[Federal Register Volume 90, Number 166 (Friday, August 29, 2025)]
[Notices]
[Pages 42274-42278]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2025-16585]
-----------------------------------------------------------------------
NUCLEAR REGULATORY COMMISSION
[NRC-2025-0676]
Enforcement Policy Materials Security Violation Examples
AGENCY: Nuclear Regulatory Commission.
ACTION: Proposed revision to policy statement; request for comment.
-----------------------------------------------------------------------
SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is proposing
revisions to Section 6.12 of its Enforcement Policy (the Policy). The
NRC is proposing to revise the examples provided in the Policy of
violations of physical protection requirements for Category 1 and
Category 2 quantities of radioactive material.
DATES: Submit comments by September 29, 2025. Comments received after
this date will be considered if it is practical to do so, but the
Commission is able to ensure consideration only for comments received
before this date.
ADDRESSES: You may submit comments by any of the following methods;
however, the NRC encourages electronic comment submission through the
Federal rulemaking website:
[[Page 42275]]
Federal Rulemaking website: Go to https://www.regulations.gov and search for Docket ID NRC-2025-0676. Address
questions about NRC dockets to Helen Chang; telephone: 301-415-3228;
email: [email protected]. For technical questions contact the
individual listed in the FOR FURTHER INFORMATION CONTACT section of
this document.
Email comments to: [email protected]. If you do
not receive an automatic email reply confirming receipt, then contact
us at 301-415-1677.
Fax comments to: Secretary, U.S. Nuclear Regulatory
Commission at 301-415-1101.
Mail comments to: Secretary, U.S. Nuclear Regulatory
Commission, Washington, DC 20555-0001, ATTN: Rulemakings and
Adjudications Staff.
Hand deliver comments to: 11555 Rockville Pike, Rockville,
Maryland 20852, between 7:30 a.m. and 4:15 p.m. eastern time, Federal
workdays; telephone: 301-415-1677.
For additional direction on obtaining information and submitting
comments, see ``Obtaining Information and Submitting Comments'' in the
SUPPLEMENTARY INFORMATION section of this document.
FOR FURTHER INFORMATION CONTACT: David Furst, Office of Enforcement,
U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001;
telephone: 301-287-9087, email: [email protected].
SUPPLEMENTARY INFORMATION:
I. Obtaining Information and Submitting Comments
A. Obtaining Information
Please refer to Docket ID NRC-2025-0676 when contacting the NRC
about the availability of information for this action. You may obtain
publicly available information related to this action by any of the
following methods:
Federal Rulemaking website: Go to https://www.regulations.gov and search for Docket ID NRC-2025-0676.
NRC's Agencywide Documents Access and Management System
(ADAMS): You may obtain publicly available documents online in the
ADAMS Public Documents collection at https://www.nrc.gov/reading-rm/adams.html. To begin the search, select ``Begin Web-based ADAMS
Search.'' For problems with ADAMS, please contact the NRC's Public
Document Room (PDR) reference staff at 1-800-397-4209, at 301-415-4737,
or by email to [email protected]. The ADAMS accession number for
each document referenced (if it is available in ADAMS) is provided the
first time that it is mentioned in the SUPPLEMENTARY INFORMATION
section.
NRC's PDR: The PDR, where you may examine and order copies
of publicly available documents, is open by appointment. To make an
appointment to visit the PDR, please send an email to
[email protected] or call 1-800-397-4209 or 301-415-4737, between 8
a.m. and 4 p.m. eastern time, Monday through Friday, except Federal
holidays.
B. Submitting Comments
The NRC encourages electronic comment submission through the
Federal rulemaking website (https://www.regulations.gov). Please
include Docket ID NRC-2025-0676 in your comment submission.
The NRC cautions you not to include identifying or contact
information that you do not want to be publicly disclosed in your
comment submission. The NRC will post all comment submissions at
https://www.regulations.gov as well as enter the comment submissions
into ADAMS. The NRC does not routinely edit comment submissions to
remove identifying or contact information.
If you are requesting or aggregating comments from other persons
for submission to the NRC, then you should inform those persons not to
include identifying or contact information that they do not want to be
publicly disclosed in their comment submission. Your request should
state that the NRC does not routinely edit comment submissions to
remove such information before making the comment submissions available
to the public or entering the comment into ADAMS.
II. Background
On November 14, 2005, and December 22, 2005, the NRC issued Orders
entitled: ``Increased Controls for Licensees that Possess Sources
Containing Radioactive Material Quantities of Concern,'' also referred
to as the IC Orders, to radioactive materials licensees who held
licenses issued by the NRC authorizing possession of such material at
or above threshold limits. The Orders supplemented existing regulatory
requirements in title 10 of the Code of Federal Regulations (10 CFR)
20.1801 and 10 CFR 20.1802 in order to ensure adequate protection of,
and minimize danger to, the public health and safety.
On September 28, 2006, NRC issued Enforcement Guidance Memorandum
(EGM) 06-003, ``Guidance for Dispositioning Enforcement Issues
Associated with Orders Imposing Increased Controls for Licensees
Authorized to Possess Radioactive Material Quantities of Concern''
which provided interim severity level examples for disposition of
violations of the IC Orders (ADAMS Accession No. ML062710365). The NRC
later incorporated those examples into the July 12, 2011, revision to
the NRC Enforcement Policy (the Policy) by adding Section 6.12
``Materials Security'' (ADAMS Accession No. ML093480037) which
superseded EGM-06-003.
On March 19, 2013 (78 FR 16922), the NRC issued a final rule
establishing 10 CFR part 37. The rule establishes physical protection
requirements for licensees in possession of aggregated quantities of
category 1 or category 2 radioactive material listed in Appendix A,
``Category 1 and Category 2 Radioactive Materials,'' to 10 CFR part 37.
Similar requirements had previously been imposed by the IC Orders.
Section 6.12 ``Materials Security,'' of the Policy contains
examples of severity levels for violations associated with the physical
protection requirements of 10 CFR part 37. These examples were
originally written based on the IC Orders to serve as guidance for
dispositioning violations of part 37. An update is being proposed to
reflect the current language in part 37 and to include examples for
requirements that are new in part 37. The latest revision to the
Enforcement Policy was on November 1, 2016, when Section 6.12 was
edited to remove one SL III and one SL IV violation example for
limiting access to physical protection information.
III. Discussion
On March 25, 2024, the Office of the Inspector General (OIG) issued
audit report OIG-24-A-06--Audit of the U.S. Nuclear Regulatory
Commission's Security Oversight of Category 1 and Category 2 Quantities
of Radioactive Material (ADAMS Accession No. ML24085A694). The audit
report identified opportunities ``to strengthen the assessment of
enforcement activities,'' and recommended, among other things, that the
NRC staff ``Update the Enforcement Policy and Enforcement Manual to
specifically reference 10 CFR part 37 requirements.'' In response to
the OIG recommendations, the staff is proposing to update Section 6.12
``Material Security,'' of the Enforcement Policy to incorporate
severity level examples specific to 10 CFR part 37 violations.
The proposed revision is based on data analysis of previously
issued enforcement actions and leveraging lessons learned from
approximately 10
[[Page 42276]]
years of implementation and inspections of part 37 requirements. The
revision examples were developed by an NRC working group formed from
various program office and regional staff with knowledge of part 37
requirements. The violation examples in this section are intentionally
broad in scope so as to serve as a set of guiding examples that are
neither exhaustive nor controlling for making severity level (SL)
determinations. The examples are not intended to address every possible
material security violation, nor do they capture every possible
circumstance. SL determinations reflect nuclear safety and security
risks associated with the specific facts of a material security
violation.
IV. Proposed Revision
The NRC Enforcement Policy contains violation examples used to
assess and disposition apparent violations of NRC requirements.
This notice provides the public with an opportunity to review and
provide comments on the draft revision to the Policy found in ADAMS
under Accession No. ML25127A219. Comments received during this 30-day
comment period will be considered for the final version of the policy.
V. Paperwork Reduction Act
This policy statement does not contain any new or amended
collection of information subject to the Paperwork Reduction Act of
1995 (44 U.S.C. 3501 et seq.). Existing collections of information were
approved by the Office of Management and Budget (OMB), approval number
3150-0136.
Public Protection Notification
The NRC may not conduct or sponsor, and a person is not required to
respond to, a collection of information unless the document requesting
or requiring the collection displays a currently valid OMB control
number.
VI. Regulatory Planning and Review
Executive Order (E.O.) 12866
The Office of Information and Regulatory Affairs (OIRA) has
determined that this enforcement policy is not a significant regulatory
action under E.O. 12866. Accordingly, the NRC submitted this
enforcement policy to OIRA for review. The NRC is required to conduct
an economic analysis in accordance with section 6(a)(3)(B) of E.O.
12866.
The text of the Enforcement Policy is attached.
Dated: August 26, 2025.
For the Nuclear Regulatory Commission.
Bo Pham,
Acting Director, Office of Enforcement.
6.12 Materials Security for 10 CFR Part 37--Physical Protection of
Category 1 and Category 2 Quantities of Radioactive Material
This section applies to the requirements of 10 CFR part 37--
Physical Protection of Category 1 and Category 2 Quantities of
Radioactive Material. These examples were developed using a risk-
informed approach considering actual or potential loss, theft, or
diversion of material.
Additionally, when determining the significance of the violations,
factors that could be considered include the specific circumstances of
the failure, including the time and equipment needed to result in an
actual loss, theft, or diversion.
This section should be the primary reference for violations related
to the protection of information under 10 CFR part 37. If a violation
is not adequately addressed by the examples provided in Section 6.12,
Section 6.13 may be applied as appropriate.
a. SL I violations involve, for example:
1. An actual theft, diversion, or loss of a category 1 quantity of
radioactive material that results from failure to establish or
implement one or more requirements of 10 CFR part 37; or
2. A licensee fails to verify prior to transfer that a recipient is
authorized to possess the type, form, and quantity of category 1
radioactive material at the location where the material is being
transferred, where the transfer was made to a recipient that was not
authorized to possess either the type, form, or quantity of category 1
radioactive material at the location where the material was
transferred.
b. SL II violations involve, for example:
1. An actual theft, diversion, or loss of a category 2 quantity of
radioactive material that results from failure to establish or
implement one or more requirements of 10 CFR part 37; or
2. A licensee fails to verify prior to transfer that a recipient is
authorized to possess the type, form, and quantity of category 2
radioactive material being transferred, where the transfer was made to
a recipient that was not authorized to possess either the type, form,
or quantity of category 2 radioactive material.
c. SL III violations involve, for example:
1. Failures occur involving access authorization requirements, such
as the following:
(a) An individual who has not been determined trustworthy and
reliable (T&R) has the ability to access, without an escort, security
zones containing category 1 or category 2 quantities of radioactive
material;
(b) A failure to establish, implement and maintain an access
authorization program that is specific to the licensee's operations; or
(c) An individual who was not determined T&R has determined that
other individuals were T&R.
2. A failure to complete elements of the initial background
requirements for granting unescorted access.
3. Failures occur involving general security program requirements,
such as the following:
(a) A failure to develop, implement, and maintain a security plan
specific to the licensee's facilities and operations; or failure to
address the required elements of the subpart;
(b) A failure to develop, implement, and maintain procedures
specific to the licensee's facilities and operations; or failure to
address how the requirements of 10 CFR part 37 Subpart C and the
security plan will be met;
(c) A failure to conduct formal training in accordance with
37.43(c) or to complete the training at the required frequency, where
the individuals did not demonstrate knowledge of how to implement the
licensee's security program commensurate with their role(s); or
(d) A failure to limit access to, or unauthorized disclosure of,
the security plan or implementing procedures.
4. Failures occur involving Local Law Enforcement Agency (LLEA)
coordination, such as the following:
(a) A licensee fails to initially coordinate with LLEA, as required
by 10 CFR 37.45(a) or fails to notify NRC, as required by 10 CFR
37.45(b); or
(b) A licensee fails to perform coordination every 12 months and
there were changes to the facility design or operation that adversely
affected the potential vulnerability of the licensee's material to
theft, sabotage, or diversion.
5. Failures occur involving security zones, monitoring, detection,
and assessment, such as the following:
(a) A failure to continuously monitor and immediately detect,
assess, and respond to unauthorized entry to a security zone with a
category 1 or category 2 quantity of radioactive material;
(b) A failure to maintain the capability to immediately detect any
attempted unauthorized removal of a category 1 quantity of radioactive
material from a security zone; or
[[Page 42277]]
(c) A licensee has no means for continuous capability for personnel
communication and electronic data transmission and processing among
site security systems.
6. A licensee fails to implement, or fails to implement at the
required frequency, a maintenance and testing program to ensure that
intrusion alarms, associated communications systems, and other physical
components of the systems used to secure or detect unauthorized access
to radioactive material are maintained in operable condition and are
capable of performing their intended function when needed, where the
equipment was not operable.
7. Failures occur involving requirements for mobile devices, such
as the following:
(a) A licensee fails to secure a mobile device containing a
category 1 or category 2 quantity of radioactive material as required
by 10 CFR 37.53(a), when the mobile device is not under direct control
and constant surveillance by the licensee; or
(b) A licensee fails to disable a vehicle or trailer containing a
category 1 or category 2 quantity of radioactive material, when not
under direct control and constant surveillance by the licensee.
8. A licensee fails to make verbal (telephonic) notification, or
makes a late verbal (telephonic) notification, as required by 10 CFR
37.
d. SL IV Violations involve, for example:
1. Failures occur involving access authorization requirements, such
as the following:
(a) An individual who has not been determined T&R has the ability
for unescorted access to security zones containing category 1 or
category 2 quantities of radioactive material, however:
1. the individual did not gain access, or
2. gained access, yet the individual had been previously vetted
under a comparable review by the licensee that mitigates the security
risk posed by the individual (e.g., federal security clearance, a
licensee's hiring process), or
3. gained access, yet the scope/duration of unescorted access
mitigated the ability to exploit the failure.
(b) A failure to establish, implement and maintain written
procedures for implementing the access authorization program;
(c) An individual who was determined T&R but was not formally
appointed a reviewing official under oath or affirmation has determined
that other individuals were T&R;
(d) A failure to create or maintain a list of persons approved for
unescorted access; or
(e) A failure to document the basis for the determination of T&R
for the purpose of granting unescorted access to category 1 and
category 2 quantities of radioactive material.
2. Failures occur involving background investigation requirements,
such as the following:
(a) An isolated/limited failure to complete elements of 10 CFR
37.25(a)(3)-(6) of the initial background requirements for granting
unescorted access to category 1 or category 2 quantities of radioactive
material; or
(b) A failure to complete fingerprinting and an FBI identification
and criminal history records check during reinvestigation.
3. Failures occur involving general security program requirements,
such as the following:
(a) A licensee has developed a security plan and implementing
procedures specific to its facilities and operations; however, the
written security plan or implementing procedures did not describe the
required elements of 10 CFR part 37 Subpart C;
(b) A licensee did not conduct formal training in accordance with
37.43(c) or did not complete the training at the required frequency,
where the individuals demonstrated knowledge of how to implement the
licensee's security program commensurate with their role(s);
(c) A failure to document required training for an individual
granted unescorted access;
(d) A failure to limit access to, or unauthorized disclosure of,
the security plan or implementing procedures; however, access to
sensitive information was to an individual who had been previously
vetted under a comparable review completed or initiated by the licensee
that mitigates the security risk posed by the individual (e.g. federal
security clearance, a licensee's hiring process); or
(e) A failure to limit access to, or unauthorized disclosure of,
the list of individuals approved for unescorted access.
4. Failures occur involving LLEA coordination, such as the
following:
(a) A licensee initially coordinates with LLEA, but fails to meet
all the requirements set forth in 10 CFR 37.45(a);
(b) A licensee fails to perform coordination every 12 months and
there were no changes to the facility design or operation that
adversely affected the potential vulnerability of the licensee's
material to theft, sabotage, or diversion; or
(c) For initial or subsequent LLEA coordination, a failure to
notify, or late notification to NRC, as required by 10 CFR 37.45(b);
5. Failures occur involving security zones, monitoring, detection,
and assessment, such as the following:
(a) An isolated failure to continuously monitor and immediately
detect, assess, and respond to unauthorized entry to a security zone
with a category 1 quantity of radioactive material, where the
unauthorized entry is of limited duration and where there is a
capability to detect removal of category 1 material;
(b) An isolated failure to maintain the capability to immediately
detect any attempted unauthorized removal of a category 1 quantity of
radioactive material from the security zone, where there is the
capability to detect intrusion into the security zone and there is some
other function or feature in place that mitigates the ability to
exploit the failure;
(c) An isolated failure to continuously monitor and immediately
detect, assess, and respond to unauthorized entry to a security zone
with a category 2 quantity of radioactive material, where there is a
function or feature in place, separate from the means to detect removal
of category 2 material, that mitigates the ability to exploit the
failure;
(d) A licensee has one means for continuous capability for
personnel communication and electronic data transmission and processing
among site security systems; or
(e) A failure to conduct weekly verification checks for category 2
material.
6. A licensee fails to implement, or fails to implement at the
required frequency, a maintenance and testing program to ensure that
intrusion alarms, associated communications systems, and other physical
components of the systems used to secure or detect unauthorized access
to radioactive material are maintained in operable condition and are
capable of performing their intended function when needed, where the
equipment was operable.
7. Failures occur involving requirements for mobile devices, such
as the following:
(a) A licensee fails to secure material as required by 10 CFR
37.53(a), when the material is not under direct control and constant
surveillance by the licensee; however, one tangible barrier exists,
there is no actual loss of material, and the failure is isolated; or
(b) A licensee fails to disable a vehicle or trailer containing a
category 1 or category 2 quantity of radioactive
[[Page 42278]]
material, when not under direct control and constant surveillance by
the licensee, where there is a function or feature in place that
mitigates the ability to exploit the failure.
8. A licensee fails to make written reports, or makes a late
written report, required by 10 CFR part 37.
9. A licensee fails to maintain records as required by 10 CFR part
37 requirements.
10. A licensee fails to conduct an annual review of the access
authorization program or the security program.
[FR Doc. 2025-16585 Filed 8-28-25; 8:45 am]
BILLING CODE 7590-01-P