the FSAR as required by 10 CFR
50.71(e), and the FSAR is used to perform a 10 CFR 50.59 or 10 CFR
52.98 evaluation for a change to the facility or procedures,
implemented without Commission approval, that results in a condition
evaluated as having low-to-moderate or greater safety significance.
c. Section 6.5.d.5 SL IV Violations Involve, for Example
Example 6.5.d.5 was added to Section 6.9.d ``Inaccurate and
Incomplete Information or Failure to Make a Required Report.''
d. Section 6.9 Inaccurate and Incomplete Information or Failure to Make
a Required Report
Section 50.55(e)(3) requires holders of a construction permit or
combined license (until the Commission makes the finding under 10 CFR
52.103(g)) to adopt procedures to evaluate deviations and failures to
comply to ensure identification of defects and failures to comply
associated with substantial safety hazards as soon as practicable. This
section is similar to the reporting requirements of 10 CFR part 21. A
SL II violation example was added; violation example 6.9.c.2.(a) was
deleted; and the reference to 10 CFR 50.55(e) was moved to the revised
6.9.c.5 examples.
Revisions
b. SL II Violations Involve, for Example
8. A deliberate failure to notify the Commission as required by 10
CFR 50.55(e).
c. SL III Violations Involve, for Example
2.(a) Deleted ``failure to make required notifications and reports
pursuant to 10 CFR 50.55(e);''
5. A failure to provide the notice required by 10 CFR part 21 or 10
CFR 50.55(e), for example:
(a) An inadequate review or failure to review such that, if an
appropriate review had been made as required, a 10 CFR part 21 or 10
CFR 50.55(e) report would have been required; or
(b) A withholding of information or a failure to make a required
interim report by 10 CFR 21.21, ``Notification of Failure to Comply or
Existence of a Defect and Its Evaluation,'' or 10 CFR 50.55(e) occurs
with careless disregard.
d. SL IV Violations Involve, for Example
12. A licensee fails to make an interim report required by 10 CFR
21.21(a)(2) or under 10 CFR 50.55(e);
13. Failure to implement adequate 10 CFR part 21 or 10 CFR 50.55(e)
processes or procedures that has more than minor safety or security
significance; or
14. A materials licensee fails to . . .
e. Section 6.9 ``Inaccurate and Incomplete Information or Failure to
Make a Required Report''
The NRC is removing the reference to 10 CFR 26.719(d) in violation
example 6.9.c.2.(c) because 10 CFR 26.719(d) is not a reporting
requirement.
Revision
6.9.c.2.(b): Failure to make any report required by 10 CFR 73.71,
``Reporting of Safeguards Events,'' or Appendix G, ``Reportable
Safeguards Events,'' to 10 CFR part 73 ``Physical Protection of Plants
and Materials,'' or 10 CFR part 26, ``Fitness-For-Duty Programs;''
f. Section 6.11 ``Reactor, Independent Spent Fuel Storage Installation,
Fuel Facility, and Special Nuclear Material Security''
The current Policy examples for a SL IV violation in Section 6.11.d
are focused on the loss of special nuclear material (SNM) of low
strategic significance. The loss of SNM is too narrow of a focus on the
loss of material and not the other aspects of the Materials Control &
Accountability (MC&A) program that could be a precursor to a loss of
SNM. The Policy should include an example for the MC&A program at fuel
facilities that covers the reduction in the ability to detect a loss or
diversion of material which could lead to a more significant event.
Therefore, the NRC is adding violation example 6.11.d.3 as follows.
Violation Example
6.11.d.3: A licensee fails to comply with an element of its
material and accounting program that results in a fuel cycle facility
procedure degradation regarding adequate detection or protection
against loss, theft, or diversion of SNM.
g. Section 6.14 ``Fitness-For-Duty'' Violation Example 6.14.a.2
The NRC is incorporating violation example 6.14.a.2 into example
6.14.b.1. An employee assistance program (EAP) is one provision of many
contained in 10 CFR part 26, subpart B, for which 6.14.a.1 applies.
Therefore, the ``severity'' associated with an inadequate EAP is
significantly less than that of a licensee not meeting ``two or more
subparts of 10 CFR part 26.'' An ineffective implementation of an EAP
does not directly result in an immediate safety or security concern and
should not represent a SL I violation. Therefore, the NRC is deleting
violation example 6.14.a.2 and modifying violation example 6.14.b.1.
Revision
6.14.a.2: Deleted.
6.14.b.1: A licensee fails to remove an individual from unescorted
access status when this person has been involved in the sale, use, or
possession of illegal drugs within the protected area, or a licensee
fails to take action in the case of an on-duty misuse of alcohol,
illegal drugs, prescription drugs, or over-the-counter medications or
once the licensee identifies an individual that appears to be impaired
or that their fitness is questionable, the licensee fails to take
immediate actions to prevent the individual from performing the duties
that require him or her to be subject to 10 CFR part 26;
h. Section 6.14 ``Fitness-For-Duty'' Violation Example 6.14.b.2
In violation example 6.14.b.2, the NRC is removing the language
``unfitness for duty based on drug or alcohol use.'' Regulations in 10
CFR part 26 do not define unfitness and the behavioral observation
program is not limited to drug and alcohol impairment.
Revision
6.14.b.2: A licensee fails to take action to meet a regulation or a
licensee behavior observation program requirement when observed
behavior within the protected area or credible information concerning
the activities of an individual indicates impairment by any substance,
legal or illegal, or mental or physical impaired from any cause, which
adversely affects their ability to safely and competently perform their
duties.
i. Section 6.14 ``Fitness-For-Duty'' Violation Example 6.14.c.1
The NRC is revising violation example 6.14.c.1 to encompass more
than positive drug and alcohol tests; it should include other aspects
of the fitness-for-duty program such as subversions.
Revision
6.14.c.1: A licensee fails to take the required action for a person
who has violated the licensee's Fitness-For-Duty Policy, in cases that
do not amount to a SL II violation;
j. Section 6.14 ``Fitness-For-Duty'' Violation Example 6.14.c.5
Due to the revision to violation example 6.14.b.1, the NRC is
revising violation example 6.14.c.5 to maintain a graded approach
method to its violation example.
[[Page 78026]]
Revision
6.14.c.5: A licensee's employee assistance program (EAP) staff
fails to notify licensee management when the EAP staff is aware that an
individual's condition, based on the information known at the time, may
adversely affect safety or security of the facility and the failure to
notify did not result in a condition adverse to safety or security; or
5. Section 6.13 ``Information Security''
The NRC is revising Section 6.13, ``Information Security.'' This
revision will replace the current examples, which are based on the
classification levels of the information, with a risk-informed approach
for assessing the severity of information security violations. This
approach of evaluating the severity of information security violations
by using a risk-informed process is based on the totality of the
circumstances surrounding the information security violation and will
more accurately reflect the severity of these types of violations and
improve regulatory consistency.
This process is the result of lessons learned from a number of
violations that the NRC has processed over the last few years based on
varying significance levels. This process will use a flow chart and
table approach, along with defined terms.
Once a noncompliance is identified, a four-step approach will be
applied to determine the severity level of the violation. The four
steps are: (1) Determine the significance of the information (i.e.,
high, moderate, or low), (2) determine the extent of disclosure (i.e.,
individual deemed trustworthy and reliable, unknown disclosure, or
confirmed to an unauthorized individual), (3) determine the
accessibility of the information (i.e., how limited was access to the
information), and (4) determine the duration of the noncompliance
(i.e., how long was the information available).
Once all steps are completed, the user will obtain a recommended
severity level for the violation. The staff recognizes this approach as
a change from the traditional violation examples; however, the process
will be risk-informed and will consider the totality of circumstances
surrounding the information disclosure. The risk-informed approach to
information security violations adopted by the NRC should not be read
to contradict the national policy on classified information as set
forth in Executive Order 13526, ``Classified National Security
Information.'' This first revision is located in the beginning of the
last paragraph of Section 4.3 of the Policy. Two conforming revisions
are being made to Section 6.12 of the Policy to delete examples that
conflict with the revised approach.
Revisions
a. Section 4.3 Civil Penalties to Individuals
Section 6.13, ``Information Security,'' of this Policy provides a
risk-informed approach for assessing the significance of information
security violations.
b. Section 6.12 Materials Security
6.12.c.3: Deleted
6.12.d.10: Deleted
b. Violation example 6.13 Information Security
BILLING CODE 7590-01-P
[GRAPHIC] [TIFF OMITTED] TR07NO16.008
BILLING CODE 7590-01-C
Step 1: Significance \1\--Describes the decision point to determine
the significance of the disclosure as it relates to national security
and/or common defense and security.
---------------------------------------------------------------------------
\1\ The significance guidance provided in Step 1 is only
applicable within the context of the NRC's Enforcement Policy and
its application. The significance guidance is not intended to define
the ``harm'' that an unauthorized disclosure of SECRET or
CONFIDENTIAL information is reasonably expected to cause as those
definitions are set forth in Executive Order 13526, ``Classified
National Security Information.'' Nothing in section 6.13 of the
Enforcement Policy should be read to contradict the National Policy
on classified information.
---------------------------------------------------------------------------
High Significance: The totality of information disclosed provides a
significant amount of information about a technology (i.e., key
elements of a technology or system) or combinations of the following
elements related to
[[Page 78027]]
protective strategies: Response Strategy, Target Sets, Physical
Security Plan, Contingency Plan or Integrated Response Plan. The
information can be either SECRET or CONFIDENTIAL (National Security or
Restricted Data) or Safeguards.
Moderate Significance: The totality of information disclosed
provides limited information that may be useful to an adversary about
technology information or physical security plan of a facility. The
information can be either SECRET or CONFIDENTIAL (National Security or
Restricted Data), Safeguards, or information requiring protection under
10 CFR part 37.
Low Significance: The totality of information disclosed, taken by
itself, would not aid an adversary in gaining information about a
technology or physical security plan of a facility. The information can
be either SECRET or CONFIDENTIAL (National Security or Restricted
Data), Safeguards, or information requiring protection under 10 CFR
part 37.
Step 2: Disclosure--Describes the decision point to determine if:
(a) The information was accessible to any individual(s) via hard copy
format or electronic (e.g. computers) form, (b) you can determine who
the individual(s) are, and (c) those individual(s) would meet the
definition of Trustworthy and Reliable.
Trustworthy and Reliable (T&R): Are characteristics of an
individual considered dependable in judgment, character, and
performance, such that disclosure of information to that individual
does not constitute an unreasonable risk to the public health and
safety or common defense and security. A determination of T&R for this
purpose is based upon the results from a background investigation or
background check in accordance with 10 CFR 37.5 or 10 CFR 73.2,
respectively. To meet the T&R requirement, the individual must possess
a T&R determination before the disclosure of the information,
regardless of the ``need to know'' determination. Note: In accordance
with 10 CFR 73.21 or 73.59, there are designated categories of
individuals that are relieved from fingerprinting, identification and
criminal history checks and other elements of background checks.
Unknown Disclosure: Instances when controlled information has been
secured, protected, or marked improperly but there is no evidence that
anyone has accessed the information while it was improperly handled.
Confirmed: Instances where a person who does not have authorization
to access controlled information gains access to the information.
Electronic Media/Confirmed: For electronic media it is considered
confirmed once the information is no longer on an approved network for
that type of information.
Unauthorized Individual: A person who does not possess a T&R
determination and a need to know.
Step 3: Limited Access--Describes the decision point to determine
the amount of controls (e.g., doors, locks, barriers, firewalls,
encryption levels) needed to enter or gain access to an area or
computer system in order to obtain the disclosed security information.
Hard Copy Format: A location provides limited access if it meets
all of the following conditions:
a. The area was locked or had access control measures, and;
b. individuals that frequented the area were part of a known
population, and;
c. records of personnel entry were maintained to the area via key
control or key card access.
Electronic Media: A computer network provides limited access if it
meets all of the following conditions:
a. The information is stored in a location that is still within the
licensee's computer network's firewall, and
b. the licensee has some type of control system in place which
delineates who can access the information.
Step 4: Duration--Describes the decision point in which a time
period determination is made regarding the number of days the
information was not controlled properly in accordance with the
respective handling and storage requirements of the security
information.
Long: Greater than or equal to 14 days from the date of infraction
to discovery of the non-compliance.
Short: Less than 14 days from the date of infraction to discovery
of the non-compliance.
6. Glossary
a. Confirmatory Action Letter
Some agency procedures have not consistently described all
Confirmatory Action Letter (CAL) recipients, according to an audit of
the NRC's use of CALs. To date, all affected procedures have been
revised to incorporate a consistent definition with the exception of
the Policy. Therefore, the NRC is revising the Glossary term CAL to
specifically state the recipients of a CAL.
Revision
Confirmatory Action Letter (CAL) is a letter confirming a
licensee's, contractor's, or nonlicensee's (subject to NRC
jurisdiction) voluntary agreement to take certain actions to remove
significant concerns about health and safety, safeguards, or the
environment.
c. Interim Enforcement Policy
The term Interim Enforcement Policy was added to the Glossary.
Revision
Interim Enforcement Policies (IEPs) refers to a policy that is
developed by the NRC staff and approved by the Commission for specific
topics, typically for a finite period. Generally, IEPs grant the staff
permission to refrain from taking enforcement action for generic issues
which are not currently addressed in the Policy and are typically
effective until such time that formal guidance is developed and
implemented or other resolution to the generic issue. IEPs can be found
in Section 9.0 of the Policy.
d. Traditional Enforcement
The NRC is revising the definition of traditional enforcement for
clarification purposes.
Revision
Traditional Enforcement, as used in this Policy, refers to the
process for the disposition of violations of NRC requirements,
including those that cannot be addressed only through the Operating
Reactor Assessment Program. Traditional enforcement violations are
assigned severity levels and typically include, but may not be limited
to, those violations involving (1) actual safety and security
consequences, (2) willfulness, (3) impeding the regulatory process, (4)
discrimination, (5) violations not associated with ROP or cROP
findings, (6) materials regulations, and (7) deliberate violations
committed by individuals.
7. Miscellaneous Corrections/Modifications
Note: The page numbers cited correspond with the newly revised
Enforcement Policy.
a. Page 8: Subject to the same oversight as the regional offices,
the Directors of the Office of Nuclear Reactor Regulation (NRR), the
Office of Nuclear Material Safety and Safeguards (NMSS), the Office of
New Reactors (NRO), and the Office of Nuclear Security and Incident
Response (NSIR) may also approve, sign, and issue certain enforcement
actions as delegated by the Director, OE. The Director, OE, has
delegated authority to the Directors of NRR, NMSS, NRO, and NSIR to
issue Orders not related to specific violations
[[Page 78028]]
of NRC requirements (i.e., nonenforcement-related Orders.)
b. Page 9: The NRC reviews each case being considered for
enforcement action on its own merits to ensure that the severity of a
violation is characterized at the level appropriate to the safety or
security significance of the particular violation.
Whenever possible, the NRC uses risk information in assessing the
safety or security significance of violations and assigning severity
levels. A higher severity level may be warranted for violations that
have greater risk, safety, or security significance, while a lower
severity level may be appropriate for issues that have lower risk,
safety, or security significance.
c. Page 15: a. Licensees and Nonlicensees with a credited
Corrective Action Program
d. Page 19: The flow chart (Figure 2) is a graphic representation
of the civil penalty assessment process and should be used in
conjunction with the narrative in this section.
e. Page 33: The NRC may refrain from issuing an NOV for a SL II,
III, or IV violation that meets the above criteria, provided that the
violation was caused by conduct that is not reasonably linked to the
licensee's present performance (normally, violations that are at least
3 years old or violations occurring during plant construction) and that
there had not been prior notice so that the licensee could not have
reasonably identified the violation earlier.
f. Page 34: In addition, the NRC may refrain from issuing
enforcement action for violations resulting from matters not within a
licensee's control, such as equipment failures that were not avoidable
by reasonable licensee QA measures or management controls (e.g.,
reactor coolant system leakage that was not within the licensee's
ability to detect during operation, but was identified at the first
available opportunity or outage).
g. Page 43: 6.1.c.2 A system that is part of the primary success
path and which functions or actuates to mitigate a DBA or transient
that either assumes the failure of or presents a challenge to the
integrity of the fission product barrier not being able to perform its
licensing basis safety function because it is not fully qualified (per
the IMC 0326, ``Operability Determinations & Functional Assessment for
Conditions Adverse to Quality or Safety'') (e.g., materials or
components not environmentally qualified);
h. Page 43: 6.1.d.3 A licensee fails to update the FSAR as required
by 10 CFR 50.71(e) and the lack of up-to-date information has a
material impact on safety or licensed activities; or
i. Page 59: 6.7.d.3 ``A radiation dose rate in an unrestricted or
controlled area exceeds 0.002 rem (0.02 millisieverts) in any 1 hour (2
mrem/hour) or 50 mrem (0.5 mSv) in a year;''
III. Procedural Requirements
Paperwork Reduction Act Statement
This policy statement does not contain new or amended information
collection requirements subject to the Paperwork Reduction Act of 1995
(44 U.S.C. 3501 et seq.). Existing requirements were approved by the
Office of Management and Budget (OMB), approval number 3150-0136.
Public Protection Notification
The NRC may not conduct or sponsor, and a person is not required to
respond to, a request for information or an information collection
requirement unless the requesting document displays a currently valid
OMB control number.
Congressional Review Act
This policy is a rule as defined in the Congressional Review Act (5
U.S.C 801-808). However, the Office of Management and Budget has not
found it to be a major rule as defined in the Congressional Review Act.
Dated at Rockville, Maryland, this 1st day of November, 2016.
For the Nuclear Regulatory Commission.
Annette L. Vietti-Cook,
Secretary of the Commission.
[FR Doc. 2016-26762 Filed 11-4-16; 8:45 am]
BILLING CODE 7590-01-P