[Federal Register Volume 91, Number 122 (Friday, June 26, 2026)]
[Proposed Rules]
[Pages 38928-38989]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2026-12989]



[[Page 38927]]

Vol. 91, No. 122

Friday, June 26, 2026

Part IV

Nuclear Regulatory Commission

-----------------------------------------------------------------------

10 CFR Parts 26, 50, et al.

-----------------------------------------------------------------------

Modernizing Security Requirements; Proposed Rule


[[Page 38928]]


-----------------------------------------------------------------------

NUCLEAR REGULATORY COMMISSION

10 CFR Parts 26, 50, 52, 72, 73, and 95

[PRM-26-4; PRM-26-7; PRM-26-8; NRC-2012-0079; and NRC-2025-1303]
RIN 3150-AL53


Modernizing Security Requirements

AGENCY: Nuclear Regulatory Commission.

ACTION: Proposed rule and draft guidance; request for comment.

-----------------------------------------------------------------------

SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is proposing to 
revise its regulations to modernize security and fitness-for-duty 
requirements to enhance efficiency, consistent with Executive Order 
14300, ``Ordering the Reform of the Nuclear Regulatory Commission.'' 
The proposed revisions are intended to reduce regulatory burden, where 
appropriate, while continuing to provide reasonable assurance that 
safety and security will be adequately maintained at NRC-licensed 
facilities.

DATES: Comments must be submitted electronically using https://www.regulations.gov by 11:59 p.m. eastern time on July 27, 2026.

ADDRESSES: Submit your comments, identified by Docket ID NRC-2025-1303, 
at https://www.regulations.gov. If your material cannot be submitted 
using https://www.regulations.gov, call or email the individuals listed 
in the FOR FURTHER INFORMATION CONTACT section of this document for 
alternate instructions.
    Do not include any personally identifiable information (such as 
name, address, or other contact information) or confidential business 
information that you do not want publicly disclosed. All comments are 
public records; they are publicly displayed exactly as received and 
will not be deleted, modified, or redacted. Comments may be submitted 
anonymously.
    Follow the search instructions on https://www.regulations.gov to 
view public comments.
    You can read a plain language description of this proposed rule at 
https://www.regulations.gov/docket/NRC-2025-1303. For additional 
direction on obtaining information and submitting comments, see 
``Obtaining Information and Submitting Comments'' in the SUPPLEMENTARY 
INFORMATION section of this document.

FOR FURTHER INFORMATION CONTACT: Nicole Fields, Office of Nuclear 
Material Safety and Safeguards, telephone: 630-829-9570, email: 
[email protected] and Shyrl Coker, Office of Nuclear Reactor 
Regulation, telephone: 301-287-3603, email: [email protected]. Both 
are staff of the U.S. Nuclear Regulatory Commission, Washington, DC 
20555-0001.

SUPPLEMENTARY INFORMATION:

Executive Summary

A. Need for the Regulatory Action

    The U.S. Nuclear Regulatory Commission (NRC) is proposing to revise 
its regulations to modernize security and fitness-for-duty requirements 
to enhance efficiency, consistent with Executive Order 14300, 
``Ordering the Reform of the Nuclear Regulatory Commission.''

B. Major Provisions

    Major provisions of this proposed rule, supported by accompanying 
draft guidance, include the following:
     Fitness for Duty Programs. The NRC is proposing 
effectiveness and efficiency improvements to the drug and alcohol 
testing requirements based on lessons learned from implementing title 
10 of the Code of Federal Regulations (10 CFR) part 26, ``Fitness for 
Duty Programs,'' to align with select changes made by other Federal 
agency testing programs, and to address several petitions for 
rulemaking (PRMs). Changes include enabling the collection and drug 
testing of oral fluid specimens for all conditions for testing, a risk-
informed reduction in the annual random testing rate for most licensee 
employees, enhancing blind performance testing requirements with 
additional program flexibilities and targeted sampling reductions, 
updating the refresher training interval, and eliminating the 
requirement for licensees to conduct annual audits of U.S. Department 
of Health and Human Services certified laboratories. The NRC also is 
proposing to extend the duration of applicability for the optional 
subpart K to 10 CFR part 26 fitness-for-duty programs for reactor 
construction, and to enable licensees and other entities to escort 
construction workers instead of subjecting those workers to a subpart K 
program. Under the fatigue management program requirements, the NRC is 
proposing to add a new exception from the work-hour controls for 
sequestration events, specifying alternative work hour controls and 
requirements that licensees may meet during such events. The NRC is 
also proposing to eliminate the annual reporting of fatigue management 
performance information to the NRC. These changes would reduce 
unnecessary regulatory burden.
     Security Requirements for Independent Spent Fuel Storage 
Installations. The proposed rule would revise security requirements for 
independent spent fuel storage installations (ISFSIs) to improve 
clarity and consistency between the requirements for general license 
ISFSIs and specific license ISFSIs. Major provisions would allow 
standalone ISFSIs located outside a power reactor's protected area to 
implement security programs appropriate for their risk profile. The 
rule would streamline the process for updating ISFSI security plans and 
reduce the frequency of required submissions to the NRC. These changes 
would be responsive to stakeholder feedback and Commission direction, 
reducing licensee burden and facilitating efficient transitions to 
decommissioning.
     Physical Security Requirements. The NRC is proposing to 
modernize and streamline physical security requirements for nuclear 
power reactors and materials by shifting from prescriptive rules to 
performance-based, risk-informed criteria. The amendments would provide 
increased flexibility for implementing security measures and allow for 
the use of technology-inclusive approaches and alternatives tailored to 
diverse reactor designs. The proposal addresses access authorization, 
cybersecurity, safeguards information handling, event notifications, 
and training, and resolves industry concerns from recent rulemakings. 
In revising performance objectives, the changes would support 
innovation, reduce unnecessary regulatory burden, and maintain 
protection against credible threats.
     Facility Security Clearance and Safeguarding of National 
Security Information and Restricted Data. The NRC is proposing to 
revise 10 CFR part 95, ``Facility Security Clearance and Safeguarding 
of National Security Information and Restricted Data,'' to remove 
requirements that are duplicative and to ensure alignment with 32 CFR 
part 117, ``National Industrial Security Program Operating Manual 
(NISPOM).'' These changes would provide references to the applicable 
provisions of 32 CFR part 117 for implementation of the National 
Industrial Security Program.

C. Costs and Benefits

    The NRC prepared a draft regulatory analysis to determine the 
expected quantitative costs and benefits of this proposed rule and 
associated draft guidance as well as qualitative factors to be 
considered in the NRC's rulemaking decision. The conclusion from the 
analysis is that this proposed rule and associated draft guidance would 
result

[[Page 38929]]

in net cost savings to the industry and the NRC, over the next 30 
years, ranging from $561 million using a 7 percent discount rate to 
$1.01 billion using a 3 percent discount rate. For the industry, the 
net cost savings are estimated at $557 million (7 percent discount 
rate) and $1.01 billion (3 percent discount rate). For the NRC, the net 
cost savings are estimated at $3.4 million (7 percent discount rate) 
and $6.7 million (3 percent discount rate). On an annualized basis, the 
net cost savings to the industry and the NRC would be about $45.2 
million per year at a 7 percent discount rate and $51.8 million per 
year at a 3 percent discount rate.
    The draft regulatory analysis also considers qualitative factors, 
such as regulatory efficiency. These benefits would result from 
clarifications, administrative changes, and streamlining of processes 
(such as notifications), along with aligning requirements with existing 
Federal regulations instead of maintaining separate but similar NRC 
requirements.
    For more information, please see the draft regulatory analysis 
(available in the NRC's Agencywide Documents Access and Management 
System (ADAMS) Accession No. ML26113A051).

Table of Contents

I. Obtaining Information and Submitting Comments
    A. Obtaining Information
    B. Submitting Comments
II. Executive Order 14300: Ordering the Reform of the Nuclear 
Regulatory Commission
III. Background
IV. Discussion
    A. Fitness for Duty Programs (Part 26)
    B. Security Requirements for Independent Spent Fuel Storage 
Installations (ISFSIs) (Parts 72 and 73)
    C. Physical Security Requirements (Part 73)
    D. Facility Security Clearance and Safeguarding of National 
Security Information and Restricted Data (Part 95)
V. Specific Requests for Comments
VI. Regulatory Flexibility Certification
VII. Regulatory Analysis
VIII. Backfitting and Issue Finality
IX. Cumulative Effects of Regulation
X. Plain Writing
XI. National Environmental Policy Act
XII. Paperwork Reduction Act
XIII. Executive Orders
    A. Executive Order 12866: Regulatory Planning and Review (as 
Amended by Executive Order 14215, Ensuring Accountability for All 
Agencies)
    B. Executive Order 14154: Unleashing American Energy
    C. Executive Order 14192: Unleashing Prosperity Through 
Deregulation
    D. Executive Order 14267: Reducing Anti-Competitive Regulatory 
Barriers
    E. Executive Order 14270: Zero-Based Regulatory Budgeting To 
Unleash American Energy
XIV. Voluntary Consensus Standards
XV. Availability of Guidance
XVI. Availability of Documents

I. Obtaining Information and Submitting Comments

A. Obtaining Information

    Please refer to Docket ID NRC-2025-1303 when contacting the NRC 
about the availability of information for this action. You may obtain 
publicly available information related to this action by any of the 
following methods:
     Federal Rulemaking Website: Go to https://www.regulations.gov and search for Docket ID NRC-2025-1303.
     NRC's Agencywide Documents Access and Management System 
(ADAMS): You may obtain publicly available documents online in the 
ADAMS Public Documents collection at https://www.nrc.gov/reading-rm/adams.html. To begin the search, select ``Begin ADAMS Public Search.'' 
For problems with ADAMS, please contact the NRC's Public Document Room 
(PDR) reference staff at 1-800-397-4209, at 301-415-4737, or by email 
to [email protected]. For the convenience of the reader, 
instructions about obtaining materials referenced in this document are 
provided in the ``Availability of Documents'' section.
     NRC's PDR: The PDR, where you may examine and order copies 
of publicly available documents, is open by appointment. To make an 
appointment to visit the PDR, please send an email to 
[email protected] or call 1-800-397-4209 or 301-415-4737, between 8 
a.m. and 4 p.m. eastern time, Monday through Friday, except Federal 
holidays.
     Public Meeting: The NRC will conduct a public meeting to 
describe the proposed amendments and answer questions from the public 
on the proposed rule. The NRC will publish a notice of the location, 
time, and agenda of the meeting on the NRC's public meeting website 
within 10 calendar days of the meeting. Stakeholders should monitor the 
NRC's public meeting website for information about the public meeting 
at: https://www.nrc.gov/public-involve/public-meetings/index.cfm.

B. Submitting Comments

    Comments must be submitted electronically using https://www.regulations.gov no later than 11:59 p.m. eastern time on July 27, 
2026. Please include Docket ID NRC-2025-1303 in your comment 
submission.
    The NRC cautions you not to include identifying or contact 
information that you do not want to be publicly disclosed in your 
comment submission. The NRC will post all comment submissions at 
https://www.regulations.gov as well as enter the comment submissions 
into ADAMS. The NRC does not routinely edit comment submissions to 
remove identifying or contact information.
    If you are requesting or aggregating comments from other persons 
for submission to the NRC, then you should inform those persons not to 
include identifying or contact information that they do not want to be 
publicly disclosed in their comment submission. Your request should 
state that the NRC does not routinely edit comment submissions to 
remove such information before making the comment submissions available 
to the public or entering the comment into ADAMS.

II. Executive Order 14300: Ordering the Reform of the Nuclear 
Regulatory Commission

    On May 23, 2025, President Donald J. Trump signed Executive Order 
(E.O.) 14300, ``Ordering the Reform of the Nuclear Regulatory 
Commission.'' Section 5, ``Reforming and Modernizing the NRC's 
Regulations,'' requires the NRC to undertake a review and wholesale 
revision of its regulations and guidance documents as guided by the 
policies set forth in section 2 of the E.O. This rulemaking addresses 
section 5(g), which directs the NRC to ``[r]evise the Reactor Oversight 
Process and reactor security rules and requirements to reduce 
unnecessary burdens and be responsive to credible risks.''

III. Background

    Over the decades, the NRC has developed a comprehensive regulatory 
framework to ensure that licensee programs at nuclear facilities 
provide reasonable assurance that public health and safety is 
adequately protected and are in accord with the common defense and 
security. This proposed rule seeks to modernize the NRC's regulatory 
framework for licensee security programs--reducing regulatory burden, 
where appropriate, while continuing to provide reasonable assurance of 
adequate safety and security. The principal regulations relevant to 
this

[[Page 38930]]

proposed rule are set forth in 10 CFR parts 26; 72, ``Licensing 
Requirements for the Independent Storage of Spent Nuclear Fuel, High-
Level Radioactive Waste, and Reactor-Related Greater Than Class C 
Waste''; 73, ``Physical Protection of Plants and Materials''; and 95.
    The regulations in 10 CFR part 26 govern fitness-for-duty (FFD) 
programs, including drug and alcohol testing and fatigue management, 
for personnel at nuclear power plants and certain other NRC-licensed 
facilities. The requirements are designed, in part, to provide 
reasonable assurance that individuals are trustworthy, reliable, and 
not under the influence of any substances, legal or illegal, or 
mentally or physically impaired from any cause that could adversely 
affect their ability to safely and competently perform their duties.
    The regulations in 10 CFR part 72 set forth requirements for the 
licensing and operation of ISFSIs. These facilities are used to safely 
store spent nuclear fuel and certain other radioactive materials, both 
at power reactor sites and away from reactor sites. Part 72 includes 
both safety and security provisions, with physical protection 
requirements that vary depending on whether the ISFSI is operated under 
a general license or specific license.
    The regulations in 10 CFR part 73 address the physical protection 
of plants and materials. Part 73 contains detailed requirements for 
physical security programs, access authorization, cybersecurity, and 
the protection of safeguards information. These requirements apply to 
commercial nuclear power reactors, fuel cycle facilities, and other 
licensees that possess special nuclear material (SNM). The regulation 
is structured to protect against the design basis threats of 
radiological sabotage and theft or diversion of SNM, and includes 
requirements for security organization, training, response strategies, 
and contingency planning.
    The regulations in 10 CFR part 95 establish requirements for 
facility security clearances and the safeguarding of national security 
information and restricted data. These requirements are intended to 
ensure that NRC licensees and certificate holders who require access to 
classified information maintain appropriate security measures in 
accordance with the National Industrial Security Program.
    The NRC recognizes the need to modernize and streamline its 
security and FFD regulations to reduce unnecessary regulatory burden, 
promote regulatory clarity, provide appropriate program flexibility, 
and support the deployment of innovative technologies, while also 
continuing to provide reasonable assurance that safety and security 
will be adequately maintained. This proposed rule aligns with national 
policy directives to facilitate the expansion of United States nuclear 
energy capacity, as articulated in recent Executive Orders and 
statutory mandates.
    In addition to E.O. 14300, other recent E.O.s related to the 
expansion of United States nuclear energy capacity include E.O. 14156, 
``Declaring a National Energy Emergency'' (90 FR 8433; January 29, 
2025), which stressed the need for a reliable, diversified, and 
affordable supply of energy, and E.O. 14154, ``Unleashing American 
Energy'' (90 FR 8353; January 29, 2025), which stated that it is in the 
national interest to ``unleash America's affordable and reliable energy 
and national resources.''
    Recent statutory mandates related to nuclear energy capacity 
include the Nuclear Energy Innovation and Modernization Act (Pub. L. 
115-439, 132 Stat. 5572) (NEIMA) and the Accelerating Deployment of 
Versatile, Advanced Nuclear for Clean Energy Act of 2024 (Pub. L. 118-
67, 138 Stat. 1448) (ADVANCE Act). In response to NEIMA, the NRC 
recently issued a final rule establishing 10 CFR part 53, ``Risk-
Informed, Technology-Inclusive Regulatory Framework for Commercial 
Nuclear Power Plants,'' which sets forth a regulatory framework for 
licensing and regulating advanced reactors (91 FR 15696; March 30, 
2026). Part 53 is designed to accommodate a wide range of reactor 
technologies and business models, providing performance-based 
requirements that enable the use of modern safety and security 
approaches. As discussed in Section IV of this document, proposed 
changes as a part of this proposed rule would apply to licensees and 
applicants under 10 CFR parts 50, ``Domestic Licensing of Production 
and Utilization Facilities''; 52, ``Licenses, Certifications, and 
Approvals for Nuclear Power Plants''; and 53. The proposed amendments 
are intended to provide enhanced regulatory flexibility for both 
current and future licensees, streamline administrative processes, and 
ensure that NRC requirements remain effective, efficient, and 
responsive to credible risks.
    The NRC prepared an unofficial redline strikeout version of the 
proposed changes to regulatory text that is intended to help the reader 
identify the changes. The unofficial redline strikeout version of the 
proposed rule is publicly available and is listed in the ``Availability 
of Documents'' section. Comments on the rule text should refer to this 
proposed rule and not the unofficial redline strikeout version.

IV. Discussion

    The discussion is organized by subject area because of the wide-
ranging set of issues covered by this proposed rule. The proposed rule 
also includes minor editorial corrections.

A. Fitness for Duty Programs (Part 26)

    The proposed rule would incorporate effectiveness and efficiency 
improvements into the NRC's FFD program requirements for drug and 
alcohol testing and fatigue management since the NRC's extensive 
amendments of part 26 in 2008 (73 FR 17176; March 31, 2008). These 
proposed effectiveness and efficiency changes would reduce unnecessary 
regulatory burden on licensees and other entities and address section 
5(g) of E.O. 14300. This proposed rule focuses on three areas: (1) 
incorporating lessons learned from implementing part 26 since 2008; (2) 
aligning part 26 with select updates made to the U.S. Department of 
Health and Human Services (HHS) Mandatory Guidelines for Federal 
Workplace Drug Testing Programs (HHS Guidelines) and the U.S. 
Department of Transportation (DOT) drug testing requirements in 49 CFR 
part 40, ``Procedures for Transportation Workplace Drug and Alcohol 
Testing Programs''; and (3) addressing three PRMs.\1\
---------------------------------------------------------------------------

    \1\ The PRMs (PRM-26-4, PRM-26-7, and PRM-26-8) are discussed in 
this section and in Section IV.A.(i)(s), ``SAE credential--State-
licensed or -certified marriage and family therapists,'' and Section 
IV.A.(i)(t), ``SAE credential--Certified Addiction Specialist by the 
American Academy of Health Care Providers in Addictive Medicine,'' 
of this document.
---------------------------------------------------------------------------

    Proposed changes to the drug and alcohol testing program 
requirements include the following: expanding the option to collect and 
drug test oral fluid specimens for all conditions for testing in Sec.  
26.31(c); implementing a risk-informed reduction to the annual random 
testing rate in Sec.  26.31(d)(2)(vii) that applies to most licensee 
employees (i.e., those that do not perform critical safety- or 
security-related functions); extending the duration of applicability 
for the optional FFD program for reactor construction under subpart K 
to 10 CFR part 26, ``FFD Program for Construction''; enabling licensees 
and other entities to escort construction workers performing activities 
under Sec.  26.4(f), as an alternative to those workers being subject 
to an FFD program; enhancing the Sec.  26.168 blind performance testing 
requirements to

[[Page 38931]]

reduce unnecessary burden; eliminating annual audits of HHS-certified 
laboratories performed by licensees and other entities; updating the 
FFD program refresher training interval; and removing unused 
regulations (specifically, subpart F, ``Licensee Testing Facilities''). 
Proposed changes to the fatigue management program requirements include 
alternative requirements that licensees can meet during a sequestration 
event and the elimination of the requirement to annually report fatigue 
management information to the NRC.
    From 2010 through 2012, the NRC also received three PRMs (docketed 
by the NRC as PRM-26-4, PRM-26-7, and PRM-26-8), which the NRC 
determined to be appropriate for consideration in the rulemaking 
process; all three of the PRMs are being considered as part of this 
rulemaking. To address PRM-26-4, ``California Association of Marriage 
and Family Therapists'' (75 FR 51958; August 24, 2010), the NRC is 
proposing to add State-licensed or State-certified marriage and family 
therapists to the list of acceptable credentials in Sec.  26.187(b) 
that qualify individuals to serve as substance abuse experts (SAEs). 
The NRC also considered the issues identified for rulemaking in PRM-26-
7, ``Certification of Substance Abuse Experts'' (76 FR 61625; October 
5, 2011), related to Certified Addiction Specialists. The NRC is not 
proposing to add the petitioner's requested Certified Addiction 
Specialist that has been certified by the American Academy of Health 
Care Providers in the Addictive Disorders to the list of acceptable 
credentials to serve as an SAE under Sec.  26.187(b), and accordingly 
would deny PRM-26-7.
    Finally, the NRC considered the issues identified for rulemaking in 
PRM-26-8, ``Additional Synthetic Drug Testing'' (78 FR 22209; April 15, 
2013). The NRC determined that the 2022 part 26 final rule (87 FR 
71422; November 22, 2022), in part, addressed the issues raised in this 
petition by expanding the drug testing panel to include additional 
semi-synthetic opioids (hydrocodone, hydromorphone, oxycodone, 
oxymorphone), methylenedioxy-methamphetamine (MDMA), and 
methylenedioxyamphetamine (MDA). Under Sec.  26.31(d)(1)(i), licensees 
and other entities also have the ability to consult with local law 
enforcement, hospitals, and drug counseling services to determine if 
other drugs with abuse potential are being used in the geographic 
locale of facilities, and to expand the drug testing panels to include 
any controlled substance that is listed on Schedules I through V of 
section 202 of the Controlled Substances Act. In addition, under Sec.  
26.77(b), a licensee or other entity must take immediate action to 
prevent any individual from performing covered duties if they appear 
impaired, which provides reasonable assurance that impairment from any 
cause (including the use of both scheduled and unscheduled substances) 
can be addressed. Accordingly, the NRC is not proposing changes related 
to PRM-26-8 and would deny this petition.
    HHS and DOT have also updated their drug testing program 
requirements since the 2008 and 2022 amendments to part 26. On October 
12, 2023, HHS published final revisions to the HHS Guidelines for the 
testing of drugs in urine and oral fluid specimens (88 FR 70768 and 88 
FR 70814, respectively). DOT published two final rules amending its 
drug and alcohol testing programs in 49 CFR part 40. One updated DOT's 
urine drug testing requirements (82 FR 52229; November 13, 2017), and 
the other enabled oral fluid drug testing (88 FR 27596; May 2, 2023). 
The HHS Guidelines govern Federal employee workplace drug testing 
programs at more than 100 Federal agencies and Federal agency drug 
testing programs (e.g., DOT) that test civilians in safety- and 
security-sensitive positions similar to personnel tested under the 
NRC's FFD program in part 26. The NRC has historically relied on the 
HHS Guidelines to establish the technical requirements for the 
collection and testing of specimens for drugs and the review of test 
results. The NRC also relies on the DOT's drug and alcohol testing 
regulations in 49 CFR part 40 in certain situations for which HHS does 
not have guidelines; for example, the HHS Guidelines do not cover 
testing for alcohol or evaluating and returning individuals to covered 
duties following a positive drug or alcohol test result. The DOT-
regulated entities also test millions of individuals each year, which 
provides valuable lessons learned from implementing a testing program 
covering a much larger worker population than exists in the U.S. 
nuclear industry. This proposed rule would incorporate select updates 
to the HHS Guidelines and DOT drug testing requirements into part 26.
(i) Drug and Alcohol Testing
(a) Program Implementation Milestone
    The proposed rule includes a risk-informed change that would extend 
the implementation milestone for when a licensee or other entity must 
transition from the optional subpart K to an FFD program that meets all 
of the requirements of part 26, except subparts K and M, ``Fitness for 
Duty Programs for Facilities Licensed under 10 CFR part 53.'' The 
milestone would change from the receipt of special nuclear material in 
the form of fuel assemblies to before initial fuel load into the 
reactor.
    The NRC has reassessed the risks presented during the construction 
of nuclear power reactors and has determined that implementation of 
Sec.  26.3(a) and (c) and Sec.  26.4(e)(1) is not commensurate with 
current risk insights. Section 26.3(a) currently requires, in part, 
that licensees authorized to operate a nuclear power reactor under part 
50 and holders of a combined license (COL) under part 52 after the 
Commission has made the finding under Sec.  52.103(g) shall implement 
the FFD program under the requirements of part 26, except for subparts 
K and M, before the receipt of SNM in the form of fuel assemblies. 
Under Sec.  26.3(c), licensees and other entities constructing a 
nuclear power plant must implement their FFD program no later than 
receipt of SNM in the form of fuel assemblies. The risk associated with 
unirradiated fuel, however, does not increase when the fuel arrives 
onsite, because its engineered safety features, storage, and 
configuration have not changed since the fuel was in transit. For 
transit and receipt onsite, the same physical protection requirements 
(i.e., Sec.  73.67, ``Licensee fixed site and in-transit requirements 
for the physical protection of special nuclear material of moderate and 
low strategic significance'') are applied to protect the fuel. Safety 
and security risks associated with unirradiated nuclear fuel begin to 
increase once the process of loading fuel into its operating 
configuration begins. The operational milestone ``before initial fuel 
load into the reactor'' therefore corresponds more closely to the start 
of NRC-licensed activities that could result in consequences adverse to 
public health and safety or the common defense and security than does 
the current milestone of receipt of nuclear fuel onsite. Further, this 
proposed milestone change is based on recent operating experience from 
implementing subpart K FFD programs at power reactor construction 
sites. Specifically, the NRC issued an exemption to the licensee for 
Vogtle Electric Generating Plant Units 3 and 4 to delay implementing 
FFD programs, except those that applied for construction, until initial 
fuel load (86 FR 73809; December 28, 2021).

[[Page 38932]]

(b) Specimen Testing Options
    The proposed rule would expand the option to collect and drug test 
oral fluid specimens for all conditions of testing specified under 
Sec.  26.31(c). This proposed change would provide an effective method 
to thwart attempts to subvert the drug testing process because all oral 
fluid specimens would be collected under direct observation. Each year, 
approximately 25 to 30 percent of the drug testing violations under 
part 26 are identified subversion attempts. In most cases, a donor 
attempts to provide a specimen that did not come from their body (e.g., 
synthetic urine). This action is possible because a donor typically 
provides a urine specimen inside a privacy enclosure. However, oral 
fluid testing is conducted in a manner that is directly observable 
without the privacy enclosure associated with collecting a urine 
sample, and therefore precludes potential subversion attempts that can 
be visually identified.
    Currently, under Sec.  26.83(b), licensees and other entities have 
the option to collect and drug test an oral fluid specimen instead of a 
urine specimen only when a directly observed collection is required 
(i.e., when information suggests a donor may be attempting to subvert a 
urine drug test). Expanding the collection and drug testing of oral 
fluid specimens has the potential to significantly improve the 
deterrent capabilities of the drug testing process, which would improve 
public health and safety and common defense and security. This proposed 
rule would also reduce the financial and administrative burdens 
associated with actions taken in response to subversion attempts that 
licensees and other entities would no longer encounter.
(c) Blind Performance Testing Submissions
    Blind performance test samples (BPTSs) are formulated to verify the 
accuracy and reliability of each drug and validity test performed by 
the HHS-certified laboratory that a licensee or other entity uses to 
perform testing under contract. In each calendar quarter, BPTSs must be 
submitted to the laboratory for each drug or drug metabolite that must 
be tested in donor specimens and for each validity test performed to 
identify subversion attempts. A licensee or other entity must prepare 
BPTSs to appear as donor specimens to the laboratory, and BPTSs must be 
submitted along with donor specimens throughout the calendar quarter to 
evaluate laboratory performance.
    Each year, operating experience demonstrates that the BPTS program 
identifies unsatisfactory performance at HHS-certified laboratories. 
Given the consolidated use of testing laboratories by industry, an 
identified performance issue at one laboratory generally impacts 
numerous licensee and other entity FFD programs. Identified performance 
issues, for example, have pertained to false negative test results 
because of laboratory certified scientists failing to adhere to 
laboratory testing procedures, weaknesses in laboratory standard 
operating procedures, improperly formulated reagents used in testing, 
and testing equipment maintenance issues.
    The proposed rule would incorporate three effectiveness and 
efficiency improvements for blind performance testing programs based on 
industry practice and lessons learned. These improvements would reduce 
unnecessary regulatory burden for licensees and other entities.
1. Testing During Initial 90 Days
    The proposed rule would eliminate the increased number of BPTSs 
that must be submitted in the initial 90 days of a licensee or other 
entity initiating a contract with a new HHS-certified laboratory. Under 
the existing requirements in Sec.  26.168(a), in this initial 90-day 
period, a minimum of 30 BPTSs must be submitted for testing, whereas in 
each subsequent calendar quarter, a minimum of 10 BPTSs must be 
submitted for testing. The increased number of BPTS submissions in the 
initial 90 days of testing is unnecessary. The NRC has found that the 
post-initial 90-day period BPTS submission number of 10 BPTSs per 
calendar quarter is sufficient to identify unsatisfactory laboratory 
performance. The blind testing program already requires that, if 
unsatisfactory performance is identified (e.g., false negative test 
result for a BPTS formulated to test positive for marijuana), a 
licensee or other entity must take immediate action to investigate and 
implement corrective actions under Sec. Sec.  26.719(c) and 26.167(f). 
Eliminating the increased number of BPTSs in the initial 90 days of 
testing would also reduce an unnecessary financial and administrative 
burden on a licensee or other entity considering changing to another 
HHS-certified testing laboratory.
2. Fleetwide BPTS Submissions
    The proposed rule would revise Sec.  26.168(a) to clarify how a 
licensee or other entity is to determine how many BPTSs it must submit 
for testing in each calendar quarter, after the initial 90-day period, 
to the HHS-certified laboratory that it maintains under contract to 
perform testing. The current BPTS submission requirements require a 
minimum of 10 BPTSs to be submitted per quarter, or 1 percent of the 
donor specimens up to a maximum of 100 BPTSs, whichever is greater. 
Generally, Sec.  26.168(a) has been applied at the facility level 
(e.g., a location with one or more nuclear power reactors), whereby the 
minimum BPTS submission requirement almost always applies. However, 
Sec.  26.168(a) could also be interpreted to apply at the fleet level. 
That is, a utility could calculate the number of BPTSs to submit to its 
HHS-certified laboratory based on the total number of donor specimens 
submitted for testing from all its facilities each quarter. This 
application would result in a reduction in the number of BPTS 
submissions per quarter compared to treating each of the utility's 
facilities independently under Sec.  26.168(a). Either application 
would adequately maintain safety and security because the testing 
capabilities of the laboratory used by the licensee would be 
effectively challenged throughout each testing quarter. Current 
industry practice demonstrates that a small number of HHS-certified 
laboratories are used by a large number of part 26-regulated entities 
(regardless of whether the number of BPTS submittals is calculated at 
the facility or the fleet level), which ensures that the HHS-certified 
laboratories undergo adequate testing, focusing on those program 
elements unique to the NRC's FFD framework.
3. Quarterly Drug Testing Submissions
    The NRC is proposing to eliminate the BPTS submission requirements 
in Sec.  26.168(b)(1) and (2) that require a licensee or other entity 
to submit at least two BPTSs positive for marijuana in each quarter and 
to replace the BPTS positive for PCP with an additional BPTS positive 
for cocaine in at least two quarters per year. These prescriptive 
requirements are unnecessarily restrictive to effectively challenge 
testing performed at HHS-certified laboratories (e.g., changing drug 
use trends may warrant a licensee to adjust which substances it submits 
to the laboratory, once it meets the minimum required in a quarter). 
The NRC is also proposing clarifications to Sec.  26.168(d) for false 
negative challenge BPTSs and Sec.  26.168(f) for negative BPTSs, which 
require a minimum of 10 percent of BPTSs submitted each quarter to be 
false negative challenge BPTSs and negative BPTSs, respectively. To 
conform with Sec.  26.168(e) for validity testing BPTSs, the NRC is 
proposing to
include a statement in each requirement to clarify that either a 
minimum of one BPTS, or 10 percent of BPTSs submitted each quarter, 
whichever is greater, must be submitted per quarter.
(d) Escorting Construction Workers
    The proposed rule would amend part 26 to permit licensees and other 
entities to escort construction workers performing activities covered 
under Sec.  26.4(f) instead of requiring these workers to be subject to 
an FFD program. This proposed change is based on recent operating 
experience from implementing subpart K FFD programs at the Vogtle 
Electric Generating Plant Units 3 and 4. Specifically, the NRC issued 
an exemption to the Vogtle licensee to permit the escorting of 
construction workers (84 FR 27364; June 12, 2019). To permit escorting, 
the proposed rule would amend Sec.  26.5, ``Definitions,'' to define 
the word ``Escort''; Sec.  26.4(e) to include a new requirement that 
individuals that serve as an escort must be subject to an FFD program 
that meets all part 26 requirements, except subparts I, ``Managing 
Fatigue,'' K, and M; Sec.  26.4(f) to state that individuals who are 
escorted and constructing or directing the construction of safety- or 
security-related structures, systems, and components (SSCs) need not be 
subject to the licensee's FFD program; Sec.  26.27(c)(5) and Sec.  
26.606(b)(7) to require the licensee or other entity to establish, 
implement, and maintain written procedures for escorting; and Sec.  
26.403(a) and (b) to require the licensee or other entity implementing 
a subpart K FFD program to establish, carry out, and maintain a 
procedure for escorts and those individuals under escort. These 
proposed changes would improve regulatory flexibility and potentially 
reduce costs by giving licensees and other entities the opportunity 
to better plan and carry out construction activities with individuals 
who may be onsite for only short periods of time.
(e) Fitness for Duty Program Refresher Training
    The proposed rule would revise Sec.  26.29(c)(2) to change the FFD 
program refresher training interval from a nominal 12-month frequency 
to a nominal 24-month frequency. This proposed change would align with 
the refresher training interval that would apply to future part 53 
licensees and other entities that implement Sec.  26.608(b) of subpart 
M. The proposed rule would maintain the requirement in existing 
Sec. Sec.  26.29(c)(2) and 26.608(b) for refresher training to be 
performed more frequently than the specified interval if the need is 
indicated, such as when an individual fails to properly implement FFD 
program procedures, or because of the severity of problems discovered 
through licensee-performed FFD program audits. This proposed change 
would reduce unnecessary regulatory burden by providing licensees and 
other entities with more flexibility on when to perform FFD program 
refresher training.
(f) Random Testing Rates for Licensee Employees
    The proposed rule would revise Sec.  26.31(d)(2)(vii) to reduce the 
annual random testing rate from 50 percent to 25 percent for most 
licensee employees (i.e., those that do not perform critical safety- or 
security-related activities). This risk-informed proposed change is 
based on an assessment of approximately 35 years of FFD program 
performance data annually reported to the NRC by licensees and other 
entities.
    The licensee employee workforce has consistently tested positive at 
much lower rates on pre-access and random drug and alcohol testing than 
the contractor/vendor workforce. The data show two to three times 
higher positive rates for contractor/vendors than licensee employees. 
In addition, FFD program performance data has consistently demonstrated 
that the licensee employee worker population has very low subversion 
rates.
    The existing 50 percent annual random testing rate would continue 
to apply to the small subset of licensee employees that perform 
critical safety and security-related functions (i.e., individuals 
licensed under 10 CFR part 55, ``Operators' Licenses,'' to operate a 
power reactor, security personnel under Sec.  26.4(a)(5), FFD program 
personnel under Sec.  26.4(g), and any supervisory personnel directing 
the operation or maintenance of safety- or security-related SSCs or 
directing the performance of security duties under Sec.  26.4(a)(5)).
(g) Random Testing--Use of Consortium/Third-Party Administrators
    The proposed rule would amend Sec.  26.31(d)(2)(vii) to incorporate 
a requirement--similar to that described in Sec.  26.607(b)(2)(vi) of 
subpart M of 10 CFR part 26--that applies to FFD programs with small 
staff sizes where random testing cannot be implemented without 
predictability. Small staff sizes can contribute to increased 
predictability in random testing, due to the possibility for staff to 
make inferences based on patterns in testing frequency that are more 
easily recognizable when there is a smaller pool of employees to choose 
from. For FFD programs with small staff sizes, the proposed rule--under 
a new Sec.  26.31(d)(2)(vii)(C)--would require the use of a consortium/
third-party administrator (C/TPA) to include the workers from multiple 
licensees or other entities in a combined random testing pool, from 
which the C/TPA would make testing selections throughout the year. Use 
of a C/TPA would significantly improve the effectiveness of the random 
testing programs of potential future licensee sites that may have small 
worker populations, and would ensure that individuals at these 
facilities would not be able to predict whether random testing would be 
conducted in a given period of time. As discussed in the 2026 part 53 
final rule, C/TPAs have been used for many years by other Federally-
regulated testing programs implemented by the U.S. Department of 
Transportation, such as those covering independent owner-operator truck 
drivers. This proposed aligning change would ensure that effective 
random testing programs can be implemented at future nuclear power 
reactor sites under parts 50 and 52 that may be operated by a small 
number of individuals.
    The proposed rule would also include a conforming revision to Sec.  
26.607(b)(2)(vi) to ensure that a C/TPA-managed random testing pool for 
a facility licensed under part 53 meets the same annual random testing 
rate as that required under Sec.  26.607(b)(2)(v). Without this 
correction, a C/TPA pool would not have a specified random testing 
rate.
(h) Licensee Audits of HHS-Certified Laboratories
    The proposed rule would eliminate the Sec.  26.41(c)(2) requirement 
for licensees and other entities to annually audit the HHS-certified 
laboratories maintained under contract to perform testing. These audits 
are redundant because HHS's National Laboratory Certification Program 
(NLCP) uses highly trained technical experts to independently inspect 
each HHS-certified laboratory twice per year. The NLCP inspection 
process evaluates the majority of laboratory services and functions 
provided to licensees and other entities under part 26, and the Sec.  
26.168 performance-based blind performance testing program (i.e., 
quarterly submission of BPTSs and implementing of corrective actions 
under Sec. Sec.  26.719(c) and 26.167(f)) effectively monitors and 
addresses unsatisfactory performance issues associated with unique 
testing program attributes specific to NRC programs. As
a result of eliminating the annual auditing requirement, the proposed 
rule would also make conforming changes to Sec.  26.41(a), (c)(1), (g), 
and (g)(4) and would remove Sec.  26.41(g)(5). These proposed rule 
changes would reduce unnecessary regulatory burden on licensees and 
other entities and the HHS-certified laboratories that perform testing 
for part 26 regulated entities.
(i) HHS-Certified Laboratory Contract Provisions for Subpart M FFD 
Programs
    The proposed rule would revise Sec.  26.607(c)(4), in subpart M of 
10 CFR part 26, to align with the requirements of Sec.  26.153(f) that 
apply to existing licensees and other entities implementing FFD 
programs under part 26. Paragraph Sec.  26.607(c)(4) requires, in part, 
that each licensee or other entity establish and maintain a contract 
with the HHS-certified laboratory relied upon for testing, and that the 
contract must stipulate that the laboratory is subject to inspection 
and auditing by the licensee or other entity, and that the laboratory 
must provide access to records and permit copying and removal of 
records, if necessary. However, Sec.  26.607(c)(4), as published in the 
2026 final rule that created subpart M, did not include other important 
contractual requirements in Sec.  26.153(f). The proposed rule would 
address these differences between the commensurate requirements by 
creating a new Sec.  26.607(c)(5) that would replace the last sentence 
currently in Sec.  26.607(c)(4).
    Specifically, the proposed rule would add the requirements 
equivalent to those in the existing requirements of Sec.  26.153(f)(1) 
through (6). These requirements specify that laboratories must comply 
with applicable provisions of any State licensor; make qualified 
personnel available to testify at any administrative or disciplinary 
proceedings against an individual based on a laboratory's test results; 
and provide a donor with access, upon written request, to all 
laboratory records associated with testing of the individual's specimen 
and any relevant records on laboratory certification, review, or 
revocation-of-certification proceedings. These requirements also 
include individual privacy requirements pertaining to laboratory 
records; conflict of interest provisions applicable to a licensee's or 
other entity's medical review officer (MRO); and the requirement that 
the NRC and any licensee or other entity using the laboratory's 
services must be permitted to inspect the laboratory at any time, 
including unannounced inspections.
    Maintaining uniform contractual requirements for HHS-certified 
laboratories that perform testing for any licensee or other entity FFD 
program under part 26 would be necessary because the NRC does not 
regulate HHS-certified laboratories. As such, contractual requirements 
would ensure that the NRC and its licensees and other entities have 
adequate access to each laboratory facility, its personnel, and its 
records, as necessary to conduct quality assurance reviews. Contractual 
requirements would also ensure that conflicts of interest do not exist 
between the laboratory and MROs who may review the laboratory's test 
results for a licensee or other entity.
(j) Maintaining Back-Up HHS-Certified Laboratories Under Contract for 
Subpart M FFD Programs
    The proposed rule would remove the Sec.  26.607(c)(4) requirement 
that a licensee or other entity maintain a contract with a back-up HHS-
certified laboratory for each biological specimen tested. While a 
contract with a primary laboratory performing testing on all donor 
specimens for a licensee or other entity is necessary, imposing a 
requirement that a back-up laboratory also be maintained under contract 
is unnecessarily restrictive, inconsistent with industry practice, and 
is not required for current licensees and other entities implementing 
an FFD program under part 26.
    A back-up HHS-certified laboratory typically conducts testing for a 
licensee or other entity only when a donor is determined to have 
violated the FFD policy based on a confirmed positive drug test result 
or a substituted or adulterated validity test result, and the donor 
requests retesting at a second laboratory to independently verify the 
accuracy of the initial laboratory's test result. Many current 
licensees and other entities implementing FFD programs under part 26 do 
not maintain a contractual relationship with a particular back-up 
laboratory and instead provide a donor with a list of all HHS-certified 
laboratories in the United States to choose from with respect to 
conducting additional testing on their specimen.
    Given the limited use of back-up laboratories by existing 
licensees, the Sec.  26.607(c)(4) contractual requirement would impose 
an unnecessary additional burden on future part 53 licensees and other 
entities that implement subpart M FFD programs and is inconsistent with 
the current HHS-certified laboratory contractual requirements that 
apply to part 50 and 52 licensees and other entities. The proposed 
change would reduce unnecessary regulatory burden and afford donors 
maximum flexibility in choosing the HHS-certified laboratory to perform 
additional testing on their specimens, in instances where follow-up 
testing is requested after an FFD policy violation has been determined.
(k) Licensee Testing Facilities
    The proposed rule would eliminate subpart F, ``Licensee Testing 
Facilities.'' Under subpart F, part 26 currently enables licensees to 
conduct initial drug and initial validity testing on urine specimens at 
a licensee testing facility (LTF), typically located at the power 
reactor site. Any specimen tested by an LTF that does not test negative 
or has a validity testing issue must be forwarded to an HHS-certified 
laboratory for additional testing.
    Historically, LTF testing was the preferred option for many FFD 
programs because of the quick turnaround time on negative drug test 
results, which enabled the timely in-processing of workers during 
outages. Use of LTFs, however, has steadily declined over time as HHS-
certified laboratories have greatly improved the turnaround times for 
reporting negative test results, and no licensee FFD programs currently 
use an LTF. Operating experience also demonstrates that future use of 
LTFs is unlikely given high operating costs, the increasing technical 
complexity of urine testing (e.g., drugs tested, cutoff levels used, 
validity tests performed), and the fact that LTFs can only test urine 
specimens.
    Eliminating the option for LTFs would improve regulatory 
effectiveness and efficiency by more closely aligning the part 26 drug 
testing program with the HHS and DOT testing programs, both of which 
require testing to be performed at HHS-certified laboratories. 
Eliminating subpart F would also simplify other part 26 requirements 
beyond subpart F, because numerous sections reference the use of an LTF 
or describe LTF-specific processes. Eliminating subpart F would also 
reduce the administrative burden on the NRC to maintain training 
programs and inspection procedures that accommodate LTF use.
    On December 3, 2025 (90 FR 55621), the NRC published a direct final 
rule to insert a conditional sunset provision into Sec.  26.121, 
``Purpose,'' and certain other regulations in response to E.O. 14270, 
``Zero-Based Regulatory Budgeting to Unleash American Energy'' (90 FR 
15643; April 15, 2025). The conditional sunset provision in Sec.  
26.121 provides that subpart F of part 26 will cease to have effect on 
January 8, 2027, unless the NRC, after considering public input on the 
costs and benefits of the
subpart, determines that the cessation deadline should be extended. The 
NRC is using this proposed rule to accelerate the sunsetting of subpart 
F by proposing to remove subpart F and make other conforming changes.
(l) Event Notification for Supervisor FFD Policy Violations
    The proposed rule would risk-inform the 24-hour reporting 
requirement in Sec.  26.719(b)(2) to notify the NRC of significant 
violations of a licensee's or other entity's FFD policy by supervisory 
personnel. Specifically, the proposed rule would focus this 
notification requirement on supervisors who direct the operation or 
maintenance of safety- or security-related SSCs or who direct the 
performance of security duties as specified in Sec.  26.4(a)(5).
    The timely reporting of information to the NRC is necessary to 
enable prompt regulatory action, if needed. Operating experience 
demonstrates that 24-hour notification of FFD policy violations for 
supervisors directing work activity that is not safety- or security-
significant is unnecessary. These violations would continue to be 
captured in the existing annual FFD program performance reporting 
requirements under Sec. Sec.  26.717, ``Fitness-for-duty program 
performance data,'' and 26.417(b)(2), which ensure that the NRC 
receives uniform and robust information on all FFD program violations. 
This risk-informed change would reduce unnecessary burden on licensees, 
other entities, and the NRC.
(m) Behavioral Observation Program
    The proposed rule would apply the same behavioral observation 
program (BOP) requirement to SAEs that already applies to MROs and MRO 
staff under Sec.  26.31(b)(1)(v). The change would make SAEs subject to 
BOP when onsite at a licensee or other entity's facility, removing the 
current distinction between MROs and MRO staff, who are subject to BOP 
when onsite, and SAEs, who are currently subject to BOP both onsite and 
offsite when they are providing services to an FFD program. SAE and MRO 
functions are typically, although not always, performed by the same 
medical professional. Under the current requirements, if a medical 
professional is both an MRO and an SAE for the same FFD program, that 
professional is not subject to BOP when performing services for the 
licensee from an offsite location. However, if that same professional 
only provided SAE services to a licensee, they would be subject to BOP 
at whatever location they provided services to that licensee's FFD 
program. This BOP distinction between MROs and SAEs poses an 
unnecessary burden on licensees and other entities that choose to use 
medical professionals that only provide SAE services. SAEs also 
typically provide services to FFD programs from locations other than a 
licensee's or other entity's facility, communicating with individuals 
by telephone or by video teleconference methods. Therefore, this change 
would reduce unnecessary regulatory burden on licensees and other 
entities that rely on SAEs that do not also provide services as MROs.
(n) Shy-Bladder Evaluation
    A shy-bladder evaluation is required under current Sec.  26.119, 
``Determining `shy' bladder,'' if a donor is unable to provide a urine 
specimen of adequate quantity for drug testing within the 3 hours 
permitted for a urine collection. A shy-bladder evaluation must be 
completed within 5 business days of the unsuccessful attempt and 
performed by a licensed physician that is acceptable to the MRO and has 
expertise in the medical issues raised by the donor's inability to 
provide a specimen for testing. The proposed rule would revise Sec.  
26.119(a) to extend the deadline to complete a shy-bladder evaluation 
from 5 business days to 10 business days if a justification acceptable 
to the MRO is provided by the donor.
    The purpose of a timely evaluation is to determine if a medical 
condition precluded the donor from providing a urine specimen for 
testing (e.g., end stage renal failure). If a medical condition is 
identified, then the MRO could request the collection of an alternative 
specimen for drug testing. If no medical condition is identified, then 
the donor is determined to have subverted the testing process by 
refusing to provide a urine specimen for testing. Under the current 
requirements, if a donor is unable to obtain a medical evaluation 
within 5 business days, the licensee would make a subversion attempt 
determination for a refusal to provide a specimen for testing and the 
individual would be permanently denied authorization under Sec.  26.75, 
``Sanctions.'' The proposed rule would reduce unnecessary regulatory 
burden by providing additional flexibility to accommodate potential 
challenges a donor may encounter in obtaining an appointment and 
completing the required shy-bladder evaluation by an appropriately 
qualified physician within 5 business days from the date of failing to 
provide a specimen for testing. Based on industry operating experience, 
the NRC anticipates that licensees would only exercise this flexibility 
on rare occasions, when necessary to address extenuating circumstances.
(o) Initial Drug Test Requirements
    The proposed rule would revise paragraph (1) of Sec.  26.167(d), 
``Quality control requirements for performing initial drug tests,'' in 
three ways. It would remove ``of urine'' from the phrase ``any initial 
drug test of urine performed by an HHS-certified laboratory,'' to 
clarify that the initial drug testing requirements apply to any 
specimen that is tested by an HHS-certified laboratory (i.e., urine or 
oral fluid under Sec.  26.83(b)). It would also remove the requirement 
that HHS-certified laboratories use an immunoassay ``that meets the 
requirements of the Food and Drug Administration for commercial 
distribution.'' Instead, Sec.  26.167(d)(1) would specify that the 
initial drug test may be an immunoassay or an alternate technology that 
is permitted for use in Federal workplace drug testing programs to 
align with changes to Section 11.10 of the HHS Guidelines (82 FR 7920; 
January 23, 2017). The proposed rule would also remove the prohibition 
that ``non-instrumented immunoassay testing devices that are pending 
HHS/SAMHSA [Substance Abuse and Mental Health Services Administration] 
review and approval may not be used for initial drug testing under this 
part.'' This prohibition is unnecessary because the requirements in 
Sec.  26.167(d)(1) are specific to testing performed at HHS-certified 
laboratories, which adhere to the testing requirements in the current 
version of the HHS Guidelines for the specimen(s) to be tested, unless 
otherwise directed under part 26. Reducing the prescriptive nature of 
the initial drug testing requirement would reduce unnecessary 
regulatory burden and ensure that licensees and other entities can 
benefit from the best testing approaches available at HHS-certified 
laboratories to identify drugs and drug metabolites. The proposed rule 
would also make conforming changes to Sec.  26.405(f) in subpart K.
(p) MRO Qualifications
    Under paragraph (a) of Sec.  26.183, ``Medical review officer,'' an 
MRO must be a physician holding either a Doctor of Medicine or Doctor 
of Osteopathy degree who is licensed to practice medicine by any State 
or Territory of the United States, the District of Columbia, or the 
Commonwealth of Puerto Rico. The proposed rule would revise Sec.  
26.183(a) to clarify that ``an equivalent foreign degree'' also would 
be acceptable. This clarification would ensure that physicians who have 
received their medical degrees from
medical schools outside the United States could still be considered 
qualified to serve as an MRO under part 26. This change would reduce 
unnecessary regulatory burden on licensees and other entities by 
allowing them to consider additional qualified physicians who may be 
able to provide services as an MRO.
(q) Review of Dilute Specimen Test Results
    The proposed rule would address inconsistencies in the requirements 
that apply to the review of dilute test results to clearly define the 
activities that must be performed by MROs and that may be performed by 
MRO staff.
    As currently written in Sec.  26.183(c), one of the 
responsibilities of the MRO is to review and interpret dilute test 
results, and Sec.  26.185(g)(2) and (4) specify how the MRO is to 
conduct the reviews of those results. For MRO staff, Sec.  
26.183(d)(2)(ii) limits the review of dilute test results to performing 
administrative functions (e.g., reviewing custody and control forms for 
errors). However, under Sec.  26.183(d)(2)(i), MRO staff under the 
direction of the MRO are permitted to ``receive, review, and report 
negative test results to the licensee's or other entity's designated 
representative.'' As currently written, the MRO must review all dilute 
test results (both positive and negative), which is inconsistent with 
the MRO review requirements for dilute test results under Sec.  
26.185(g)(2) and (4). Specifically, Sec.  26.185(g)(2) states that MRO 
review is required for ``positive and dilute'' specimen test results, 
and Sec.  26.185(g)(4) states that MRO review is not required for 
``negative and dilute'' specimen test results. A ``negative and 
dilute'' test result is not an FFD policy violation and is therefore 
acceptable for review by MRO staff under Sec.  26.183(d)(2)(i).
    The proposed rule would make changes to Sec.  26.183(c) and (c)(1), 
Sec.  26.183(d)(2)(ii) through (iv), and Sec.  26.185(b) by replacing 
``dilute'' with ``positive and dilute.'' The proposed rule would also 
make the conforming change of adding the term ``positive and dilute'' 
to Sec.  26.405(g). These changes would reduce unnecessary regulatory 
burden by addressing internal inconsistencies in the part 26 
requirements regarding the review of dilute positive and dilute 
negative validity test results.
(r) Clinical Evidence of Abuse Before Verifying Positive Results for 
Using Another Person's Prescription Medication
    The proposed rule would enable licensees to more efficiently 
address the misuse of controlled substances by individuals by allowing 
licensees to more readily address instances wherein an individual 
illegally uses a prescription medication that has not been prescribed 
to them.
    Currently, under Sec.  26.185(j)(3), if the MRO determines that a 
donor has used another individual's prescription medication and no 
clinical evidence of drug abuse is found during the required clinical 
examination, the MRO must report that the donor misused a prescription. 
However, under the current framework, this is not considered a positive 
test result. The MRO is to report an FFD policy violation for a 
confirmed positive test result only when clinical evidence of abuse 
also exists.
    Requiring the MRO to confirm a positive test result only if 
clinical evidence of drug abuse exists, even when the donor admits to 
using another individual's prescription medication and lacks a 
legitimate medical explanation, is inconsistent with the HHS Guidelines 
and DOT requirements. Specifically, under those programs, the MRO is to 
report a confirmed positive drug test result if a donor admits to 
unauthorized use of a drug or does not provide a legitimate medical 
explanation for the test result (i.e., a valid prescription, as 
specified in Section 13.5 of the HHS Guidelines for urine and oral 
fluid testing and in DOT's requirements in 49 CFR 40.137).
    The use of another person's prescription medication is prohibited 
by Federal law and is described in the HHS ``Medical Review Officer 
Manual for Federal Workplace Drug Testing Programs (effective February 
1, 2024).'' Specifically, the MRO Manual states that--

    Under no circumstances can prescriptions be legally transferred 
from a different individual to a donor in the event the donor 
exhausts his or her own prescription medication, even if the other 
individual's medication is identical and prescribed for the same 
medical condition (Controlled Substances Act Revised 2010, 
Pharmacist's Manual, Section VIII--Dispensing Requirements--Required 
Information for Prescription Labels). Federal Food and Drug 
Administration regulations [found in 21 CFR 290.5] require that the 
label of any drug listed as a ``controlled substance'' in Schedules 
II, III, or IV of the [Controlled Substances Act] must, when 
dispensed to or for a patient, contain the following warning: 
``CAUTION: Federal law prohibits the transfer of this drug to any 
person other than the patient for whom it was prescribed.''

    The proposed rule would eliminate the requirement in Sec.  
26.185(j)(3) to determine that clinical signs of abuse exist to report 
a positive test result as an FFD policy violation when a donor admits 
to using another individual's prescription medication. This proposed 
rule change would align with other Federal agency testing policies, 
would improve public health and safety and common defense and security 
by allowing licensees to more efficiently address known trustworthiness 
and reliability concerns, and would remove unnecessary regulatory 
burden, as a positive test result could be reported by an MRO after a 
discussion with the donor (i.e., without the need to perform a clinical 
evaluation).
(s) SAE Credential--State-Licensed or -Certified Marriage and Family 
Therapists
    The proposed rule would add a State-licensed or -certified marriage 
and family therapist (MFT) to the list of credentials that would 
qualify individuals to serve as an SAE under Sec.  26.187(b). This 
action would address the PRM docketed as PRM-26-4.
    To be a State-licensed or -certified MFT requires a master's or 
doctoral degree, supervised clinical experience, and successful 
completion of the national examination conducted by the American 
Association for Marriage and Family Therapy Regulatory Board. Many 
programs accredited by the Commission on Accreditation of Marriage and 
Family Therapists have ``substance abuse'' knowledge as part of their 
core curriculum requirements in their graduate studies. Potential 
candidates can sit for the examination only after their credentials 
have been examined and found to meet the education and experience 
requirements for licensure or certification in their respective States. 
In 2006, the DOT added State-licensed or -certified MFTs to its list of 
credentialed professionals eligible to serve as substance abuse 
professionals under 49 CFR 40.281(a) (71 FR 49382; August 23, 2006).
    Updating the Sec.  26.187(b) SAE credential list to include State-
licensed or -certified MFTs would be consistent with the approach taken 
by the NRC when it established the SAE requirements in the 2008 part 26 
final rule. In the 2008 part 26 final rule, the NRC stated that it had 
adapted many of the SAE provisions from the DOT requirements regarding 
substance abuse professionals under 49 CFR part 40, subpart O.

[[Page 38937]]

    This proposed change would reduce unnecessary regulatory burden by 
allowing licensees and other entities to consider additional qualified 
individuals who may be able to provide SAE services.
(t) SAE Credential--Certified Addiction Specialist by the American 
Academy of Health Care Providers in Addictive Medicine
    The proposed rule would address a PRM (PRM-26-7) that requested 
that the ``Certified Addiction Specialist'' (CAS) certification from 
the American Academy of Health Care Providers in the Addictive 
Disorders (the Academy) be added to the list of acceptable credentials 
to serve as an SAE under Sec.  26.187(b)(5). In a supplement to its 
petition to the NRC dated August 3, 2011 (ML11256A020), the Academy 
stated that it was in the process of preparing a petition to request 
that the DOT add the CAS certification to the substance abuse 
professional credentials in 49 CFR 40.281(a). As of the issuance of 
this proposed rule, however, the CAS credential does not appear on the 
DOT's approved credentials list in 49 CFR 40.281(a), and the NRC has 
not received any additional information to support the Academy's 
petition. Furthermore, the NRC evaluated publicly available information 
regarding the CAS credentialing process and determined that, while the 
training and education requirements are similar to those in place for 
credentials currently accepted in accordance with NRC requirements, the 
Academy did not provide adequate information on the examination process 
associated with the CAS credential. Based on this evaluation, the NRC 
determined that there is insufficient information available to support 
adding the CAS certification to the list of acceptable credentials. The 
proposed rule, therefore, would not incorporate the CAS certification 
into Sec.  26.187(b)(5).
(u) Face-to-Face for-Cause Determinations of Fitness
    The proposed rule would remove the prohibition on the use of 
electronic means to perform face-to-face for-cause determinations of 
fitness under Sec.  26.189(c), because video technology has advanced 
significantly since the creation of the Sec.  26.189(c) requirement in 
the 2008 part 26 final rule.
    Video teleconference technology is already being used by some 
clinicians to complete other NRC-required evaluations, such as 
performing psychological assessments under the personnel access 
authorization requirements in Sec.  73.56(e)(4) or determinations of 
fitness performed under Sec.  26.189(b) when potentially disqualifying 
FFD information is discovered about individuals subject to part 26.
    The proposed rule would specify that if video teleconference 
technology is used by a professional to conduct a face-to-face 
determination of fitness for a for-cause drug and alcohol testing 
determination under Sec.  26.31(c)(2) or a fatigue assessment performed 
for cause under Sec.  26.211(a)(1), then the determination must be 
supported by an individual who is in the room with the person being 
evaluated. A supporting person would be necessary in these 
circumstances to ensure that the professional performing the 
determination of fitness is provided with contemporaneous information 
that can only be obtained in the location where the person is being 
assessed (e.g., sensory information such as the smell of alcohol on an 
individual's breath or an aspect of the individual's physical condition 
that is not ascertainable by video teleconference). The proposed rule 
would specify that the supporting person must have received training on 
the FFD program under Sec.  26.29, which includes the ``ability to 
observe and detect performance degradation, indications of impairment, 
or behavioral changes.'' All individuals subject to a licensee's or 
other entity's FFD program must complete this training.
    Eliminating the prohibition on the use of electronic communications 
to perform face-to-face determinations of fitness would reduce 
unnecessary regulatory burden and could improve the speed at which 
these determinations are made.
(v) Post-Event Testing Terminology
    The proposed rule would make a conforming change to terminology 
used in Sec.  26.405(c)(3) that applies to FFD programs implemented 
under subpart K of part 26. Specifically, the proposed rule would 
replace ``post-accident'' with ``post-event'' and ``accident'' with 
``event.'' The term ``post-event'' is used in FFD program requirements 
under subpart M of part 26. The term ``post-event'' is also used in NRC 
Forms 890, ``Single Positive Test Form,'' and 891, ``Annual Reporting 
Form for Drug and Alcohol Tests,'' which licensees and other entities 
have used to submit FFD program performance data to the NRC under Sec.  
26.417(b)(2).
(w) Clarification of Subpart K FFD Program Applicability to Individuals 
Directing the Construction of Safety- or Security-Related SSCs
    The proposed rule would clarify the provisions of Sec.  26.419, 
``Suitability and fitness evaluations,'' for individuals who direct the 
construction of safety- or security-related SSCs in subpart K FFD 
programs to ensure that licensees are able to assign duties to those 
individuals in accordance with FFD program requirements.
    Section 26.4(f) requires that individuals constructing or directing 
the construction of safety- or security-related SSCs be subject to a 
subpart K FFD program (or an FFD program that meets all the 
requirements of part 26, except for subparts I, K, and M). Furthermore, 
in the 2008 part 26 final rule, the Commission stated that Sec.  26.419 
``requires licensees and other entities who implement FFD programs 
under subpart K to develop, implement, and maintain procedures for 
evaluating whether to assign individuals to the duties specified in 
Sec.  26.4(f).'' However, the rule text of Sec.  26.419 only includes 
provisions for assigning duties to ``individuals to construct safety- 
and security-related SSCs,'' but does not currently include such 
provisions for the individuals directing those activities. As such, the 
NRC is proposing to include in Sec.  26.419 individuals directing the 
construction of safety- or security-related SSCs to provide clarity and 
maintain consistency with Sec.  26.4(f) and the intent of the 2008 part 
26 final rule.
(x) Terminology Clarification for Construction FFD Programs
    The proposed rule would make a conforming change to the terminology 
used in Sec.  26.401(b), revising the term ``entities'' to ``licensees 
and other entities.'' This administrative revision would provide 
consistency in the use of the terminology across part 26, subpart K.
(ii) Fatigue Management
(a) Temporary Relief From Work Hour Controls
    The NRC is proposing to add a new exception from the work hour 
controls in Sec.  26.205(c) and (d) during sequestration events as an 
alternative to licensees needing to grant waivers. This new exception 
in Sec.  26.207(e) would address sequestration events during which 
licensee personnel remain on-site at the facility due to unavoidable 
external conditions (e.g., a severe weather event, public health 
emergency, or failure of local infrastructure) that could affect safe 
and secure plant operation. Part 26 currently contains exceptions for 
plant emergencies and other limited circumstances but does not account 
for conditions in which personnel may be required to remain on

[[Page 38938]]

site due to unavoidable external circumstances.
    Under the proposed rule, during such events, licensees would be 
able to implement alternative fatigue management controls for up to 60 
days, consistent with those authorized by the NRC during the COVID-19 
public health emergency (e.g., NRC Letter, ``Quad Cities Nuclear Power 
Station, Units 1 and 2--Exemption from Select Requirements of 10 CFR 
part 26 (EPID L-2020-LLE-0018 [COVID-19]),'' dated April 8, 2020). If a 
licensee were to use this exception and need to extend the alternative 
controls beyond 60 days, the licensee would need to submit an exemption 
request. The addition of the sequestration exception would provide a 
less burdensome alternative to waivers or exemption requests during 
sequestration events.
(b) Annual Fatigue Reporting
    The NRC is proposing to eliminate the requirement in Sec.  
26.203(e) and Sec.  26.717(b)(9) for licensees to provide annual 
reports of waivers and fatigue management program information to the 
NRC. In addition, the NRC is proposing to eliminate the same 
requirement for subpart M FFD programs in Sec.  26.202(e). Annually, 
the FFD performance reports have included limited instances when 
waivers to the work hour controls were issued, with the trends 
decreasing in the years since the requirements were first implemented 
in 2009, demonstrating the successful implementation of the work hour 
controls to mitigate fatigue. While no longer submitted in an annual 
report, the associated records would continue to be maintained by 
licensees in accordance with Sec.  26.203(d) and would be available for 
NRC inspection or review as needed. The elimination of the reports 
would reduce burden on licensees and would also save NRC resources 
associated with the receipt and maintenance of these records.
(c) Expanding the Applicability of Remote Assessments
    The NRC is proposing changes to Sec. Sec.  26.207(a)(1)(ii) and 
26.211(b) to allow additional licensees to use electronic 
communications to perform face-to-face assessments to support the 
approval of work hour control waivers and to conduct fatigue 
assessments. Under the current provisions, only licensees and other 
entities under 10 CFR part 53, as specified in Sec.  26.3(f), can use 
electronic communications for these purposes. The proposed changes 
would expand the option of using electronic communications to other 
types of NRC licensees specified in Sec.  26.3(a), (c), and (d). The 
provisions would continue to indicate that supervisors may conduct such 
assessments from a remote location under appropriate circumstances, and 
that such remotely conducted assessments need to be supported by 
someone who is present in-person with the individual being assessed and 
who is trained in accordance with the requirements of either Sec. Sec.  
26.29 and 26.203(c), or Sec. Sec.  26.608 and 26.202(c).
    The reasoning for these changes and the associated need for in-
person support to augment electronic communications is addressed 
further in the discussion of the proposed changes to Sec.  26.189(c) in 
Section IV.A.(i)(u) of this document.
(iii) Changes to Definitions in Part 26
    The proposed rule would add two new definitions, revise five 
definitions, and remove four definitions in Sec.  26.5. The additions, 
revisions, and removals would improve the clarity, consistency, and 
accuracy of the requirements under part 26. Specifically, this proposed 
rule would add definitions for ``Escort'' and ``Sequestration event.'' 
In conjunction with another proposed rule change to remove subpart F, 
``Licensee Testing Facilities,'' this proposed rule would revise 
definitions for ``Analytical run,'' ``Cancelled test,'' ``Cutoff 
level,'' ``Positive result,'' and ``Rejected for testing''; and remove 
definitions for ``Licensee testing facility,'' ``Questionable 
validity,'' ``Validity screening test,'' and ``Validity screening test 
lot.''
    A definition for ``Escort'' would be added, defining the term to 
mean a person who is designated by the licensee or other entity to be 
responsible for directly observing an individual who has been assigned 
to perform duties and responsibilities or maintain the type of access 
described in Sec.  26.4(f) but is not subject to the requirements in 
part 26.
    A definition for ``Sequestration event'' would be added, defining 
the term to mean a situation in which personnel remain on-site at a 
nuclear power reactor due to unavoidable external conditions that pose 
a risk to the safe, secure, and continuous operation of the facility.

B. Security Requirements for Independent Spent Fuel Storage 
Installations (ISFSIs) (Parts 72 and 73)

    An ISFSI is a complex designed for the safe storage of power 
reactor spent nuclear fuel and certain other radioactive materials. 
These installations use robust storage systems, such as dry casks, that 
securely contain and shield the radioactive material until it can be 
disposed of in the future, allowing licensees to store this material 
safely on site or at standalone storage locations. The security risk 
profile of an ISFSI is reduced from that of an operating nuclear power 
reactor due to the absence of a fueled reactor and the placement of all 
spent fuel into these robust storage systems. This configuration 
eliminates reactor-related target sets and significantly lowers the 
potential consequences of radiological sabotage.
    There are two main types of ISFSIs regulated by the NRC: general 
license ISFSIs and specific license ISFSIs. A general license ISFSI is 
operated by a nuclear power plant licensee under a general license 
provided in NRC regulations. Section 72.210, ``General license 
issued,'' states that a general license for an ISFSI is issued to 
persons authorized to possess or operate nuclear power reactors under 
10 CFR part 50, part 52, or part 53. A nuclear power plant licensee 
does not need to apply for a separate, stand-alone license for the 
ISFSI. In contrast, a specific license ISFSI is authorized through a 
separate, detailed licensing process that is independent from the 
nuclear power reactor license. Although both types of ISFSIs must meet 
NRC safety and security standards, there are differences in the 
licensing approach and in some of the security requirements that 
currently apply to each type.
    The proposed requirements for ISFSI security would enhance 
consistency and regulatory clarity between general and specific license 
ISFSIs. Licensees operating general license ISFSIs that are not 
collocated with an operating reactor would have the option to provide 
physical protection under the same requirements that apply to specific 
license ISFSIs. These changes would provide consistency for similarly 
situated ISFSIs, while reducing the burden of submitting exemption and 
alternative measure requests.
    Additionally, this proposed rule would extend the time associated 
with submitting ISFSI security plan changes to the NRC. The frequency 
required for the submission of security plan changes would be modified 
to reduce the licensee burden that is associated with security plan 
revisions.
(i) Security Requirements for ISFSIs Located Outside a Reactor's 
Protected Area
    The proposed rule would include changes addressing security 
requirements for ISFSIs located either outside the protected area (PA) 
of an operating reactor or within the PA of a decommissioning reactor 
for which all

[[Page 38939]]

spent fuel at the site has been placed in dry storage.
    Some ISFSIs are located within the same PA as an operating reactor. 
Other ISFSIs are located in a separate PA because either the reactor 
with which an ISFSI was originally collocated has gone into 
decommissioning or the ISFSI was constructed with a separate PA. The 
proposed changes to parts 72 and 73 of the NRC's regulations would 
allow licensees with ISFSIs in this latter category the option to 
implement security requirements that are designed specifically for 
ISFSIs. With regard to ISFSIs adjacent to decommissioning reactors, 
the proposed changes are consistent with those in SECY-24-0011, ``Final 
Rule: Regulatory Improvements for Production and Utilization Facilities 
Transitioning to Decommissioning,'' dated January 31, 2024, which is 
currently being considered by the Commission.
    This proposed rule would revise Sec.  72.212(b)(9) to allow general 
license ISFSIs the option to develop and implement their physical 
protection programs in accordance with Sec.  73.51, ``Requirements for 
the physical protection of stored spent nuclear fuel and high-level 
radioactive waste,'' instead of Sec.  73.55, ``Requirements for 
physical protection of licensed activities in nuclear power reactors 
against radiological sabotage.'' This change would align the physical 
protection requirements of general license ISFSIs and specific license 
ISFSIs for separate protected areas constructed outside the PA of an 
existing operating reactor, or during decommissioning, once all spent 
fuel at the site has been placed in dry storage. This change would be 
appropriate because the security requirements in Sec.  73.51 are 
designed for and provide security appropriate to the reduced risk level 
of ISFSIs as compared to nuclear power plants, which are subject to 
Sec.  73.55. This change would reduce the regulatory burden on current 
and future licensees by offering the increased flexibility provided 
under Sec.  73.51. In particular, licensees that choose to transition 
to Sec.  73.51 would no longer be required to implement protection 
measures against the design basis threat or comply with the associated 
requirements outlined in Sec.  73.55.
    The proposed rule also includes conforming changes to Sec. Sec.  
72.13, ``Applicability,'' and 73.51 to clarify the applicability of the 
security requirements that are found in part 72, subpart H, ``Physical 
Protection,'' to general license ISFSIs. Currently, these licensees 
need to submit alternative measures or exemption requests from certain 
Sec.  73.55 requirements to allow for the implementation of security 
requirements that are consistent with the risk profile for their 
facilities. The proposed change would eliminate the need to submit 
alternative measures or exemption requests. Licensees that elect to 
implement the new proposed regulatory requirements would provide a 
revised security plan through the process described in paragraph (p)(2) 
of Sec.  50.54, ``Conditions of licenses.''
    ISFSIs that are within an operating reactor PA would still be 
required to implement Sec.  73.55, consistent with the physical 
protection program for the reactor, with the specific exceptions in 
Sec.  72.212(b)(9). Additionally, licensee physical protection programs 
would be required to continue to address the terms of any applicable 
security-related orders associated with either a general or specific 
license ISFSI.
(ii) Submittal of Security Plan Changes
    The proposed rule would extend the time associated with the 
requirement to submit ISFSI security plan changes to the NRC under 
paragraph (e) of Sec.  72.44, ``License conditions,'' and paragraph (b) 
of Sec.  72.186, ``Change to physical security and safeguards 
contingency plans.'' Instead of submitting to the Commission a report 
containing a description of each change within two months after the 
change is made, licensees would have to submit the report within 12 
months after the change is made. This revision would reduce the 
licensee burden that is associated with security plan revisions. The 
extension would also maintain safety and security because it would be 
limited to reports of changes that would not decrease the effectiveness 
of the plans.

C. Physical Security Requirements (Part 73)

    Under this proposed rule, the security regulations for the physical 
protection of plants and materials under 10 CFR part 73, along with 
their associated guidance documents, would be revised to reduce 
unnecessary burdens and respond to credible risks--as directed in E.O. 
14300, section 5(g)--to support efficiencies in licensing and 
oversight. Where possible, prescriptive requirements would be replaced 
with more performance-based requirements to streamline, clarify, and 
modernize the current regulations, thus increasing flexibility for 
current and future licensees and facilitating the increased deployment 
of new civilian nuclear reactor technologies, consistent with section 
2(b) of E.O. 14300.
    This proposal covers updates across various elements of part 73, 
including physical protection, security training, access authorization, 
and cybersecurity for power reactors; transmittal of safeguards 
information (SGI); special nuclear material security; records; and 
definitions. This proposal also incorporates changes to part 73 
intended to address industry concerns from the 2023 Enhanced Weapons 
final rule, the consideration of law enforcement support to licensee 
security programs, and certain aspects of the draft final 
decommissioning rule in SECY-24-0011.
(i) Power Reactor Physical Protection Program
    The proposed changes to Sec.  73.55, as well as appendices B, 
``General Criteria for Security Personnel,'' and C, ``Licensee 
Safeguards Contingency Plans,'' to part 73, would support the agency's 
mission to enable the safe and secure use and deployment of civilian 
nuclear energy technologies and would reduce unnecessary burden on 
current and future licensees.
    This proposed rule would provide licensees with increased 
flexibility in implementing their physical protection programs by 
incorporating performance-based requirements and, where appropriate, 
allowing for specific alternatives. The proposed alternatives would 
most likely be available to non-light water reactor designs that 
incorporate security by design and engineered safety or security 
features.
    For the existing light-water reactor fleet, the proposed revision 
of the security requirements would eliminate certain prescriptive 
requirements that are more appropriately addressed in regulatory 
guidance and in some instances are no longer necessary for the 
implementation of the physical protection program.
    This proposed rule would establish a revised performance objective 
that applies a risk-informed approach that would continue to provide 
reasonable assurance that activities involving special nuclear material 
are not inimical to the common defense and security, and do not pose an 
unreasonable risk to public health and safety.
    Existing licensees that are in compliance with Sec.  73.55 as of 
the effective date of publication of the final rule, if this proposed 
change is made effective in a final rule, would also be in compliance 
with the proposed revisions to the regulations and would not be 
required to modify their current physical protection programs. However, 
existing licensees would be able to voluntarily adopt the proposed

[[Page 38940]]

alternative methods of compliance and take advantage of the increased 
flexibility in implementing the requirements of Sec.  73.55.
    This proposal builds on previous efforts to risk-inform physical 
security regulations by shifting from prescriptive to performance-based 
requirements to allow for the use of technology-neutral alternatives 
(e.g., security and safety features) in the implementation of Sec.  
73.55. The core performance-based criteria for implementing licensees' 
physical protection programs would remain unchanged because these 
programs would continue to be required to detect, assess, interdict, 
and neutralize threats.
    The proposed amendments would revise Sec.  73.55 and appendices B 
and C to 10 CFR part 73 to enhance requirements for physical 
protection, power reactor security training, and contingency response. 
Specifically, the proposed revisions should provide increased 
flexibility in the implementation of security, training, and response 
measures. This would be accomplished by modifying the performance 
objective, using performance-based requirements, and using voluntary 
alternatives that allow for the use of technology and engineered 
design features.
    The proposed requirements would adopt technology-inclusive 
approaches to provide the necessary regulatory flexibility for 
licensing and regulating multiple categories of nuclear reactor 
technologies and designs. A technology-inclusive approach to security 
requirements would provide greater flexibility in both the design and 
implementation of physical protection programs. Licensees and 
applicants using this approach could integrate security considerations 
into the safety design process, enabling the effective implementation 
of security measures through the use of both design-based and 
engineered security features. This approach could enable safety and 
security functions to work collaboratively in the implementation of the 
physical protection program. Additionally, the proposed technology-
inclusive approach would allow for the increased use of technology by 
licensees to implement security measures for the protection of a 
facility, providing greater operational flexibility.
(a) High Assurance
    The general performance objectives throughout part 73 would be 
revised to reflect the Commission's decision on the concept of ``high 
assurance'' as it relates to licensee physical protection programs. In 
SRM-SECY-16-0073, ``Staff Requirements--SECY-16-0073--Options and 
Recommendations for the Force-on-Force Inspection Program in Response 
to SRM-SECY-14-0088,'' dated October 5, 2016, the Commission determined 
that the concept of ``high assurance'' in security regulations is 
functionally equivalent to ``reasonable assurance'' used in safety 
contexts and that security regulations should not be applied using a 
``zero risk'' mentality. Therefore, the proposed rule would revise the 
regulations in Sec. Sec.  73.20(a), 73.22(f)(3), 73.51(b)(1), 73.54(a), 
73.55(b)(1), and 73.56(c) to use the term ``reasonable assurance'' in 
place of ``high assurance.''
(b) Significant Core Damage and Spent Fuel Sabotage
    The performance objective in Sec.  73.55(b)(3) would be revised 
from specifically protecting against significant core damage and spent 
fuel sabotage to a broader goal of preventing a release of 
radionuclides from any source that exceeds the dose reference values 
defined in Sec.  50.34(a)(1)(ii)(D)(1) and (2), Sec.  
52.79(a)(1)(vi)(A) and (B), or Sec.  53.210, as applicable. This shift 
would emphasize radiological sabotage in general, rather than focusing 
solely on core damage or spent fuel scenarios. The existing fleet of 
light-water reactors would be in compliance with this proposed 
performance objective by continuing to prevent significant core damage 
and spent fuel sabotage. The revised objective would be technology-
inclusive, providing flexibility to accommodate multiple categories of 
nuclear reactor technologies and designs, including those that may not 
have conventional cores.
(c) Achievable Target Sets
    This proposed rule would introduce a revised set of requirements in 
Sec.  73.55(f), ``Target sets,'' that adopts a risk-informed, 
technology-inclusive, and graded approach through the identification of 
achievable target sets. Licensees that voluntarily elect to implement 
the revised performance objective would need to perform an analysis to 
identify the necessary plant equipment, operator actions, mitigative 
measures, detection capabilities, assessment processes, and armed 
response needed to identify the achievable target sets for the site's 
physical protection program, which must be designed to prevent a 
radionuclide release from exceeding the dose reference values specified 
in Sec.  50.34(a)(1)(ii)(D)(1) and (2), Sec.  52.79(a)(1)(vi)(A) and 
(B), or Sec.  53.210, as applicable, to protect against the design 
basis threat of radiological sabotage as stated in Sec.  73.1.
    Achievable target sets would be identified through a site-specific 
analysis. Achievable target sets would include those that are within 
the capabilities of the design basis threat adversary to compromise, 
destroy, or render non-functional; cannot be mitigated after adversary 
interference is precluded and prior to a release of radionuclides 
exceeding the dose reference values defined in Sec.  
50.34(a)(1)(ii)(D)(1) and (2), Sec.  52.79(a)(1)(vi)(A) and (B), or 
Sec.  53.210, as applicable; and, if defeated, result irreversibly in 
exceedance of the dose reference values defined in Sec.  
50.34(a)(1)(ii)(D)(1) and (2), Sec.  52.79(a)(1)(vi)(A) and (B), or 
Sec.  53.210, as applicable.
    Under this framework, licensees would determine the applicability 
of Sec.  73.55 as follows:
     If a licensee could demonstrate that no achievable target 
sets exist, and would not credit any active measures (e.g., operator 
action, mitigative action, detection, assessment, armed response), then 
the licensee would be exempt from the remaining requirements of Sec.  
73.55. The requirements of 10 CFR part 26; 10 CFR part 37, ``Physical 
Protection of Category 1 and Category 2 Quantities of Radioactive 
Material''; and Sec. Sec.  73.21, ``Protection of Safeguards 
Information: Performance requirements,'' 73.22, ``Protection of 
Safeguards Information: Specific requirements,'' 73.23, ``Protection of 
Safeguards Information--Modified Handling: Specific requirements,'' 
73.54, ``Protection of digital computer and communication systems and 
networks,'' 73.56, ``Personnel access authorization requirements for 
nuclear power plants,'' and 73.67 would need to be implemented as 
applicable.
     If a licensee could demonstrate that no achievable target 
sets exist, and would credit active measures in making that 
demonstration, then the licensee would be required to implement the 
applicable requirements of Sec.  73.55 through its physical security 
plan, training and qualification plan, safeguards contingency plan, and 
cybersecurity plan. Licensees that would rely on active measures could 
limit the scope of their physical protection program by ensuring that 
the credited active measures will be implemented when needed in 
response to threats.
     If a licensee could demonstrate that achievable target 
sets exist, then the licensee would be required to implement the 
requirements of Sec.  73.55 through its physical security plan,

[[Page 38941]]

training and qualification plan, safeguards contingency plan, and 
cybersecurity plan.
(d) Prescriptive Requirements Revised to Performance-Based Requirements
    The current physical security requirements use a combination of 
performance criteria (e.g., protection against the design basis threat 
for radiological sabotage as stated in Sec.  73.1) and numerous 
prescriptive requirements to implement a physical protection program to 
achieve the current performance objective. In this performance-based 
proposed rule, physical security would be implemented through 
performance criteria to meet the general performance objective, thus 
giving the licensee flexibility to determine how to meet the 
established performance criteria for an effective physical protection 
program. The proposed rule would remove a number of prescriptive 
requirements while preserving the effectiveness of the physical 
protection program framework. Power reactor physical protection 
programs would continue to address each of the programmatic functions 
of the overall physical protection program (e.g., detection and 
assessment, delay barriers, armed response, etc.) to meet the 
performance objectives of 10 CFR 73.55 to protect against the design 
basis threat of radiological sabotage. For new applicants, the NRC 
would evaluate the measures an applicant proposes to use to meet the 
performance criteria and the general performance objective through the 
NRC's review and approval of the physical security plan. For existing 
licensees who make changes to their physical protection programs based 
on the revised performance criteria, the NRC would verify the adequacy 
of the licensee's measures through inspection.
1. Physical Barriers
    Prescriptive physical barrier requirements in current Sec.  
73.55(e) would be revised to remove the details concerning the specific 
considerations and criteria for each barrier, including isolation 
zones. Isolation zones have been removed from the requirements to 
provide greater flexibility for licensee programs implementing 
detection measures. In certain conditions, these clear areas are not 
necessary to meet detection and assessment requirements due to site-
specific configurations. Additionally, advancements in detection and 
assessment technologies have significantly reduced, or eliminated, the 
need for clear areas to identify unauthorized access into protected 
areas. The proposed rule would continue to require licensees to detect 
attempted or actual penetrations using detection and assessment 
equipment capable of meeting the performance objectives outlined in 10 
CFR 73.55(b).
    These specifics would be retained in guidance as voluntary 
considerations for licensee physical protection programs. Licensees 
would still be required by proposed Sec.  73.55(e)(1) to ensure that 
physical barriers are sufficient to meet the performance criteria 
(e.g., detect, delay, and deter) and performance objective for their 
intended function.
2. Access Control Measures
    Access control measures in current Sec.  73.55(g) would be revised 
to remove the prescriptive requirements regarding access to different 
areas of a facility. These specifics would be retained in guidance as 
voluntary considerations for licensee physical protection programs. 
Licensees would still be required by proposed Sec.  73.55(g)(1) to 
ensure that their access control measures meet the performance criteria 
(e.g., restricts unauthorized access and implements verification 
measures) and performance objective.
3. Search
    The specific methods for how vehicles, materials, and personnel are 
searched in current Sec.  73.55(h) would be revised with performance 
criteria applicable to searches conducted in various areas (e.g., owner 
controlled and protected areas) of licensee facilities. Under proposed 
Sec.  73.55(h), licensees would have the flexibility to determine the 
search method(s) used to meet the performance criteria for conducting 
searches.
4. Detection and Assessment
    Prescriptive detection and assessment requirements in current Sec.  
73.55(i) would be revised to allow licensees the flexibility to use 
technology for surveillance and illumination to meet the performance 
criteria to detect and assess at all times. Advanced technology systems 
provide flexible capabilities to licensees offering superior detection 
range, accuracy, and reliability compared to human observation under 
0.2 foot-candle illumination. Replacing a prescriptive lighting level 
with a technology-based detection strategy aligns with the performance-
based approach. Because modern technologies provide detection and 
assessment capabilities that meet or exceed those enabled by the 
historical lighting and surveillance requirements, the overall security 
posture would continue to satisfy the standard of reasonable assurance 
of adequate protection against radiological sabotage. This proposed 
change would support the effective implementation of the licensee's 
protective strategy by allowing site-specific applications that align 
with the licensee's facility layout and operational needs.
5. Response Requirements
    Current requirements in Sec.  73.55(k) identify the minimum number 
of ten armed responders to implement a site's protective strategy to 
meet the performance objective to protect against the design basis 
threat of radiological sabotage. The proposed rule would remove this 
prescriptive number, allowing licensees flexibility to determine the 
minimum number of armed responders necessary to implement the site 
protective strategy and respond to the design basis threat of 
radiological sabotage. The proposed requirements would continue to 
allow licensees to use armed responders and armed security officers to 
form an armed response team to meet response requirements. The proposed 
rule would add an alternative in Sec.  73.55(k)(5) for current and 
future licensees that voluntarily elect to rely partially or solely on 
law enforcement or other offsite armed response personnel to meet the 
response requirements for their facilities. Licensees that rely solely 
on law enforcement or offsite armed responders would be required to 
obtain prior Commission approval before using these entities to meet 
the site response requirements.
6. Safety/Security Interface
    The NRC proposes to remove Sec.  73.58, ``Safety/security interface 
requirements for nuclear power reactors,'' from part 73 to streamline 
requirements and to eliminate rule text that provides a level of detail 
more appropriate for guidance. A performance-based requirement for 
safety/security interface would be added to Sec.  73.55(l)(1). The 
proposed safety/security interface requirement would require licensees 
to evaluate and manage changes to safety and security activities to 
prevent or mitigate potential adverse effects that could impact plant 
safety or security at power reactors.
    The current requirements in Sec.  73.55(l) regarding physical 
protection for reactor facilities using mixed-oxide (MOX) fuel would be 
removed. These provisions have never been applied to any applicant or 
licensee.
7. Security Program Reviews
    The prescriptive requirements for conducting a security program 
review at a periodicity of every 24 months in

[[Page 38942]]

current Sec.  73.55(m) would be revised to allow a licensee to conduct 
risk-based security reviews that are commensurate with the importance 
or significance to the safety of plant operations.
(e) Flexibility in Implementing an Acceptable Physical Protection 
Program
    The proposed rule would revise Sec.  73.55 to be more technology-
inclusive. Designed-in features, structures, systems, and components, 
as well as engineered and administrative controls, could be used to 
provide flexibility in implementing an acceptable physical protection 
program for different reactor designs.
(f) Alternatives
    In several areas of the proposed requirements, licensees would be 
provided with voluntary alternatives to existing regulations to achieve 
the required performance objectives. These alternatives would be 
technology neutral (i.e., to address various approaches to plant SSCs, 
designs, and technology). The voluntary alternatives might not be 
suitable for a licensee to implement in all cases; therefore, in 
determining the use of the voluntary alternatives, licensees would be 
required to complete a site-specific analysis to determine if their 
plant design and physical protection program would meet the applicable 
proposed requirements and the overall performance objective of 
reasonable assurance of adequate protection against threats up to and 
including the design basis threat of radiological sabotage. The NRC has 
provided draft regulatory guidance that describes some acceptable 
methods to meet the proposed alternatives. Voluntary alternatives have 
been proposed for the security organization, bullet resistant barriers, 
Performance Evaluation Program, physical barriers, and response 
requirements. In addition to the alternatives specifically provided for 
in the regulations, licensees would be able to continue to propose 
alternative measures under the provisions of Sec.  73.55(r), 
``Alternative measures.''
    Licensees that retain their current physical protection program 
would be able to elect to change their security plans and implementing 
procedures to reference the new proposed regulatory requirements 
through the Sec.  50.54(p) process.
(g) Appendix B to Part 73
    The NRC proposes to revise the general criteria for security 
personnel in 10 CFR part 73, appendix B, to address the minimum age for 
employment, for the use of a qualified training instructor for the 
attestation of training documentation, and to provide flexibility for 
the use of a nationally recognized course of fire for all weapons 
identified in this appendix. For the security training that is outlined 
in appendix B, sections I through VI, the majority of prescriptive 
requirements would be removed. The requirements for suitability would 
be streamlined for all security personnel that are identified in 
appendix B to part 73. Also, the NRC proposes changes to the training 
for power reactor licensees in the implementation of licensee 
Performance Evaluation Programs. The proposed rule would reduce the 
required frequency of tactical response drills from four per year to 
two per year. In addition, the requirement for each member of each 
shift to participate in one force-on-force exercise annually would be 
modified to once every three years. The proposed modifications to the 
performance evaluation program reflect that licensees have mature, 
established training programs that have consistently demonstrated that 
licensee security forces maintain the knowledge, skills, and abilities 
for effective contingency response. Tactical response drills would 
continue to be based on target set scenarios and would provide a 
practical demonstration of defense against specific design basis threat 
attributes. The proposed adjustment to the frequency of participation 
in the licensee's full-scale force-on-force exercises recognizes that 
full-scale exercises are the most resource intensive to conduct. While 
valuable, this activity is only one component of a comprehensive 
performance evaluation program. This proposed change recognizes that 
the broader performance evaluation program is sufficiently robust 
without relying on annual force-on-force participation. On an annual 
basis, licensees would conduct at least one fully integrated force-on-
force exercise to test the protective strategy as a whole. The 
licensee's performance evaluation program would continue to ensure that 
any degradation in security force member performance and potential 
protective strategy deficiencies would be identified and corrected 
through the corrective action program. Additionally, several 
prescriptive training requirements would be removed from appendix B to 
part 73 (e.g., range activities periodicity, written exams, required 
courses of fire, and on-the-job training hours). Removing these 
prescriptive elements would not eliminate these training areas from the 
licensee's training and qualification program; rather, it would provide 
licensees with increased flexibility to design and implement training 
that more directly supports their operational needs. In place of the 
prescribed range activity periodicity and courses of fire, the 
regulations would require licensees to ensure security officers have 
the appropriate types of weapons training at frequencies that ensure 
the proper handling of firearms with the accuracy that is necessary to 
implement the use of assigned weapons. This approach allows for 
flexibility in scheduling and allows the licensee to use performance 
data to determine the appropriate type of training and intervals, thus 
reducing administrative burden and providing for more efficient 
allocation of resources. With regard to written exams, such exams are 
only one method of evaluating security force knowledge. The proposed 
removal of required written exams would allow licensees the option to 
use other types of knowledge-based activities or performance-based 
evaluations to evaluate the knowledge, skills, and abilities of members 
of the security organization. These changes are being proposed to 
decrease the burden in implementation of licensee security training 
programs and allow for increased flexibility, while maintaining safety 
and security. The requirements that were retained or modified would 
continue to capture the programmatic areas that licensees must 
implement to provide the appropriate training for security personnel. 
Training methods that were previously described in requirements would 
generally be retained in guidance as one acceptable method of meeting 
the requirements. Licensees would be required to ensure that the 
personnel who implement the physical protection program have the 
appropriate knowledge, skills, and abilities to effectively perform 
their assigned duties and responsibilities to accomplish the 
performance objective of protecting public health and safety.
    The removal of the prescriptive security equipment lists from 
appendix B to part 73 would allow licensees to select equipment that 
best meets their operational needs and integrate new technologies as 
appropriate. The removal would reduce the need for exemptions or 
license amendments.
    The proposed rule would remove the prescriptive requirements for 40 
hours of on-the-job training, and would instead use a performance-based 
approach that allows a licensee to determine the appropriate number of 
on-the-job training hours. Modern training methodologies, job-specific 
competencies, and improved

[[Page 38943]]

instructional systems design processes enable licensees to tailor 
training more precisely to the knowledge, skills, and abilities needed 
for each role. Allowing flexibility in determining the number of on-
the-job training hours gives licensees the ability to align training 
with actual task complexity, prior experience, and demonstrated 
proficiency, rather than relying on a uniform time-based metric. The 
regulations would continue to require that on-the-job training is 
documented and attested by a qualified training instructor or a 
security supervisor. The licensee would verify that the implemented 
training approach provides personnel with the capability to effectively 
execute their responsibilities under the safeguards contingency plan.
(h) Appendix C to Part 73
    The changes proposed in appendix C to part 73 would remove the 
prescriptive periodicity associated with the review of safeguards 
contingency plans to provide licensee flexibility in these types of 
reviews.
(i) Expand Regulatory Flexibility
    The proposed rule would expand the regulatory options for physical 
security for new applicants under parts 50 and 52. Specifically, 
applicants would be able to select the most appropriate physical 
security rule for their design and approach for licensing by complying 
with either Sec.  73.55 or Sec.  73.100, ``Technology-inclusive 
requirements for physical protection of licensed activities at advanced 
nuclear plants against radiological sabotage,'' which was developed for 
reactors licensed under part 53. The distinctions between Sec.  73.55 
and Sec.  73.100 largely reflect the fact that the existing reactor 
fleet was built without accounting for security during the initial 
design phase. The proposed revisions to Sec.  73.55 in this rule would 
address the current configuration of the operating fleet and, similar 
to Sec.  73.100, provide increased flexibility to accommodate the wide 
range of current and future reactor technologies. Currently, applicants 
under part 53 have the option of complying with either Sec.  73.55 or 
Sec.  73.100 for physical security. Extending this flexibility to 
applicants under parts 50 and 52 would ensure that future applicants 
have appropriate physical security options for licensing when designing 
their physical protection programs under part 50, 52, or 53. This 
proposal would include revisions to Sec. Sec.  50.34, 52.79, and 73.100 
to reflect this expanded regulatory flexibility for future applicants.
(ii) Access Authorization
    The NRC is proposing revisions to its access authorization 
requirements under Sec. Sec.  73.55 and 73.56 to promote program 
efficiency by providing appropriate flexibilities to licensees and 
reducing unnecessary program burdens, while maintaining safety and 
security. The proposed revisions would also provide additional relief 
from requirements for those licensees and applicants who demonstrate 
that no achievable target sets exist in accordance with proposed Sec.  
73.55(f).
(a) Changes to the Milestone for Program Implementation
    The proposed rule includes a risk-informed change that would extend 
the implementation milestone for when a licensee or other entity must 
transition from its construction-phase security measures (employed 
through appropriate site procedures for the control of personnel, 
access controls, and pre-employment screening during the construction 
phase) to an operational access authorization program that meets all of 
the applicable requirements of Sec.  73.56.
    Under the existing regulations, Sec.  73.56(a)(3) requires 
licensees to implement the requirements of Sec.  73.56 before fuel is 
allowed onsite (in the protected area). The proposed rule would change 
the milestone for implementation of an access authorization program 
from before fuel is allowed onsite (i.e., into the protected area) to 
before initial fuel load into the reactor.
    This proposed milestone change is based on recent operating 
experience from implementing phased subpart K FFD programs and pre-
employment screening at power reactor construction sites. Specifically, 
the NRC issued an exemption to the licensee for Vogtle Electric 
Generating Plant, Units 3 and 4, to delay implementing the access 
authorization program requirements of Sec.  73.56 until initial fuel 
load (86 FR 67734; November 29, 2021). The NRC has reassessed the risks 
presented during the construction of nuclear power reactors and has 
determined that the currently established milestone for transition to 
an operations-phase access authorization program is not commensurate 
with current risk insights. The risk associated with unirradiated fuel 
does not increase when the fuel arrives onsite, because its engineered 
safety features, storage, and configuration have not changed since the 
fuel was in transit. (For transit and receipt onsite, physical 
protection requirements under Sec.  73.67 are applied to protect the 
fuel.) Safety and security risks associated with unirradiated nuclear 
fuel only begin to increase once the process of loading the fuel into 
its operating configuration begins. The operational milestone ``before 
initial fuel load into the reactor'' therefore corresponds more closely 
to the start of NRC-licensed activities that could result in 
consequences adverse to public health and safety or the common defense 
and security than does the current milestone of receipt of nuclear fuel 
onsite.
(b) Revisions To Reduce Unnecessary Burden and Prescriptiveness
    The proposed changes to access authorization program requirements 
would revise and/or eliminate program elements that have been 
identified as being unnecessarily costly or burdensome and not adding 
commensurate value to site safety or security. Requirements in Sec.  
73.56 would be revised to reflect insights gained from operating 
experience in the years since the requirements were last revised in the 
Power Reactor Security Requirements final rule in 2009 (74 FR 13970; 
March 27, 2009). These changes would promote efficiency and 
effectiveness for commercial nuclear power plant licensees and 
applicants, while adequately maintaining safety and security.
    Proposed revisions to Sec.  73.56(d)(3) would remove prescriptive 
requirements for the verification of true identity. Some approved 
methods for verifying true identity (e.g., validating a foreign 
national's claimed non-immigration status using independent sources of 
reliable information) would be maintained in applicable guidance 
contained in Regulatory Guide (RG) 5.66, ``Access Authorization Program 
for Nuclear Power Plants.'' This change would provide appropriate 
flexibilities to licensees in implementing identity verification 
requirements, and the NRC would maintain reasonable assurance regarding 
the trustworthiness and reliability of personnel with unescorted access through 
continued reporting of access authorization information to the Federal 
Bureau of Investigation (FBI) Threat Screening Center.
    Proposed revisions to Sec.  73.56(i)(1)(v) would remove the 
requirement to perform a credit history re-evaluation as part of the 
process for determining the continued trustworthiness and reliability 
of individuals. Operating experience has shown that, although 
conducting a credit history evaluation at the time that unescorted 
access is initially authorized is important towards making an initial 
determination

[[Page 38944]]

regarding an individual's trustworthiness and reliability, re-
evaluations of credit history add little value. Potential concerns 
regarding continued trustworthiness and reliability are more 
effectively identified through the required criminal history update and 
through licensee behavioral observation programs.
(c) Adjustment to Annual Supervisory Review
    The proposed rule would adjust the requirements in Sec.  
73.56(i)(1)(iv) regarding supervisory review for personnel who are 
maintaining unescorted access. As proposed by the NRC, if an 
individual's supervisor were to interact with that individual with a 
frequency that allows the supervisor to form an informed and reasonable 
opinion regarding the individual's behavior, trustworthiness, and 
reliability, then the supervisor would not be required to conduct an 
annual supervisory review. Otherwise, the individual would be subject 
to an annual (within 365 calendar days) supervisory review conducted in 
accordance with the requirements of the licensee's or applicant's 
behavioral observation program. This proposed adjustment would reduce 
the unnecessary redundancy of annual reviews for cases where an 
individual is already subject to regular review by their supervisor, 
while still ensuring that individuals would undergo supervisor review 
in instances where contact is less frequent, ensuring that the 
objectives of the behavior observation program would be met.
(d) Relaxations for Licensees Who Opt Into a U.S. Government Monitoring 
and Notification Program
    The proposed rule would modernize program requirements by adjusting 
the frequency of certain requirements (e.g., criminal history records 
checks and vital area access list authorization) in a manner that 
provides additional burden relief to those licensees who opt into a 
U.S. Government continuous monitoring and notification program--such as 
the FBI Record of Arrest and Prosecution Background (Rap Back) 
service--through a Memorandum of Understanding with the NRC.
    The FBI Rap Back service is a subscription-based program that 
provides continuous, automated notifications of new criminal activity 
associated with individuals who have undergone a fingerprint-based 
background check. Enrolling in such a service can substantially reduce 
the need for a licensee to rely on repeated background checks to ensure 
the continued trustworthiness and reliability of personnel. The 
proposed rule would reflect these benefits by reducing the frequency of 
required checks for those licensees enrolled in such a program. This 
change would help enable licensees to modernize their programs and 
reduce unnecessary burden, while ensuring that security is adequately 
maintained through the use of appropriate alternative processes.
(e) Reductions to the Frequency of Audits and Record-Retention Periods
    The proposed rule would reduce the frequency of audits required 
under Sec.  73.56(n), ``Audits and corrective action,'' by extending 
audit intervals from 12 months to 24 months for contractors or vendors, 
and from 24 months to 36 months for licensee and applicant programs. 
The proposed audit interval for contractors or vendors would be shorter 
than the interval for licensee and applicant programs because 
contractor and vendor activities operate outside licensees' routine 
processes and are less easily observable by licensees. The proposed 
rule would also reduce the records retention period in Sec.  
73.56(o)(2) from 5 years to 3 years. These proposed changes would 
reduce costs and administrative burdens while enhancing overall 
efficiency. With these changes, there would still be reasonable 
assurance that security will continue to be adequately maintained 
because licensees would still be required to periodically review the 
effectiveness of their programs, and the NRC would maintain the ability 
to effectively oversee program effectiveness through its inspection and 
oversight of licensee performance.
(f) Alternative Requirements for Licensees Who Demonstrate No 
Achievable Target Sets Exist in Accordance With Sec.  73.55(f)
    The proposed rule would provide relief from certain human 
reliability requirements for licensees and applicants who could 
demonstrate no achievable target sets exist in accordance with proposed 
Sec.  73.55(f) and who would not credit any active measures (e.g., 
operator action, mitigative action, detection, assessment, armed 
response) in making that demonstration. Under the proposed rule, such 
licensees would implement a program that meets the alternative access 
authorization requirements of Sec.  73.120, ``Access authorization 
program for commercial nuclear plants,'' which were originally 
developed to provide alternative requirements for facilities licensed 
under 10 CFR part 53 that meet the criteria outlined in Sec.  
73.100(a)(1)(i).
    Under the requirements of Sec.  73.120, eligible licensee 
facilities would be relieved from the requirements to perform 
psychological assessments and reassessments in Sec.  73.56(e), 
``Psychological assessment,'' and to establish a full training program 
for behavioral observation (i.e., initial and refresher training 
including knowledge checks) in Sec.  73.56(f), ``Behavioral 
observation.'' Such licensees would have the option to provide minimal 
guidance to personnel on reporting questionable behavior, similar to 
the Department of Homeland Security's ``If you see something, say 
something'' campaign or a commensurate corporate behavior awareness 
program. This relief would be commensurate with the lower security risk 
posed by potential human actions at these facilities.
(iii) Category I Physical Fitness and Performance Evaluation Programs
    The proposed changes to Sec.  73.46 would reduce burden on current 
and future licensees. The proposed changes for facilities licensed to 
possess or use a Category I quantity of SNM are in the areas of 
security training, specifically for drills, exercises, and physical 
fitness requirements. The proposed rule would reduce the required 
frequency of security training exercises from four to a maximum of 
three per year. On an annual basis, the licensee would need to ensure 
that each shift participates in at least two tactical response drills, 
one of which would test the security response using the response force 
and a mock adversary team. Additionally, the licensee would need to 
conduct at least one force-on-force exercise annually and ensure that 
each shift that implements the safeguards contingency plan protective 
strategy participates in one force-on-force exercise every three years. 
Licensees would continue to ensure the effectiveness of their security 
programs, as security officers would maintain the knowledge, skills, 
and abilities necessary for contingency response activities through 
annual recurring training.
    The requirements for security drills and exercises in 10 CFR 
73.46(b)(9) and for the physical fitness test in 10 CFR 
73.46(b)(10) would be revised to align with the approach taken for 
power reactors. These changes are being proposed to decrease the burden 
in the implementation of licensee security training programs and to 
allow for increased flexibility, while maintaining safety and security.
    These revisions would streamline the current requirements for 
security drills, exercises, and the physical fitness test to eliminate 
certain prescriptive

[[Page 38945]]

requirements, which in some instances are no longer necessary for the 
implementation of the training program. Existing licensees that are in 
compliance with Sec.  73.46 as of the effective date of the final rule, 
if this proposed change is made effective in a final rule, would also 
be in compliance with the proposed revisions to the regulations and 
would not be required to modify their current physical fitness and 
performance evaluation programs.
(iv) Category II and Category III Material Security
(a) Performance-Based Requirements
    The NRC proposes to modify Sec.  73.67(d) for physical protection 
for fixed site facilities for SNM of moderate strategic significance. 
This proposal would build on previous efforts to risk-inform physical 
security regulations by shifting from prescriptive to performance-based 
requirements that would increase flexibility for current and future 
licensees; reduce unnecessary burden on licensees; and, where 
appropriate, allow for alternatives. The proposed changes to Sec.  
73.67 would support the agency's mission to enable the deployment of 
nuclear energy technologies (e.g., the use of high-assay low-enriched 
uranium fuel supporting new types of reactors).
    This proposed rulemaking for Category II quantities of SNM would 
address regulatory gaps and create a standardized approach for physical 
security. This would provide a consistent set of requirements for new 
applicants that use this type of SNM. Additionally, these changes would 
support efficiencies in the NRC's licensing and oversight programs.
    The existing security requirements for possession and use of 
Category II quantities of SNM were originally established in 1979. 
Since that time, the NRC and other governmental agencies completed 
several studies to evaluate the risk and consequences associated with 
the physical protection of SNM. These studies were performed following 
the terrorist events of September 11, 2001, in part to evaluate and 
address changes in the threat environment. These studies and changes in 
the threat environment identified new vulnerabilities and risks that 
were not addressed by the then-existing regulations.
    Subsequently, the NRC issued orders containing additional security 
measures to fuel cycle facilities licensed to possess Categories I and 
III quantities of SNM. At the time these orders were issued, the only 
facilities licensed to possess a Category II quantity of SNM were non-
power reactors. To address the threat at these non-power reactor 
facilities, in 2002 and 2003, the NRC issued confirmatory action 
letters documenting the implementation of compensatory measures. 
However, additional security measures specific to a Category II 
quantity of SNM were not developed.
    The NRC proposes to modify requirements in Sec.  73.67 for Category 
II quantities of SNM to be largely performance-based, only retaining 
the prescriptive requirements that would be expected for all licensees 
subject to the requirements of Sec.  73.67(d). The proposed rule would 
allow greater flexibility for both material and potential reactor 
licensees who would utilize these requirements for physical protection. 
This would permit licensees to adjust their security to better 
correspond to what is needed to ensure adequate physical protection.
    The performance objectives in Sec.  73.67(d)(1)(ii) and (iii) would 
require licensees to provide prompt detection for Category II 
quantities of SNM, instead of the early detection standard used in 
Sec.  73.67(a)(2)(i) and (ii). Additional measures contained in Sec.  
73.67(d)(1) would provide requirements to store material in a 
controlled access area, mitigate and delay the bulk theft of special 
nuclear material, analyze and identify site-specific conditions that 
affect the protective strategy, provide defense in depth, coordinate 
the physical security plan with other onsite plans to avoid conflicts, 
and manage the potential for adverse effects on safety, security, and 
material control. These proposed changes would allow licensees 
possessing Category II quantities of SNM at a fixed site to implement 
protective strategies that are commensurate to the attractiveness of 
the material.
    Proposed Sec.  73.67(d)(2) would include performance requirements 
for the physical protection capabilities of detection, assessment, 
response, communication, and access authorization. Proposed Sec.  
73.67(d)(2)(xiii) would add requirements for compensatory measures. 
This addition would specify performance objectives for compensatory 
actions that should be taken when an item relied on for security is in 
a degraded condition. This addition would ensure the effectiveness of 
the physical protection system under abnormal operating conditions such 
as inclement weather and equipment malfunctions.
    The NRC proposes to remove the current Sec.  73.67(d)(3) and 
replace it with a new proposed Sec.  73.67(d)(3). The proposed 
replacement Sec.  73.67(d)(3) would allow the Commission to adjust 
physical security requirements--either adding or removing measures--
based on the specific risk posed by the individual facility and site 
conditions to ensure adequate protection. The NRC is issuing draft 
Regulatory Guide (DG)-5088, ``Physical Protection of Special Nuclear 
Material of Moderate or Low Strategic Significance,'' proposed Revision 
2 to RG 5.59, for public comment with this proposed rule to support 
implementation of the proposed requirements.
    Proposed Sec.  73.67(d)(4), ``Alternative measures,'' as revised, 
would provide a regulatory method for licensees who may wish to use 
different protective measures that are demonstrated to meet the 
performance objectives and requirements in Sec.  73.67(a) and (b)(1).
    Existing licensees that are in compliance with Sec.  73.67 as of 
the effective date of the final rule, if this proposed change is made 
effective in a final rule, would be in compliance with the proposed 
revisions to the regulation and would not be required to modify their 
current physical protection programs. However, existing licensees would 
be able to voluntarily adopt certain performance-based alternatives, 
which would allow for greater flexibility in implementing the 
requirements of Sec.  73.67.
    Licensees that would elect to implement the proposed revised 
performance objective would be required by proposed Sec.  
73.67(d)(1)(vi), (viii), (ix), and (x) to perform an analysis to 
identify the necessary plant equipment, mitigative measures, detection 
capabilities, assessment processes, and response needed to ensure the 
site's physical protection program would be designed to prevent theft 
and diversion of SNM.
    Alternatively, licensees that would elect to retain their existing 
physical protection programs to protect against theft and diversion of 
special nuclear material would be in compliance with the proposed 
performance objectives. All current licensees approved to possess a 
Category II quantity of SNM have approved security plans that include 
site-specific, performance-based security requirements that meet the 
proposed performance objectives, so an analysis of the proposed 
performance objectives would not be required. These licensees would 
continue to meet and implement the current requirements as relates to 
site-specific analysis for their physical protection program.
    Licensees that would retain their current physical protection 
program 
would be able to elect to change their security plans and implementing 
procedures to reference the new proposed regulatory requirements using 
the existing Sec.  70.32(e) process.
(b) Protection of Category II and Category III Special Nuclear Material
    The proposed rule would address an identified regulatory gap in the 
security requirements in Sec.  73.67 for the protection of Category II 
and Category III special nuclear material among power reactor license 
holders. Paragraphs 73.67(d) and (f) would be modified to include an 
exception for part 52 licensees who will use Category II quantities of 
SNM inside a protected area. This change would align with Commission 
direction in SRM-SECY-22-0052, ``Staff Requirements--SECY-22-0052--
Proposed Rule: Alignment of Licensing Processes and Lessons Learned 
from New Reactor Licensing (RIN 3150-AI66),'' dated November 20, 2024, 
to make security requirements for Category II and III quantities of 
special nuclear material brought on site at nuclear power reactors for 
new and existing facilities licensed under part 50 consistent with 
those requirements for facilities licensed under part 52. Under the 
current regulations, a part 50 licensee is exempt from the regulations, 
but a part 52 licensee is not. By providing this exemption for part 52 
licensees, the proposed rule eliminates the need for part 52 licensees 
to comply with both Sec.  73.67 and the more stringent Sec.  73.55 
requirements when the material is located inside a protected area. The 
Sec.  73.55 requirements are designed to protect irradiated fuel from 
sabotage events at nuclear power reactors. Given the relative risks of 
irradiated and unirradiated fuel, it is acceptable to protect 
unirradiated reactor fuel and other nonfuel SNM brought onsite at a 
nuclear power reactor in accordance with Sec.  73.67 until that 
material is protected in accordance with Sec.  73.55. The change in 
this proposed rulemaking would reduce unnecessary regulatory burden and 
provide consistency between parts 50 and 52 applicants by providing the 
same exception for part 52 licensees. This proposed change is discussed 
further in Section VIII, ``Backfitting and Issue Finality,'' in this 
document.
(v) Electronic Processing of Safeguards Information
    Sections 73.22 and 73.23 currently restrict licensees to 
transmitting SGI using NRC-approved technology and storage on 
standalone computers, transmitting SGI for voice communications using 
only technology approved by the NRC, and processing documents only on a 
standalone computer. Historically, the NRC has expected SGI to be 
treated more like classified information. These current regulations are 
very restrictive and not consistent with the threat environment, SGI's 
status as sensitive unclassified information, and the design basis 
threat's focus on threats posed by non-state actors.
    The NRC is proposing to revise its regulations for the protection 
of SGI in Sec. Sec.  73.22 and 73.23 to expand the means through which 
SGI can be transmitted for voice communications and to provide an 
option through which SGI can be viewed on networked computer systems. 
Sections 73.22(f)(3) and 73.23(f)(3) would be revised to allow an 
individual to transmit SGI for voice communications using commercially 
available digital technology that uses encryption algorithms that are 
compliant with or validated against an active and approved version of 
Federal Information Processing Standard (FIPS) 140. Additionally, the 
proposed rule would expand the ability to process SGI on computer 
systems. Currently, SGI may be stored on only standalone computers. The 
proposed rule would provide an option in Sec.  73.22(g)(2) to store and 
process SGI on computer systems that permit viewing of the information 
on networked computers, using a virtual desktop or thin client 
architecture, provided that the systems storing the SGI would implement 
security controls that ensure the information is protected against 
unauthorized disclosure.
(a) Voice Communications
    The proposed rule would expand the means through which SGI could be 
transmitted for voice communications. The proposed changes in Sec.  
73.22(f)(3) would enable licensees to communicate SGI by voice using 
encryption algorithms that have been approved by the National Institute 
of Standards and Technology (NIST), rather than also requiring that 
they be submitted to the NRC for review and approval. Draft guidance 
changes would discuss appropriate measures to protect against spills 
(e.g., disabling transcription and recording, use in an area where only 
SGI authorized personnel are present, etc.).
    Current Sec.  73.23(f)(3) requires that SGI be transmitted only by 
NRC-approved secure electronic devices, encrypted by a method (FIPS 
140-2 or later) approved by the NRC. Under the proposed Sec.  
73.23(f)(3), SGI would be transmitted only using a commercially 
available encryption system compliant with an active, approved version 
of FIPS 140. This change would eliminate the requirement for entities 
to seek NRC approval prior to using an encryption system, as long as it 
meets the FIPS 140 standard.
(b) Viewing Safeguards Information on Networked Computer Systems
    The proposed rule would provide an option through which SGI could 
be viewed on networked computer systems. Processing SGI on standalone 
computers creates a significant burden, particularly for new reactor 
vendors incorporating security by design principles. Additionally, the 
cybersecurity field has matured significantly since the SGI regulations 
were last modified. The proposed changes in Sec.  73.22(g)(2) would 
give licensees the option to use networked systems that would implement 
security controls specified by NIST as being appropriate for controlled 
unclassified information (NIST SP 800-171) using a thin client or 
virtual desktop architecture that would protect SGI from unauthorized 
disclosure and from being transmitted or stored on unapproved 
computers.
(vi) Decommissioning
    As discussed in Section IV.B.(i), ``Security Requirements for 
ISFSIs Located Outside a Reactor's Protected Area,'' of this document, 
this proposed rule would streamline and expedite the reduction of 
resources needed to implement the physical protection program as a site 
in decommissioning transitions from storing fuel in the spent fuel pool 
to dry storage. Those proposed changes are consistent with the draft 
amendments presented to the Commission in SECY-24-0011.
(vii) Addressing Issues Related to the 2023 Enhanced Weapons Final Rule
    This proposed rule would revise part 73 definitions, physical 
security event notification requirements, and suspicious activity 
reporting requirements to resolve industry concerns and challenges from 
the 2023 Enhanced Weapons final rule (88 FR 15864; March 14, 2023).
    The proposed amendments would modify requirements issued in the 
2023 Enhanced Weapons final rule that posed concerns and challenges for 
industry to effectively and efficiently implement. Industry identified 
these concerns and challenges to the NRC and requested exemptions from 
these requirements (e.g., definitions of specific terms, protocols for 
contacting local Federal Aviation Administration (FAA) control towers, 
and the timelines associated with certain notifications). The NRC 
proposes to clarify or remove other provisions from the 2023 Enhanced 
Weapons final rule that were identified as imposing unnecessary 
burdens. The NRC was able to address many of the implementation issues 
by revising three RGs in 2024 (i.e., RG 5.62, Revision 3, ``Physical 
Security Event Notifications, Reports, and Records''; RG 5.86, Revision 
1, ``Preemption Authority, Enhanced Weapons Authority, and Firearms 
Background Checks''; and RG 5.87, Revision 1, ``Suspicious Activity 
Reports Under 10 CFR part 73''). Other issues that could be resolved 
only by rulemaking were discussed in a public meeting on July 31, 2025 
(``Summary of July 31, 2025, Meeting with External Stakeholders 
Discussing Perspectives on Recent Security Event Notifications,'' dated 
December 18, 2025). The proposed changes to Sec. Sec.  73.2, 
``Definitions,'' 73.1200, ``Notification of security events,'' 73.1205, 
``Written follow-up reports of security events,'' 73.1210, 
``Recordkeeping of security events,'' and 73.1215, ``Suspicious 
activity reports,'' in this proposed rule would resolve these issues 
and are reflected in the proposed revisions to supporting guidance in 
DG-5089 and DG-5098.
    Section 73.1200 would be revised in several locations to increase 
consistency between facility-based and transportation-based event 
notifications (e.g., use of hostile action versus hostile threat, 
adding notification of thefts of spent nuclear fuel or high-level 
radioactive waste from facilities). The NRC proposes to clarify 
language on the elimination of duplication to reduce burden for a 
single event that had both a physical security component (under part 
73) and an information security component (under part 95).
    Sections 73.1205 and 73.1210 would be revised to correct 
unnecessary records retention requirements by replacing the phrase 
``whichever is later'' (which implied an obligation after license 
termination) with ``whichever is earlier.'' Section 73.1205 would also 
be revised to remove the requirement for written follow-up reports 
subsequent to 15-minute and 8-hour event notifications to reduce 
industry burden. For events of high security significance requiring 
notification within 15 minutes (i.e., actual or expected attacks on a 
facility or shipment), prompt onsite follow-up by the NRC would occur 
and would be documented sufficiently by the NRC and the licensee to 
obviate the need for a licensee's written follow-up report within 60 
days. For events of low security significance requiring notification 
within 8 hours, documented follow-up can occur during the NRC's next 
routine security inspection.
    The NRC would make conforming changes to NRC Form 366, ``Licensee 
Event Reports,'' to remove references to Sec.  73.77, ``Cybersecurity 
event notifications,'' which would be revised by this rulemaking as 
discussed in Section IV.C.(x).
    Section 73.1215 would be revised to use more generic language for 
suspicious activity reports to the FAA. Specifically, references to 
``aircraft'' would be revised to ``crewed/uncrewed aviation-related 
assets'' and the term ``local FAA control tower'' would be revised to 
``applicable FAA facility.'' The revised language would provide greater 
flexibility in implementing the reporting provisions and making these 
reports while meeting FAA operational (workload and airspace) 
considerations. The NRC proposes to add language on the elimination of 
duplication to address suspicious activity reports that would otherwise 
be required under both Sec.  73.1215 and Sec.  37.57, ``Reporting of 
events'' (e.g., a licensee storing both spent fuel and greater than 
class C waste at an ISFSI).
(viii) Personnel Identification System
    Section 73.70, ``Records,'' would be revised to add a conforming 
change to reflect the proposal in Sec.  73.55(g)(6)(ii) to allow 
licensees to use a personnel identification system, rather than 
specifically requiring numbered badges. With this change, licensees 
would have an option for the method of compliance for logging 
individuals that have been issued identification to enter a protected 
area. This proposed change could also reduce the cost of providing 
access to individuals that have access to a protected area.
    Under the current Sec.  73.70, certain licensees are required to 
maintain records of the names, addresses, and badge numbers of all 
individuals authorized to have access to vital equipment or special 
nuclear material, and the vital areas and material access areas to 
which authorization is granted. This proposed change would require 
licensees who elect to use an alternative personnel identification 
system to retain the records for individuals enrolled in that system. 
By adding this option, power reactor licensees would have an option for 
complying that also reduces the cost of producing badges for personnel 
that have access to vital areas or special nuclear material.
(ix) Definitions
    Section 73.2 would be updated to reflect various regulatory changes 
in 10 CFR part 73 that affect multiple categories of licensees by 
revising the definitions of ``Physical barrier,'' and ``Contraband.'' A 
new definition for ``Target set'' would be added. As it relates to the 
relevant sections, these proposed changes would enhance clarity and 
promote consistency.
    The definition for ``Physical barrier'' would be revised to allow 
for increased flexibility in licensee methods for meeting part 73 
requirements. This change would reduce the need for licensees to submit 
licensing actions to modify their physical barriers in ways that depart 
from the current, prescriptive requirements. Instead, licensees could 
adopt a performance-based approach based on the function of the barrier 
in the physical protection program.
    The definition of ``Contraband'' would be revised to remove 
reference to ``disease causing agents'' because the ability to identify 
these agents would exceed the reasonable capabilities of a licensee's 
physical protection program. With the removal of ``disease causing 
agents,'' the term ``dangerous materials'' would be redundant to the 
existing terms in the definition of contraband and therefore would also 
be removed. Separately, language in the definition of contraband 
regarding electronic devices would be removed. The existing 
requirements in 10 CFR part 95, ``Facility Security Clearance and 
Safeguarding National Security Information and Restricted Data,'' and 
32 CFR part 117, ``National Industrial Security Program Operating 
Manual (NISPOM),'' are sufficient to protect classified information 
from unauthorized electronic devices, which pose an information 
security concern rather than a physical security concern.
    A definition for ``Target set'' would be added in Sec.  73.2. This 
term was previously defined in regulatory guidance, including RG 5.81, 
Revision 1, ``Target Set Identification and Development for Nuclear 
Power Reactors,'' \2\ and NUREG-2203, ``Glossary of Security Terms for 
Nuclear Power Reactors.'' The NRC proposes to revise that definition to 
reflect the dose consequence performance objective of proposed Sec.  
73.55.
---------------------------------------------------------------------------

    \2\ Revision 1 to RG 5.81 contains Official Use Only--Security 
Related Information. Therefore, this RG is withheld from public 
disclosure but is available to those affected licensees, 
stakeholders who have established a need to know, and cleared 
stakeholders who have access authorization.
---------------------------------------------------------------------------

(x) Cybersecurity
(a) Regulatory Guidance Revisions
    The existing regulatory framework for cybersecurity under Sec.  
73.54 is 
performance based and provides reasonable assurance that digital 
computer and communication systems and networks associated with safety, 
security, and emergency preparedness (SSEP) functions are adequately 
protected against cyberattacks up to and including the design basis 
threat, as defined in Sec.  73.1. Commercial nuclear power plant 
licensees can choose from approved guidance documents (e.g., RG 5.71, 
``Cybersecurity Programs for Nuclear Power Reactors,'' and NEI 08-09, 
``Cyber Security Plan for Nuclear Power Reactors'') for well-
established standardized approaches to meet the cybersecurity 
requirements in Sec.  73.54.
    The NRC is proposing to update RG 5.71 to reflect lessons learned 
from operating experience while ensuring that licensees continue to 
maintain reasonable assurance of safety and security. The proposed RG 
5.71 updates would effectively result in reducing regulatory burden by, 
for example, focusing on safety and security over general cybersecurity 
hygiene--cutting approximately 19 percent of controls--and allowing 
licensees to take credit for cybersecurity best practices already in 
use (beyond those specified in RG 5.71).
(b) Event Notifications
    The requirements for commercial nuclear power plant licensees to 
notify the NRC of certain cybersecurity-related events that adversely 
impact or could have impacted SSEP functions are defined in Sec.  
73.77, with supporting guidance in RG 5.83, ``Cybersecurity Event 
Notifications.'' To date, no licensee has made a notification under 
these provisions. In lieu of reporting incidents in accordance with the 
requirements of Sec.  73.77, licensees have used the existing 
notification processes under Sec. Sec.  50.72 and 50.73 (for safety-
related events) and Sec.  73.1200 (for security-related events). This 
proposal would simplify the regulation in Sec.  73.77 by eliminating 
specific event notifications and instead redirect licensees to the 
aforementioned notification processes (i.e., a cybersecurity-related 
event notification would use these safety-related or security-related 
regulations, based upon the affected function). This approach would 
allow the NRC to withdraw RG 5.83 and incorporate cybersecurity-related 
events reporting into the broader, established notification processes 
under parts 50, 53, and 73.
(c) Expand Regulatory Flexibility
    To support innovation and modernization of the existing 
cybersecurity regulatory framework, this proposed rule would expand the 
regulatory options for new applicants under parts 50 and 52. 
Specifically, applicants would be able to select the most appropriate 
cybersecurity rule for their design and risk profile by complying with 
either Sec.  73.54 or Sec.  73.110, ``Technology-inclusive requirements 
for protection of digital computer and communication systems and 
networks,'' which was developed for part 53. Differences between the 
Sec.  73.54 requirements and those in Sec.  73.110 are primarily based 
on the implementation of a consequence-based approach to cybersecurity 
in Sec.  73.110 that provides flexibility to accommodate the wide range 
of reactor technologies to be assessed by the NRC. A graded approach 
based on consequences would account for the differing risk levels among 
reactor technologies.
    This proposal would include revisions to Sec. Sec.  73.54, 73.55, 
73.77, and 73.110; the companion regulatory guidance for Sec.  73.110, 
DG-5103 (proposed Revision 1 to RG 5.96), ``Establishing Risk-Informed 
and Technology-Inclusive Cybersecurity Programs for Commercial Nuclear 
Plants''; and Sec. Sec.  50.34 and 52.79 to reflect this expanded 
regulatory flexibility.
    This proposal would eliminate the existing introductory paragraph 
of Sec.  73.54. That statement was originally intended to require that 
operating nuclear power plants, at the time of rule implementation in 
2009, establish, implement, and maintain a cybersecurity program. All 
currently operating nuclear power plants have fully implemented their 
cybersecurity plans and will continue to maintain their plans per the 
requirements of Sec.  73.55 and Sec.  73.54.
    The NRC is also proposing revisions to Sec.  73.54(g) as conforming 
changes to align with the expansion of regulatory options for new 
applicants. Specifically, the cybersecurity program review requirement 
would be independent of the physical security program.
(xi) Design Requirements
    The NRC is proposing amendments to Sec.  50.34(a)(3)(i) and Sec.  
52.79(a)(4)(i) to require that safety and security be considered 
together in the design process such that, where possible, security 
issues are effectively resolved through design and engineered security 
features. This approach, which is consistent with the requirement in 
Sec.  53.440(f), ensures consideration is given to safety and security 
together throughout the plant's lifetime, including the design process 
and prior to implementing changes to plant configurations, to ensure 
risks are effectively managed. This evaluation helps determine whether 
enhancements to the design basis or physical protection system are 
warranted. Incorporating security strategies and design features early 
in the design process can be significantly more efficient and cost-
effective than retrofitting these measures after the plant has been 
designed or constructed.

D. Facility Security Clearance and Safeguarding of National Security 
Information and Restricted Data (Part 95)

    The proposed rule would revise 10 CFR part 95 to remove 
requirements that are duplicative and ensure alignment with 32 CFR part 
117 by providing references to 32 CFR part 117 where appropriate. 
Furthermore, specific NRC prescriptive requirements would be eliminated 
to resolve any conflicting regulations.
    Part 95 establishes requirements for licensees, applicants, and 
other entities that obtain a facility security clearance from the NRC, 
as well as the requirements for the protection of classified matter. 
These requirements are based on the National Industrial Security 
Program Operating Manual (NISPOM), which was codified in regulation in 
February 2021, at 32 CFR part 117. Part 95 ensures that entities that 
fall under NRC cognizance meet the requirements of the NISPOM.
    The regulations in 32 CFR part 117 establish the NRC as the 
cognizant security agency for NRC-cleared entities that are issued 
facility security clearances. Currently, cleared entities under NRC 
cognizance are subject to both 10 CFR part 95 and 32 CFR part 117, 
which has resulted in the establishment of duplicative and inconsistent 
regulatory requirements for cleared entities.
    Under this proposed rule, the NRC would revise 10 CFR part 95. The 
proposed changes would not affect any existing regulatory guidance, but 
inspection procedures related to part 95 would be updated. The NRC 
would remove requirements from 10 CFR part 95 that are duplicative or 
inconsistent with the requirements in 32 CFR part 117. Part 95 would 
retain only those requirements and processes that are unique to NRC-
cleared entities.
    Section 95.1, ``Purpose,'' would be revised to identify that the 
purpose of part 95 is to implement the National Industrial Security 
Program, as described in 32 CFR part 117.
    Section 95.5 would be revised to remove unused definitions or those 
definitions that are duplicative to definitions in 32 CFR part 117.

    Section 95.11, ``Specific exemptions,'' would be revised to change 
the section title to ``Specific exemptions and waivers,'' to include 
reference to the NRC's ability to issue waivers in accordance with 32 
CFR part 117.
    Section 95.17, ``Processing facility clearance,'' would be renamed 
``Facility clearance process'' for clarity. Requirements unrelated to 
the facility clearance process that had previously been in Sec.  95.17 
were moved to other more relevant sections. Other revisions would 
clarify that the review referred to in Sec.  95.17 is an operational 
readiness review (rather than a security review). The NRC would revise 
Sec.  95.17 to use the definition of ``key management personnel'' found 
in 32 CFR part 117.
    The NRC proposes to delete Sec. Sec.  95.18, ``Key personnel''; 
95.25, ``Protection of National Security Information and Restricted 
Data in storage''; 95.27, ``Protection while in use''; 95.29, 
``Establishment of Restricted or Closed areas''; 95.31, ``Protective 
personnel''; 95.35, ``Access to matter classified as National Security 
Information and Restricted Data''; 95.45, ``Changes in 
classification''; and 95.51, ``Retrieval of classified matter following 
suspension or revocation of access authorization,'' because they 
duplicate provisions in 32 CFR part 117.
    Section 95.19, ``Changes to security practices and procedures,'' 
would be revised to remove the requirement to resubmit the Standard 
Practice Procedures Plan every 5 years. This change would result in a 
reduction in licensee burden.
    The NRC proposes to add Sec.  95.24, ``Safeguarding National 
Security Information and Restricted Data,'' which would be a new 
section. This section would retain existing requirements from 95.25, 
``Protection of National Security Information and Restricted Data in 
storage,'' related to the maintenance of keys and padlocks used to 
protect classified information. There would be no additional licensee 
burden associated with this change.
    Sections 95.33, ``Security education,'' 95.34, ``Control of 
visitors,'' 95.37, ``Classification and preparation of documents,'' 
95.39, ``External transmission of documents and material,'' 95.43, 
``Authority to reproduce,'' and 95.47, ``Destruction of matter 
containing classified information,'' would be modified to remove 
specific requirements and instead require that cleared entities conduct 
these activities in accordance with 32 CFR part 117.
    Section 95.49, ``Security of automatic data processing (ADP) 
systems,'' would be renamed ``Authorization to operate national 
security systems,'' consistent with usage in 32 CFR part 117. Specific 
requirements would be deleted, and the revised section would require 
cleared entities to process classified information on information 
technology or operational technology systems in accordance with 32 CFR 
part 117.
    The NRC would revise Sec.  95.57, ``Reports,'' to establish 
reporting requirements consistent with the provisions in 32 CFR part 
117 that state that the cognizant security agency (CSA) (in this case, 
the NRC) will provide guidance on reporting security events. The 
proposed revision would provide that all actual or suspected losses or 
compromises of classified information would be reported to the NRC 
Headquarters Operations Center within one hour of discovery, with a 
written follow-up submitted within 48 hours. If it is determined that 
no loss, compromise, or suspected compromise occurred, a written report 
documenting this determination would be submitted in accordance with 
Sec.  95.9, ``Communications,'' within 48 hours of reaching that 
conclusion. If the NRC is not the CSA, the entity would first report to 
its applicable CSA and then to the NRC. This revision would also 
eliminate the previous requirement for monthly logs.

V. Specific Requests for Comments

    The NRC is seeking advice and recommendations from the public on 
the proposed rule. The NRC is particularly interested in comments with 
supporting rationales from the public on the following questions. In 
addition to the general discussion in Section IV, additional context is 
provided for certain questions in order to help the public comment on 
these issues.

Requirements for Vital Areas

    Part 73 establishes requirements for the physical protection of 
licensed activities and facilities, which includes nuclear power 
reactors and Category I facilities. Section 73.2 defines vital areas 
and vital area equipment. The vital area concept focuses protective 
measures and access controls on locations housing equipment and 
functions essential to preventing significant radiological consequences 
from malevolent acts.
    The licensees and the NRC have gained additional experience 
implementing the requirements associated with vital areas. The current 
approach for power reactors to protect their facilities focuses on the 
use of target sets (plant equipment and operator actions) that may or 
may not involve vital equipment. Evolving plant design changes, digital 
modernization, and operational practices may warrant an assessment of 
whether the vital area concept remains optimally defined and whether 
its implementation across 10 CFR part 73 is clear, efficient, and 
risk-informed.
    Question 1: The NRC seeks stakeholder input on whether to revise or 
remove the term ``vital areas'' for power reactor facilities. Please 
explain the basis for your response.

Performance Objective

    Under current part 73, licensees subject to Sec.  73.55 must meet 
the performance objective in Sec.  73.55(b)(3) of protecting against 
significant core damage and spent fuel sabotage. The NRC is proposing 
to change the performance objective from protecting against significant 
core damage and spent fuel sabotage to a broader goal of preventing 
release of radionuclides from any source that exceeds the dose 
reference values defined in Sec.  50.34(a)(1)(ii)(D)(1) and (2), Sec.  
52.79(a)(1)(vi)(A) and (B), or Sec.  53.210, as applicable, given that 
the term ``core damage'' is not necessarily applicable for some reactor 
technologies and designs.
    Question 2: The NRC seeks stakeholder input on the following:
    a. How would this change impact the security programs of current 
licensees?
    b. Would changing the performance objective in Sec.  73.55(b)(3) 
provide any benefit to future licensees given that Sec.  73.100 already 
offers a flexible, technology-inclusive performance objective for new 
reactors?

Fitness-for-Duty Program Requirements

    Part 26 establishes requirements for FFD programs at NRC-licensed 
facilities. These requirements have been developed over time to 
provide, in part, a level of detail needed to support licensee legal 
considerations (e.g., related to donor protections, the accuracy and 
reliability of tests performed, and the defensibility of licensee 
decisions regarding sanctions imposed on individuals because of FFD 
program violations). The proposed rule includes several changes to 10 
CFR part 26 intended to reduce regulatory burden while increasing 
program effectiveness, efficiency, and flexibility.
    Question 3: Are there additional changes that the NRC should 
consider to streamline or simplify FFD program requirements for NRC 
licensees? For example, are there specific requirements in 10 CFR part 
26 or other related regulations that could be transitioned to 
regulatory guidance (e.g., to reduce prescriptiveness and allow 
licensees

[[Page 38950]]

and applicants to propose alternate methodologies in their licensing 
applications)? Please explain the basis for your response and provide 
specific recommendations to the extent possible.

Applicability of Changes to New Reactor Licensees and Applicants

    The proposed rule includes several changes to prescriptive security 
and fitness-for-duty requirements that are based on the operating 
experience and performance history of the operating reactor fleet. 
Examples of such changes for power reactors include the proposed 
reduction in the number of required tactical response drills and force-
on-force exercises, elimination of the annual reports of waivers and 
fatigue management program information, and reduction in annual random 
testing rate for employees that do not perform critical safety- or 
security-related activities. New reactor licensees and applicants, 
however, may lack similar operating experience and performance history 
in these areas.
    Question 4: Should the proposed changes to prescriptive security 
and fitness-for-duty requirements that are based on the operating 
experience and performance history of the operating reactor fleet be 
applicable to all licensees and applicants, as currently proposed, or 
should the NRC develop criteria to limit the applicability of these 
proposed changes? If the NRC should develop criteria to limit the 
applicability of these proposed changes, what criteria should the NRC 
consider? Please provide a basis for your response.

VI. Regulatory Flexibility Certification

    As required by the Regulatory Flexibility Act of 1980, 5 U.S.C. 
605(b), the Commission certifies that this rule, if adopted, will not 
have a significant economic impact on a substantial number of small 
entities. This proposed rule affects only the licensing and operation 
of nuclear power plants. The companies that own these plants do not 
fall within the scope of the definition of ``small entities'' set forth 
in the Regulatory Flexibility Act or the size standards established by 
the NRC (10 CFR 2.810).

VII. Regulatory Analysis

    The NRC has prepared a draft regulatory analysis on this proposed 
regulation. The analysis examines the costs and benefits of the 
alternatives considered by the NRC. The NRC requests public comment on 
the draft regulatory analysis. The regulatory analysis is available as 
indicated in the ``Availability of Documents'' section of this 
document. Comments on the draft analysis may be submitted to the NRC as 
indicated under the ADDRESSES caption of this document. As discussed in 
Section IV.A.(i)(k) of this document, the NRC also requests public 
input on the costs and benefits of subpart F of 10 CFR part 26.

VIII. Backfitting and Issue Finality

    The Commission has completed a backfitting and issue finality 
assessment for this proposed rule under Sec. Sec.  50.109, 
``Backfitting''; 53.1590, ``Backfitting''; 70.76, ``Backfitting''; and 
72.62, ``Backfitting,'' and the issue finality provisions of part 52 
and part 53. Also, a number of the changes in this proposed rule would 
not be subject to the backfitting and issue finality requirements. This 
assessment is available as indicated in the ``Availability of 
Documents'' section of this document.
    One set of changes in this proposed rule would constitute 
backfitting, as that term is defined in Sec.  50.109 and described in 
NRC Management Directive 8.4, ``Management of Backfitting, Forward 
Fitting, Issue Finality, and Information Requests.'' The proposed 
changes to Sec. Sec.  73.67(d) and 73.67(f) to clarify the appropriate 
security requirements for Category II and III quantities of SNM stored 
within the owner-controlled area but outside the protected area at 10 
CFR part 50 nuclear power reactors could impose a change to those 
licensees' required physical security programs, thereby meeting the 
definition of ``backfitting'' in Sec.  50.109(a)(1). As described in 
the backfitting assessment, these proposed backfits would be justified 
on the basis that the proposed changes would be necessary to ensure 
that these facilities provide adequate protection to the health and 
safety of the public and are in accord with the common defense and 
security.
    The NRC is issuing fifteen DGs that, if finalized, would provide 
guidance on the methods acceptable to the NRC for complying with 
aspects of this proposed rule. As discussed in the DGs, applicants and 
licensees would not be required to comply with the positions set forth 
in the DGs. Therefore, issuance of the DGs in final form would not 
constitute backfitting or forward fitting, as those terms are defined 
and described in Management Directive 8.4, or affect the issue finality of 
any approval issued under part 52.

IX. Cumulative Effects of Regulation

    The NRC seeks to minimize potential negative consequences resulting 
from the cumulative effects of regulation (CER). The NRC believes that 
the de-regulatory impacts of this rulemaking activity are unlikely to 
cause implementation challenges for stakeholders. In addition, during 
the pendency of this rulemaking, the NRC is deprioritizing issuance of 
regulatory actions that might influence the implementation date for the 
new rule requirements (e.g., orders, generic communications, license 
amendment requests, and inspection findings of a generic nature).
    To fully understand any potential CER implications that could 
result from this rulemaking, the NRC is asking the following questions. 
Response to these questions is voluntary and any input will be 
considered during development of the final rule.
    1. The NRC is proposing an effective date that will be 30 days 
after the date of publication of a final rule. The NRC is proposing a 
compliance (implementation) date that will be 180 days after the date 
of publication of the final rule. Does this provide sufficient time to 
implement the proposed requirements and associated guidance? Please 
provide a rationale for your response.
    2. Are there unintended consequences related to this rulemaking and 
how should they be addressed? Please provide a rationale for your 
response.
    3. Please comment on the NRC's cost and benefit estimates in the 
regulatory analysis that supports this proposed rule.

X. Plain Writing

    The Plain Writing Act of 2010 (Pub. L. 111-274) requires Federal 
agencies to write documents in a clear, concise, and well-organized 
manner. The NRC has written this document to be consistent with the 
Plain Writing Act as well as the Presidential Memorandum, ``Plain 
Language in Government Writing,'' published June 10, 1998 (63 FR 
31885). The NRC requests comment on this document with respect to the 
clarity and effectiveness of the language used.

XI. National Environmental Policy Act

    The Commission has determined under the National Environmental 
Policy Act of 1969, as amended, and the Commission's regulations in 
subpart A, ``National Environmental Policy Act--Regulations 
Implementing Section 102(2),'' of part 51, ``Environmental Protection 
Regulations for Domestic Licensing and Related Regulatory Functions,'' 
that this proposed rule, if adopted, would not be a major Federal 
action significantly affecting the quality of the human environment, 
and an environmental impact statement would not be required, because

[[Page 38951]]

implementation of the proposed rule requirements would not have a 
significant environmental effect. The proposed rulemaking would amend 
requirements that are administrative in application, are matters of 
procedure, or provide an equivalent level of safety as existing 
requirements. Therefore, the environmental impacts from the 
implementation of this proposed rule would be similar to those 
occurring under existing requirements.
    The preliminary determination of the Commission's environmental 
assessment and finding of no significant impact is that there would be 
no significant effect on the quality of the human environment from this 
rulemaking action. Comments on any aspect of this environmental 
assessment and finding of no significant impact may be submitted to the 
NRC as indicated under the ADDRESSES section of this document. The 
environmental assessment is available as indicated under the 
``Availability of Documents'' section of this document. This 
environmental assessment and proposed finding of no significant impact 
can be tracked with identification number NEPA ID EAXX-429-00-000-
1771377270. The Commission will consider timely public comments 
received on the environmental assessment and draft finding of no 
significant impact in determining whether to issue a final finding of 
no significant impact for the final rule.

XII. Paperwork Reduction Act

    This proposed rule contains new or amended collections of 
information subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 
3501 et seq.). This proposed rule has been submitted to the Office of 
Management and Budget (OMB) for review and approval of the information 
collections.
    Type of submission: New.
    The title of the information collection: Modernizing Security 
Requirements.
    OMB approval numbers: 3150-0002, 3150-0009, 3150-0011, 3150-0047, 
3150-0104, 3150-0132, 3150-0146, and 3150-0151.
    The form number if applicable: NRC Forms 366, 891, and 892.
    How often the collection is required or requested: Initial 
submissions of revised security or cybersecurity plans in response to 
regulatory changes are one-time requirements. Notifications and written 
reports of physical security events, fitness-for-duty policy 
violations, or suspicious activity are submitted on occasion and must 
be submitted promptly after the event occurs (e.g., within 15 minutes, 
1 hour, 4 hours, 8 hours, or 24 hours, depending on the event's 
significance). Certain collections are required on a quarterly basis, 
such as the submission of blind performance test samples to HHS-
certified laboratories for drug and alcohol testing program oversight. 
Annual requirements include the collection and reporting of fitness-
for-duty program performance data to the NRC. Retention periods for 
records under the proposed rule vary depending on the type of 
information collected, from two to three years, until the completion of 
all related legal proceedings, or until license termination.
    Who will be required or asked to respond: Existing and future 
applicants and licensees under 10 CFR parts 50, 52, and 53.
    An estimate of the number of annual responses: 10 CFR part 26: 
-26,077 (-167 reporting responses + -46 recordkeepers + -25,864 third 
party disclosure responses); 10 CFR part 50: 3.6 (3.6 reporting 
responses + 0 recordkeepers + 0 third party disclosure responses); 10 
CFR part 52: 1 (1 reporting responses + 0 recordkeepers + 0 third party 
disclosure responses); 10 CFR part 70: 0.3 (0.3 reporting responses + 0 
recordkeepers + 0 third party disclosure responses); 10 CFR part 73: 
-52 (-2 reporting responses + -56 recordkeepers + 6 third party 
disclosure responses); 10 CFR part 95: -20 (0 reporting responses + -20 
recordkeepers + 0 third party disclosure responses).
    The estimated number of annual respondents: 10 CFR part 26: 25,749 
respondents; 10 CFR part 50: 3.6 respondents; 10 CFR part 52: 1 
respondent; 10 CFR part 70: 0.3 respondents; 10 CFR part 73: 56 
respondents; 10 CFR part 95: 20 respondents.
    An estimate of the total number of hours needed annually to comply 
with the information collection requirement or request: 10 CFR part 26: 
-42,271 (-1,092 reporting + -2,644 recordkeeping + -38,535 third party 
disclosure); 10 CFR part 50: -788 (-788 reporting + 0 recordkeeping + 0 
third party disclosure); 10 CFR part 52: -250 (-250 reporting + 0 
recordkeeping + 0 third party disclosure); 10 CFR part 70: -75 (-75 
reporting + 0 recordkeeping + 0 third party disclosure); 10 CFR part 
73: -25,636 (-1 reporting + -25,659 recordkeeping + 24 third party 
disclosure); 10 CFR part 95: -2 (0 reporting + -2 recordkeeping + 0 third 
party disclosure).
    Abstract: The NRC is proposing to amend its regulations to reduce 
overly prescriptive requirements and modernize security and fitness-
for-duty requirements to enhance efficiency and regulatory flexibility. 
This effort is consistent with, and implements, the direction in E.O. 
14300 which directs the NRC to conduct a comprehensive review and 
revision of its regulations. The proposed revisions are intended to 
reduce regulatory burden, where appropriate, while continuing to 
provide reasonable assurance that safety and security will be 
adequately maintained at NRC-licensed facilities. The proposed rule 
covers a wide range of topics, including the following areas that would 
result in new or revised changes in recordkeeping and reporting 
requirements:
    * FFD Programs. The NRC is proposing effectiveness and 
efficiency improvements to the drug and alcohol testing and fatigue 
management requirements based on lessons learned from implementing 10 
CFR part 26, to align with select changes made by other Federal agency 
drug testing programs, and to address several petitions for rulemaking.
    * Security Requirements for ISFSIs. The proposed rule would 
revise security requirements for ISFSIs to improve clarity and 
consistency between the requirements for general license ISFSIs and 
specific license ISFSIs.
    * Physical Security Requirements. The NRC is proposing to 
modernize and streamline physical security requirements for nuclear 
power reactors and materials by shifting from prescriptive rules to 
performance-based, risk-informed criteria.
    * Facility Security Clearance and Safeguarding of National 
Security Information and Restricted Data. The NRC is proposing to 
revise 10 CFR part 95 to remove requirements that are duplicative and 
to ensure alignment with 32 CFR part 117.
    The proposed rule would impose burden associated with new optional 
information collections in NRC Form 891. NRC Form 366 would be updated 
to remove a regulatory reference. In addition, if paragraph 26.203(e) 
were deleted as proposed, the NRC would no longer need NRC Form 892.
    The NRC is seeking public comment on the potential impact of the 
information collection(s) contained in this proposed rule and on the 
following issues:
    1. Is the proposed information collection necessary for the proper 
performance of the functions of the NRC, including whether the 
information will have practical utility? Please explain your response.
    2. Is the estimate of the burden of the proposed information 
collection accurate? Please explain your response.

[[Page 38952]]

    3. Is there a way to enhance the quality, utility, and clarity of 
the information to be collected? Please explain your response.
    4. How can the burden of the proposed information collection on 
respondents be minimized, including the use of automated collection 
techniques or other forms of information technology?
    A copy of the OMB clearance package and proposed rule are available 
in the ``Availability of Documents'' section of this document or may be 
viewed free of charge by contacting the NRC's Public Document Room 
reference staff at 1-800-397-4209, at 301-415-4737, or by email to 
[email protected]. You may obtain information and comment on 
submissions related to the OMB clearance package by searching on 
https://www.regulations.gov under Docket ID NRC-2025-1303.
    You may submit comments on any aspect of these proposed information 
collections, including suggestions for reducing the burden and on the 
above issues, by the following method:
    Federal rulemaking website: Go to https://www.regulations.gov and 
search for Docket ID NRC-2025-1303.
    Submit comments by July 27, 2026. Comments received after this date 
will be considered if it is practical to do so, but the NRC staff is 
able to ensure consideration only for comments received on or before 
this date.

Public Protection Notification

    The NRC may not conduct or sponsor, and a person is not required to 
respond to, a collection of information unless the document requesting 
or requiring the collection displays a currently valid OMB control 
number.

XIII. Executive Orders

    The following are Executive orders that are related to this 
proposed rule:

A. Executive Order 12866: Regulatory Planning and Review (As Amended by 
Executive Order 14215, Ensuring Accountability for All Agencies)

    The Office of Information and Regulatory Affairs (OIRA) has 
determined that this proposed rule is a significant regulatory action 
under section 3(f) of E.O. 12866, though not economically significant 
under section 3(f)(1). Accordingly, the NRC submitted this proposed 
rule to OIRA for review. The NRC is required to conduct an economic 
analysis in accordance with section 6(a)(3)(B) of E.O. 12866. More can 
be found in Section VII of this document, ``Regulatory Analysis.''

B. Executive Order 14154: Unleashing American Energy

    The NRC has examined this proposed rule and has determined that it 
is consistent with the policies and directives outlined in E.O. 14154.

C. Executive Order 14192: Unleashing Prosperity Through Deregulation

    This action is tentatively determined to be a deregulatory action 
as defined by E.O. 14192. The NRC estimates that this rule generates 
$45.2 million in annualized cost savings at a 7 percent discount rate, 
discounted relative to year 2024, over a perpetual time horizon. 
Details on the estimated costs of this proposed rule can be found in 
Section VII of this document.

D. Executive Order 14267: Reducing Anti-Competitive Regulatory Barriers

    E.O. 14267 requires the NRC to identify anti-competitive 
regulations for rescission or modification. The NRC identified several 
such changes in 10 CFR part 26. The proposed rescission/modification of 
the regulations supports the objectives of E.O. 14267 by removing 
regulatory requirements that could create unnecessary barriers to entry 
for new market entrants.
    First, by expanding the acceptable credentials to serve as an SAE 
to include licensed marriage and family therapists, the proposed rule 
would allow licensees to consider additional candidates to potentially 
serve as SAEs. Second, by revising the medical degree requirements for 
MROs to include medical degrees obtained in foreign countries that are 
equivalent to a Doctor of Medicine or Doctor of Osteopathy degree 
obtained in the United States, the proposed rule would expand the 
potential pool of candidates available to provide MRO services. 
Finally, proposed changes to the blind performance testing programs 
would include the removal of the requirement for licensees to submit 
additional blind performance test samples in the initial 90 days of 
testing with a new HHS-certified laboratory. This change would enhance 
competitiveness for new market entrants by removing a potential 
disincentivizing factor for a licensee that may want to change to 
another HHS-certified laboratory.
    Additionally, the proposed rule would remove outdated provisions no 
longer in use by industry. These pertain to LTFs and reflect how the 
free market has driven changes in the drug testing programs under 10 
CFR part 26. At the inception of 10 CFR part 26 FFD programs in 1990, 
many licensees utilized LTFs at their sites to perform initial drug 
testing. Over time, the advantages of LTF testing decreased as the 
performance and capabilities at HHS-certified laboratories 
(price-competitive, private, and for-profit entities) significantly improved. 
LTFs have not been a viable testing option for licensees because of the 
increasing sophistication and complexity of drug testing (e.g., 
substances, biological specimens) and the financial burden associated 
with staffing, equipping, and maintaining these facilities. 
Furthermore, removal of LTF provisions, along with the removal of 
barriers to licensees contracting with new laboratories as discussed in 
Section IV.A.(i)(c)1. of this document, would serve to further 
incentivize new market entrants by removing potential barriers to 
entry.

E. Executive Order 14270: Zero-Based Regulatory Budgeting To Unleash 
American Energy

    E.O. 14270 requires the NRC to insert a conditional sunset date 
into all new or amended NRC regulations provided the regulations are 
(1) promulgated under the Atomic Energy Act of 1954, as amended (AEA), 
the Energy Reorganization Act of 1974, as amended (ERA), or the Nuclear 
Waste Policy Act of 1982, as amended (NWPA); (2) not statutorily 
required; and (3) not part of the NRC's permitting regime. The NRC 
determined that the regulatory changes proposed in this rule are part 
of the NRC's regulatory permitting scheme authorized by the AEA, ERA, 
or NWPA. Therefore, the NRC views this rulemaking to be outside the 
scope of E.O. 14270 and did not insert conditional sunset dates for the 
regulatory changes in this proposed rule.

XIV. Voluntary Consensus Standards

    The National Technology Transfer and Advancement Act of 1995, 
Public Law 104-113, requires that Federal agencies use technical 
standards that are developed or adopted by voluntary consensus 
standards bodies unless the use of such a standard is inconsistent with 
applicable law or otherwise impractical. In this proposed rule, the NRC 
would revise the NRC's requirements in 10 CFR parts 26, 72, 73, and 95 
to modernize security and FFD programs by updating and clarifying 
regulatory provisions, streamlining administrative processes, and 
providing additional compliance flexibilities. These proposed changes 
are tailored to the unique safety and security needs of NRC licensees 
and would not create a broadly applicable technical standard suitable 
for adoption by voluntary

[[Page 38953]]

consensus standards bodies. This action would not constitute the 
establishment of a standard that contains generally applicable 
requirements.

XV. Availability of Guidance

    The NRC is issuing draft guidance for public comment, as described 
in this section, to support implementation of the proposed requirements 
in this rulemaking. The draft guidance is available at https://www.regulations.gov by searching for Docket ID NRC-2025-1303. You may 
submit comments on the draft regulatory guidance using the methods 
provided in the ADDRESSES section of this document.
    Draft Regulatory Guides DG-5087, ``Standard Format and Content of 
Safeguards Contingency Plans for Nuclear Power Plants'' (proposed 
Revision 2 to RG 5.54), and DG-5094, ``Physical Protection Programs at 
Nuclear Power Reactors'' (proposed Revision 2 to RG 5.76), contain SGI 
and are therefore withheld from public disclosure. In accordance with 
NRC policy, these DGs will be made available only to affected licensees 
and cleared stakeholders who have an established ``need-to-know'' and 
meet the access requirements of Sec.  73.22(b). Because the majority of 
the changes to these DGs are limited to conforming changes needed to 
align with this proposed rulemaking, and considering the level of 
information provided in this notice, the NRC has determined that access 
to these DGs is not necessary for the general public to offer informed 
comment on the proposed rule. The publicly available draft guidance 
documents supporting this rulemaking are:
    * DG-5069, ``Fitness-For-Duty Programs at New Reactor 
Construction Sites,'' proposed Revision 1 to RG 5.84;
    * DG-5085, ``Cybersecurity Programs for Nuclear Power 
Reactors,'' proposed Revision 2 to RG 5.71;
    * DG-5088, ``Physical Protection of Special Nuclear Material 
of Moderate or Low Strategic Significance,'' proposed Revision 2 to RG 
5.59;
    * DG-5089, ``Security Event Notifications, Reports, and 
Records,'' proposed Revision 4 to RG 5.62;
    * DG-5090, ``Access Authorization Program for Nuclear Power 
Plants,'' proposed Revision 3 to RG 5.66;
    * DG-5093, ``Training and Qualification of Security 
Personnel at Nuclear Power Reactor Facilities,'' proposed Revision 2 to 
RG 5.75;
    * DG-5095, ``Insider Mitigation Program,'' proposed Revision 
2 to RG 5.77;
    * DG-5097, ``Preemption Authority, Enhanced Weapons 
Authority, and Firearms Background Checks,'' proposed Revision 2 to RG 
5.86;
    * DG-5098, ``Suspicious Activity Reports Under 10 CFR part 
73,'' proposed Revision 2 to RG 5.87;
    * DG-5099, ``Fatigue Management for Nuclear Power Plant 
Personnel,'' proposed Revision 1 to RG 5.73;
    * DG-5102, ``Protection of Safeguards Information,'' 
proposed Revision 1 to RG 5.79;
    * DG-5103, ``Establishing Risk-Informed and Technology-
Inclusive Cybersecurity Programs for Commercial Nuclear Plants,'' 
proposed Revision 1 to RG 5.96; and
    * DG-5104, ``Access Authorization Program for Commercial 
Nuclear Plants,'' proposed Revision 1 to RG 5.95.
    The NRC is proposing to withdraw RG 5.83, ``Cybersecurity Event 
Notifications.'' As discussed in Section IV.C.(x), ``Cybersecurity,'' 
of this document, the NRC is proposing to eliminate specific cyber 
event notification requirements under Sec.  73.77 and instead redirect 
licensees to established notification processes under parts 50, 53, and 
73. RG 5.62 would be updated to include cybersecurity event 
notifications.
    The NRC is proposing to withdraw NUREG-1304, ``Reporting of 
Safeguards Events.'' NUREG-1304, Revision 0, was temporarily withdrawn 
following publication of the NRC's final rule on ``Enhanced Weapons, 
Firearms Background Checks, and Security Event Notifications'' (88 FR 
15864; March 14, 2023). At that time, the NRC indicated its intent to 
conduct a public workshop after implementation of the new regulations 
in Sec. Sec.  73.1200, 73.1205, and 73.1210, and to issue the workshop 
results as NUREG-1304, Revision 1. In light of the proposed regulatory 
changes in this rulemaking and the accompanying proposed updates to the 
associated guidance, the NRC has determined that NUREG-1304 is no 
longer necessary and proposes to withdraw the NUREG.

XVI. Availability of Documents

    The documents identified in the following table are available to 
interested persons through one or more of the following methods, as 
indicated.

------------------------------------------------------------------------
                                               ADAMS accession No./web
                  Document                      link/Federal Register
                                                       citation
------------------------------------------------------------------------
                         Proposed Rule Documents
------------------------------------------------------------------------
Regulatory Analysis for the Proposed Rule--  ML26113A051.
 Modernizing Security Requirements, June
 2026.
Draft Environmental Assessment for the       ML26113A050.
 Proposed Rule--Modernizing Security
 Requirements, June 2026.
Backfitting and Issue Finality Assessment    ML26113A052.
 for the Proposed Rule--Modernizing
 Security Requirements, June 2026.
Combined OMB Supporting Statement for        ML25309A008.
 Information Collections Contained in
 Modernizing Security Requirements Proposed
 Rule, June 2026.
OMB Clearance Burden Tables for Modernizing  ML26113A021.
 Security Requirements Proposed Rule.
Unofficial Redline Rule Language for the     ML25267A040.
 Proposed Rule--Modernizing Security
 Requirements, June 2026.
------------------------------------------------------------------------
                   Draft Regulatory Guidance Documents
------------------------------------------------------------------------
DG-5069, ``Fitness-For-Duty Programs at New  ML21159A141.
 Reactor Construction Sites,'' Revision 1
 to RG 5.84, June 2026.
DG-5085, ``Cybersecurity Programs for        ML24051A205.
 Nuclear Power Reactors,'' Revision 2 to RG
 5.71, June 2026.
DG-5088, ``Physical Protection of Special    ML25233A199.
 Nuclear Material of Moderate or Low
 Strategic Significance,'' Revision 2 to RG
 5.59, June 2026.
DG-5089, ``Security Event Notifications,     ML25233A197.
 Reports, and Records,'' Revision 4 to RG
 5.62, June 2026.
DG-5090, ``Access Authorization Program for  ML21145A433.
 Nuclear Power Plants,'' Revision 3 to RG
 5.66, June 2026.

[[Page 38954]]

 
DG-5093, ``Training and Qualification of     ML25233A188.
 Security Personnel at Nuclear Power
 Reactor Facilities,'' Revision 2 to RG
 5.75, June 2026.
DG-5095, ``Insider Mitigation Program,''     ML25233A187.
 Revision 2 to RG 5.77, June 2026.
DG-5097, ``Preemption Authority, Enhanced    ML25234A200.
 Weapons Authority, and Firearms Background
 Checks,'' Revision 2 to RG 5.86, June 2026.
DG-5098, ``Suspicious Activity Reports       ML25233A184.
 Under 10 CFR Part 73,'' Revision 2 to RG
 5.87, June 2026.
DG-5099, ``Fatigue Management for Nuclear    ML25233A183.
 Power Plant Personnel,'' Revision 1 to RG
 5.73, June 2026.
DG-5102, ``Protection of Safeguards          ML25234A198.
 Information,'' Revision 1 to RG 5.79, June
 2026.
DG-5103, ``Establishing Risk-Informed and    ML25307A090.
 Technology-Inclusive Cybersecurity
 Programs for Commercial Nuclear Plants,''
 Revision 1 to RG 5.96, June 2026.
DG-5104, ``Access Authorization Program for  ML25318A144.
 Commercial Nuclear Plants,'' Revision 1 to
 RG 5.95, June 2026.
------------------------------------------------------------------------
                            Other References
------------------------------------------------------------------------
Executive Order 12866, ``Regulatory          58 FR 51735.
 Planning and Review,'' October 4, 1993.
Executive Order 14154, ``Unleashing          90 FR 8353.
 American Energy,'' January 29, 2025.
Executive Order 14156, ``Declaring a         90 FR 8433.
 National Energy Emergency,'' January 29,
 2025.
Executive Order 14192, ``Unleashing          90 FR 9065.
 Prosperity Through Deregulation,''
 February 6, 2025.
Executive Order 14215, ``Ensuring            90 FR 10447.
 Accountability for All Agencies,''
 February 24, 2025.
Executive Order 14267, ``Reducing Anti-      90 FR 15629.
 Competitive Regulatory Barriers,'' April
 15, 2025.
Executive Order 14270, ``Zero-Based          90 FR 15643.
 Regulatory Budgeting to Unleash American
 Energy,'' April 15, 2025.
Executive Order 14300, ``Ordering the        90 FR 22587.
 Reform of the Nuclear Regulatory
 Commission,'' May 29, 2025.
Federal Register Notice--Final Rule, ``Risk- 91 FR 15696.
 Informed, Technology-Inclusive Regulatory
 Framework for Advanced Reactors,'' March
 30, 2026.
Federal Register Notice--Direct Final Rule,  90 FR 55621.
 ``The Sunset Rule,'' December 3, 2025.
Federal Register Notice--``Mandatory         88 FR 70768.
 Guidelines for Federal Workplace Drug
 Testing Programs,'' October 12, 2023.
Federal Register Notice--``Mandatory         88 FR 70814.
 Guidelines for Federal Workplace Drug
 Testing Programs,'' October 12, 2023.
Federal Register Notice--Final Rule,         88 FR 27596.
 ``Procedures for Transportation Workplace
 Drug and Alcohol Testing Programs:
 Addition of Oral Fluid Specimen Testing
 for Drugs,'' May 2, 2023.
Federal Register Notice--Final Rule,         88 FR 15864.
 ``Enhanced Weapons, Firearms Background
 Checks, and Security Event
 Notifications,'' March 14, 2023.
Federal Register Notice--Final Rule,         87 FR 71422.
 ``Fitness for Duty Drug Testing
 Requirements,'' November 22, 2022.
Federal Register Notice--Proposed Rule,      87 FR 12254.
 ``Regulatory Improvements for Production
 and Utilization Facilities Transitioning
 to Decommissioning,'' March 3, 2022.
Federal Register Notice--Exemption,          86 FR 73809.
 ``Southern Nuclear Operating Company Inc;
 Vogtle Electric Generating Plant Units 3
 and 4,'' December 28, 2021.
Federal Register Notice--Exemption,          86 FR 67734.
 ``Southern Nuclear Operating Company Inc;
 Vogtle Electric Generating Plant Units 3
 and 4,'' November 29, 2021.
Federal Register Notice--Exemption,          84 FR 27364.
 ``Southern Nuclear Operating Company Inc;
 Vogtle Electric Generating Plant Units 3
 and 4,'' June 12, 2019.
Federal Register Notice--Final Rule,         82 FR 52229.
 ``Procedures for Transportation Workplace
 Drug and Alcohol Testing Programs:
 Addition of Certain Schedule II Drugs to
 the Department of Transportation's Drug-
 Testing Panel and Certain Minor
 Amendments,'' November 13, 2017.
Federal Register Notice--Final Rule,         73 FR 16966.
 ``Fitness for Duty Programs,'' March 31,
 2008.
Medical Review Officer Guidance Manual for   https://www.samhsa.gov/
 Federal Workplace Drug Testing Programs      sites/default/files/mro-
 (Effective February 1, 2024).                guidance-manual-2024.pdf.
NEI 08-09, Revision 7, ``Cyber Security      ML25107A191.
 Plan for Nuclear Power Reactors,'' April
 2025.
NRC Form 366 (Draft), ``Licensee Event       ML26020A117.
 Report (LER)''.
NRC Form 890, ``Single Positive Test Form''  ML25044A086.
NRC Form 891, ``Annual Reporting Form for    ML26016A656.
 Drug and Alcohol Tests''.
NRC Form 891 (Draft), ``Annual Reporting     ML26020A116.
 Form for Drug and Alcohol Tests''.
NRC Letter, ``Quad Cities Nuclear Power      ML20099A499.
 Station, Units 1 and 2--Exemption from
 Select Requirements of 10 CFR Part 26
 (EPID L-2020-LLE-0018 [COVID-19]),'' April
 8, 2020.
NRC Memorandum, ``Summary of July 31, 2025,  ML25351A137.
 Meeting with External Stakeholders
 Discussing Perspectives on Recent Security
 Event Notifications,'' December 18, 2025.
NUREG-2203, ``Glossary of Security Terms     ML17047A669.
 for Nuclear Power Reactors,'' February
 2017.
Petition for Rulemaking PRM 26-4 submitted   ML102030370, ML102000432,
 by California Association of Marriage and    and ML102250058.
 Family Therapists, March 24, 2010, as
 supplemented by letters dated July 12,
 2010, and July 26, 2010.
Petition for Rulemaking PRM 26-7 submitted   ML11256A020.
 by Cheri Swensson on behalf of The
 American Academy of Health Care Providers
 in the Addictive Disorders, regarding
 Section 26.187(b)5--Certification of
 Substance Abuse Expert, May 5, 2011.
Petition for Rulemaking PRM 26-8 submitted   ML12332A137.
 by Thomas L. King regarding the Fitness
 for Duty Program, September 20, 2012.

[[Page 38955]]

 
RG 5.62, Revision 3, ``Physical Security     ML23299A176.
 Event Notifications, Reports, and
 Records,'' September 2024.
RG 5.86, Revision 1, ``Preemption            ML23299A173.
 Authority, Enhanced Weapons Authority, and
 Firearms Background Checks,'' April 2024.
RG 5.87, Revision 1, ``Suspicious Activity   ML23299A172.
 Reports Under 10 CFR Part 73,'' May 2024.
SECY-24-0011, ``Final Rule: Regulatory       ML23258A200.
 Improvements for Production and
 Utilization Facilities Transitioning to
 Decommissioning (3150-AJ59; NRC-2015-
 0070),'' January 31, 2024.
SRM-SECY-16-0073, ``Staff Requirements--     ML16279A345.
 SECY-16-0073--Options and Recommendations
 for the Force-on-Force Inspection Program
 in Response to SRM-SECY-14-0088,'' October
 5, 2016.
SRM-SECY-22-0052, ``Staff Requirements--     ML24326A003.
 SECY-22-0052--Proposed Rule: Alignment of
 Licensing Processes and Lessons Learned
 from New Reactor Licensing (RIN 3150-
 AI66),'' November 20, 2024.
------------------------------------------------------------------------

    The NRC may post materials related to this document, including 
public comments, on the Federal rulemaking website at https://www.regulations.gov under Docket ID NRC-2025-1303. In addition, the 
Federal rulemaking website allows members of the public to receive 
alerts when changes or additions occur in a docket folder. To 
subscribe: (1) navigate to the docket folder (NRC-2025-1303); (2) click 
the ``Subscribe'' button; and (3) enter an email address and click on 
the ``Subscribe'' button.

List of Subjects

10 CFR Part 26

    Administrative practice and procedure, Alcohol abuse, Alcohol 
testing, Appeals, Drug abuse, Drug testing, Employee assistance 
programs, Fitness for duty, Management actions, Nuclear power plants 
and reactors, Privacy, Protection of information, Radiation protection, 
Reporting and recordkeeping requirements.

10 CFR Part 50

    Administrative practice and procedure, Antitrust, Backfitting, 
Classified information, Criminal penalties, Education, Emergency 
planning, Fire prevention, Fire protection, Intergovernmental 
relations, Nuclear power plants and reactors, Penalties, Radiation 
protection, Reactor siting criteria, Reporting and recordkeeping 
requirements, Whistleblowing.

10 CFR Part 52

    Administrative practice and procedure, Antitrust, Combined license, 
Early site permit, Emergency planning, Fees, Inspection, Issue 
finality, Limited work authorization, Manufacturing license, Nuclear 
power plants and reactors, Probabilistic risk assessment, Prototype, 
Reactor siting criteria, Redress of site, Penalties, Reporting and 
recordkeeping requirements, Standard design, Standard design 
certification.

10 CFR Part 72

    Administrative practice and procedure, Hazardous waste, Indians, 
Intergovernmental relations, Nuclear energy, Penalties, Radiation 
protection, Reporting and recordkeeping requirements, Security 
measures, Spent fuel, Whistleblowing.

10 CFR Part 73

    Criminal penalties, Exports, Hazardous materials transportation, 
Imports, Incorporation by reference, Nuclear energy, Nuclear materials, 
Nuclear power plants and reactors, Penalties, Reporting and 
recordkeeping requirements, Security measures.

10 CFR Part 95

    Classified information, Criminal penalties, Penalties, Reporting 
and recordkeeping requirements, Security measures.

    For the reasons set out in the preamble and under the authority of 
the Atomic Energy Act of 1954, as amended; the Energy Reorganization 
Act of 1974, as amended; and 5 U.S.C. 552 and 553, the NRC is proposing 
to amend 10 CFR parts 26, 50, 52, 72, 73, and 95 as follows:

PART 26--FITNESS FOR DUTY PROGRAMS

1. The authority citation for part 26 continues to read as follows:

    Authority: Atomic Energy Act of 1954, secs. 53, 103, 104, 107, 
161, 223, 234, 1701 (42 U.S.C. 2073, 2133, 2134, 2137, 2201, 2273, 
2282, 2297f); Energy Reorganization Act of 1974, secs. 201, 202 (42 
U.S.C. 5841, 5842); 44 U.S.C. 3504 note.

2. In Sec.  26.3, revise paragraphs (a) through (b) and the 
introductory text to (c) to read as follows:


Sec.  26.3  Scope.

    (a) Licensees who are authorized to operate a nuclear power reactor 
under 10 CFR 50.57, and holders of a combined license under 10 CFR part 
52 after the Commission has made the finding under 10 CFR 52.103(g) 
shall comply with the requirements of this part, except for subparts K 
and M of this part, and implement the FFD program before the initial 
fuel load into the reactor.
    (b) Licensees who are authorized to possess, use, or transport 
formula quantities of strategic special nuclear material (SSNM) under 
part 70 of this chapter, and any corporation, firm, partnership, 
limited liability company, association, or other organization who 
obtains a certificate of compliance or an approved compliance plan 
under part 76 of this chapter, only if the entity elects to engage in 
activities involving formula quantities of SSNM, shall comply with the 
requirements of this part, except for subparts I, K, and M of this 
part.
    (c) Before the initial fuel load into the reactor, the following 
licensees and other entities shall comply with the requirements of this 
part, except for subparts I and M of this part; and, no later than 
initial fuel load into the reactor, the following licensees and other 
entities shall comply with the requirements of this part, except 
subpart M of this part:
* * * * *
3. In Sec.  26.4:
a. Revise paragraphs (e)(1), (5), and (6)(iv) and (vii);
b. Add paragraph (e)(7);
c. Revise paragraph (f);
    The revisions and addition read as follows:


Sec.  26.4  FFD program applicability to categories of individuals.

* * * * *
    (e) * * *
    (1) Serves as security personnel required by the NRC before the 
initial fuel load into the reactor, at which time individuals who serve 
as security personnel required by the NRC must meet the requirements 
applicable to

[[Page 38956]]

security personnel in paragraph (a)(5) of this section;
* * * * *
    (5) Supervises or manages the construction of safety- or security-
related SSCs;
    (6) * * *
    (iv) Conducting background investigations or psychological 
assessments used by the licensee or other entity to make access 
authorization determinations, except that he or she shall be subject to 
behavioral observation only when he or she is present at the location 
where the nuclear power plant will be constructed and operated, and 
licensees and other entities may rely on a local hospital or other 
organization that meets the requirements of 49 CFR part 40 to collect 
his or her specimens for drug and alcohol testing;
* * * * *
    (vii) Performing any of the activities or having any of the duties 
listed in paragraph (e)(6) of this section for any C/V upon whom the 
licensee's or other entity's access authorization program will rely; or
    (7) Escorts an individual or small group of individuals, as 
determined by the licensee or other entity.
    (f) Any individual who is constructing or directing the 
construction of safety- or security-related SSCs shall be subject to an 
FFD program that meets the requirements of subpart K, or, if 
applicable, subpart M of this part, unless the licensee or other entity 
subjects the individuals to an FFD program that meets all of the 
requirements of this part, except for subparts I, K, and M of this 
part, or if the individual is escorted.
* * * * *
4. In Sec.  26.5:
a. Revise the definitions of ``Analytical run'', ``Cancelled test'', 
``Cutoff level'', and ``Directing'';
b. Add the definition for ``Escort'';
c. Remove the definition of ``Licensee testing facility'';
d. Remove the definition of ``Questionable validity'';
e. Revise the definitions of ``Positive result'', and ``Rejected for 
testing'';
f. Add the definition for ``Sequestration event''; and
g. Remove the definitions of ``Validity screening test'', and 
``Validity screening test lot''.
    The revisions and additions read as follows:


Sec.  26.5  Definitions.

* * * * *
    Analytical run means the process of testing a group of urine 
specimens for validity or for the presence of drugs and/or drug 
metabolites. For the purposes of defining the periods within which 
performance testing must be conducted by any HHS-certified laboratory 
that continuously processes specimens, an analytical run is defined as 
no more than an 8-hour period. For a facility that analyzes specimens 
in batches, an analytical run is defined as a group of specimens that 
are handled and tested together.
* * * * *
    Cancelled test means the test result reported by the MRO to the 
licensee or other entity when a specimen has been reported to the MRO 
by the HHS-certified laboratory as an invalid result (for which the 
donor has no legitimate explanation), a specimen has been rejected for 
testing by the HHS-certified laboratory, or the retesting of a single 
specimen or the testing of Bottle B of a split specimen fails to 
reconfirm the original test result. For alcohol testing only, cancelled 
test means a test result that was not acceptable because testing did 
not meet the quality assurance and quality control requirements in 
Sec.  26.91.
* * * * *
    Cutoff level means the concentration or decision criteria 
established for designating and reporting a test result as positive, 
adulterated, substituted, dilute, or invalid (referring to initial or 
confirmatory test results from an HHS-certified laboratory).
* * * * *
    Directing means the exercise of control over a work activity by an 
individual who is directly involved in the execution of the work 
activity, and either makes technical decisions for that activity 
without subsequent technical review or is ultimately responsible for 
the correct performance of that work activity.
* * * * *
    Escort means a person who is designated by the licensee or other 
entity to be responsible for directly observing an individual who has 
been assigned to perform duties and responsibilities or maintain the 
type of access described in Sec.  26.4(f) but is not subject to the 
requirements in this part.
* * * * *
    Positive result means, for drug testing, the result reported by an 
HHS-certified laboratory when a specimen contains a drug or drug 
metabolite equal to or greater than the cutoff concentration. A result 
reported by an HHS-certified laboratory that a specimen contains a drug 
or drug metabolite below the cutoff concentration is also a positive 
result when the laboratory has conducted the special analysis permitted 
in Sec.  26.163(a)(2). For alcohol testing, a positive result means the 
result reported by a collection site when the BAC indicated by testing 
a specimen is equal to or greater than the cutoff concentrations 
established in this part.
* * * * *
    Rejected for testing means the result reported to the MRO by an 
HHS-certified laboratory when no tests can be performed on a specimen.
* * * * *
    Sequestration event means a situation in which personnel remain on-
site at a nuclear power reactor due to unavoidable external conditions 
that pose a risk to the safe, secure, and continuous operation of the 
facility.
* * * * *


Sec.  26.8  [Amended]

5. In Sec.  26.8(b), remove the references ``26.125, 26.127, 26.129, 
26.135, 26.137, 26.139,''.
6. In Sec.  26.27, revise paragraph (c)(4), and add new paragraph 
(c)(5) to read as follows:


Sec.  26.27  Written policy and procedures

* * * * *
    (c) * * *
    (4) Describe the process to be followed if an individual's behavior 
raises a concern regarding the possible use, sale, or possession of 
illegal drugs on or off site; the possible possession or consumption of 
alcohol on site; or impairment from any cause which in any way could 
adversely affect the individual's ability to safely and competently 
perform his or her duties. The procedure must require that individuals 
who have an FFD concern about another individual's behavior shall 
contact the personnel designated in the procedures to report the 
concern; and
    (5) For licensees and other entities that allow escorting of 
individuals performing activities described in 10 CFR 26.4(f), but do 
not implement an FFD program under subpart K or subpart M during 
construction, describe the process that the licensee or other entity 
will use for the processing, escorting, and control of individuals 
under escort and the duties and responsibilities of escorts.
7. In Sec.  26.29, revise the first sentence of paragraph (c)(2) to 
read as follows:


Sec.  26.29  Training.

* * * * *
    (c) * * *
    (2) Individuals shall complete refresher training on a nominal 24-
month frequency, or more frequently where the need is indicated. 
Indications of the need for more frequent training

[[Page 38957]]

include, but are not limited to, an individual's failure to properly 
implement FFD program procedures and the frequency, nature, or severity 
of problems discovered through audits or the administration of the 
program. * * *
* * * * *
8. In Sec.  26.31, revise paragraphs (b)(1)(v) and (d)(2)(vii), the 
introductory text to paragraph (d)(2)(i), and (d)(3)(i); remove 
paragraph (d)(3)(ii); revise and redesignate paragraph (d)(3)(iii) as 
paragraph (d)(3)(ii) to read as follows:


Sec.  26.31  Drug and alcohol testing.

* * * * *
    (b) * * *
    (1) * * *
    (v) FFD program personnel shall be subject to a behavioral 
observations program designed to assure that they continue to meet the 
highest standards of honesty and integrity. The MRO, MRO staff, and SAE 
shall be subject to behavioral observation when on site at a licensee's 
or other entity's facility.
* * * * *
    (d) * * *
    (2) * * *
    (i) Be administered in a manner that provides reasonable assurance 
that individuals are unable to predict the time periods during which 
specimens will be collected. At a minimum, the FFD program must--
* * * * *
    (vii) Ensure that the number of random tests performed annually 
meets the sampling requirements described in Sec.  26.31(d)(2)(vii)(A) 
and (B), or in Sec.  26.31(d)(2)(vii)(C) when applicable.
    (A) Random tests must be performed annually for at least 50 percent 
of the population of individuals subject to the FFD program that is 
comprised of all contractors/vendors and the following licensee 
employees: those who are licensed under 10 CFR part 55 to operate a 
power reactor, security personnel under Sec.  26.4(a)(5), FFD program 
personnel under Sec.  26.4(g), and supervisory personnel directing the 
operation or maintenance of safety- or security-related SSCs or 
directing the performance of security duties under Sec.  26.4(a)(5).
    (B) Random tests must be performed annually for at least 25 percent 
of the licensee employee population subject to the FFD program that is 
not covered by random testing performed under Sec.  
26.31(d)(2)(vii)(A).
    (C) If the number of individuals subject to random testing is such 
that Sec.  26.31(d)(2)(vii)(A) and (B) cannot be implemented without 
predictable outcomes, then the licensee or other entity must use a C/
TPA to manage the random testing pool and make selections for testing 
throughout the year. In such instances, the C/TPA must ensure that 
testing rates for the random testing pool from which they sample meet 
the requirements described in Sec.  26.31(d)(2)(vii)(A) and (B).
    (3) * * *
    (i) Testing of specimens collected under Sec.  26.83(b) must be 
performed in a laboratory that is certified by HHS for that purpose, 
consistent with its standards and procedures for certification. Urine 
specimens sent to HHS-certified laboratories must be subject to initial 
validity and initial drug testing by the laboratory. Oral fluid 
specimens sent to HHS-certified laboratories must be subject to initial 
drug testing by the laboratory. Specimens for initial validity or 
initial drug testing that yield positive, positive and dilute, 
adulterated, substituted, or invalid test results must be subject to 
confirmatory testing by the laboratory, except for invalid specimens 
that cannot be tested. Licensees and other entities shall ensure that 
laboratories report results for all specimens sent for testing, 
including blind performance test samples.
    (ii) At a minimum, licensees and other entities shall apply the 
cutoff levels specified in Sec.  26.163(a)(1) for initial drug testing 
and in Sec.  26.163(b)(1) for confirmatory drug testing at the HHS-
certified laboratory. At their discretion, licensees and other entities 
may implement programs with lower cutoff levels in testing for drugs 
and drug metabolites.
* * * * *
9. Revise Sec.  26.33 to read as follows:


Sec.  26.33  Behavioral observation.

    (a) Licensees and other entities shall ensure that the individuals 
who are subject to this subpart are subject to behavioral observation.
    (b) Behavioral observation must be performed by individuals who are 
trained under Sec.  26.29 to detect behaviors that may indicate 
possible use, sale, or possession of illegal drugs; use or possession 
of alcohol on site or while on duty; or impairment from fatigue or any 
cause that, if left unattended, may constitute a risk to public health 
and safety or the common defense and security.
    (c) Individuals who are subject to this subpart shall report any 
FFD concerns about other individuals to the personnel designated in the 
FFD policy.


Sec.  26.37  [Amended]

10. In Sec.  26.37(e), remove the phrase ``C/Vs providing specimen 
collection services, and licensee testing facility procedures, must'' 
and add in its place the phrase ``C/Vs providing specimen collection 
services must''.
11. In Sec.  26.41, revise and republish paragraphs (a), (c), and (g) 
to read as follows:


Sec.  26.41  Audits and corrective action.

    (a) General. Each licensee and other entity who is subject to this 
subpart is responsible for the continuing effectiveness of the FFD 
program, including FFD program elements that are provided by C/Vs, the 
FFD programs of any C/Vs that are accepted by the licensee or other 
entity, and any FFD program services that are provided to the C/V by a 
subcontractor. Each licensee and other entity shall ensure that these 
programs are audited and that corrective actions are taken to resolve 
any problems identified.
* * * * *
    (c) C/Vs.
    (1) FFD services that are provided to a licensee or other entity by 
C/V personnel who are off site or are not under the direct daily 
supervision or observation of the licensee's or other entity's 
personnel must be audited on a nominal 12-month frequency.
    (2) Licensees and other entities need not audit organizations and 
professionals who may provide an FFD program service to the licensee or 
other entity, but who are not routinely involved in providing services 
to a licensee's or other entity's FFD program, as specified in Sec.  
26.4(i)(1).
* * * * *
    (g) Sharing of audits. Licensees and other entities may jointly 
conduct audits, or may accept audits of C/Vs that were conducted by 
other licensees and entities who are subject to this subpart, if the 
audit addresses the services obtained from the C/V by each of the 
sharing licensees and other entities.
    (1) Licensees and other entities shall review audit records and 
reports to identify any areas that were not covered by the shared or 
accepted audit.
    (2) Licensees and other entities shall ensure that FFD program 
elements and services on which the licensee or entity relies are 
audited, if the program elements and services were not addressed in the 
shared audit.
    (3) Sharing licensees and other entities need not re-audit the same 
C/V for the same period of time.
    (4) Each sharing licensee and other entity shall maintain a copy of 
the shared audit, including findings, recommendations, and corrective 
actions.

[[Page 38958]]

12. In Sec.  26.75, revise paragraph (h) and remove and reserve 
paragraph (i) to read as follows:


Sec.  26.75  Sanctions.

* * * * *
    (h) A licensee or other entity may not terminate an individual's 
authorization and may not subject the individual to other 
administrative action based solely on a positive drug test result that 
has not been reviewed by the MRO under Sec.  26.185, unless other 
evidence, including information obtained under the process set forth in 
Sec.  26.189, indicates that the individual is impaired or might 
otherwise pose a safety hazard.
    (i) [Reserved]
13. In Sec.  26.83, revise paragraph (b) to read as follows:


Sec.  26.83  Specimens to be collected.

* * * * *
    (b) Collect only urine or oral fluid specimens for both initial and 
confirmatory tests for drugs.
    (1) For each condition for testing under Sec.  26.31(c), the 
licensee or other entity shall establish through its policy and 
procedures when a urine or oral fluid specimen is to be collected.
    (2) For each observed collection condition under Sec.  26.115(a), 
the licensee or other entity shall always collect and test the same 
specimen type.
14. In Sec.  26.109, revise paragraph (a) to read as follows:


Sec.  26.109  Urine specimen quantity.

* * * * *
    (a) Licensees and other entities who are subject to this subpart 
shall establish a predetermined quantity of urine that donors are 
requested to provide when submitting a specimen. At a minimum, the 
predetermined quantity must include 30 milliliters (mL) to ensure that 
a sufficient quantity of urine is available for initial and 
confirmatory validity and drug tests at an HHS-certified laboratory, 
and for retesting of an aliquot of the specimen if requested by the 
donor under Sec.  26.165(b). The licensee's or other entity's 
predetermined quantity may include more than 30 mL, if the testing 
program follows split specimen procedures or tests for additional 
drugs. Where collected specimens are to be split under the provisions 
of this subpart, the predetermined quantity must include an additional 
15 mL.
* * * * *
15. In Sec.  26.111, revise paragraph (d) to read as follows:


Sec.  26.111  Checking the acceptability of the urine specimen.

* * * * *
    (d) Any specimen of 15 mL or more that the collector suspects has 
been diluted, substituted, or adulterated, and any specimen of 15 mL or 
more that has been collected under direct observation under paragraph 
(c) of this section, must be sent to the HHS-certified laboratory for 
testing.
* * * * *
16. In Sec.  26.113, revise paragraph (c) to read as follows:


Sec.  26.113  Splitting the urine specimen.

* * * * *
    (c) Licensees and other entities may use aliquots of the specimen 
collected for initial validity and drug testing, as permitted under 
Sec.  26.31(d)(3)(ii), or to test for additional drugs, as permitted 
under Sec.  26.31(d)(1)(i)(A), but only if sufficient urine is 
available for this testing after the specimen has been split into 
Bottle A and Bottle B.
17. In Sec.  26.117, revise paragraphs (f), (g), (h), (i) and (j) to 
read as follows:


Sec.  26.117  Preparing drug testing specimens for storage and 
shipping.

* * * * *
    (f) The specimens and Federal CCFs must be packaged for transfer to 
the HHS-certified laboratory. If the specimens are not immediately 
prepared for transfer, they must be appropriately safeguarded during 
temporary storage.
    (g) While any part of the chain of custody procedures is being 
performed, the specimens and custody documents must be under the 
control of the involved collector, except as provided in Sec.  
26.109(b)(1)(ii) for the Federal CCF. The collector may not leave the 
collection site during the interval between presentation of the 
specimen by the donor and securing of the specimens with identifying 
labels bearing the donor's specimen identification numbers and seals 
initialed by the donor. If the involved collector momentarily leaves 
his or her workstation, the sealed specimens and Federal CCFs must be 
secured or taken with him or her. If the collector is leaving for an 
extended period of time, the specimens must be packaged for transfer to 
the HHS-certified laboratory and secured before the collector leaves 
the collection site.
    (h) The specimen(s) sealed in a shipping container must be 
immediately transferred, appropriately safeguarded during temporary 
storage, or kept under the personal control of an authorized individual 
until transferred. These minimum procedures apply to the shipping of 
specimens to HHS-certified laboratories. As an option, licensees and 
other entities may ship several specimens by courier in a locked or 
sealed shipping container.
    (i) Collection site personnel shall ensure that a Federal CCF is 
packaged with its associated specimen bottle. The sealed and labeled 
specimen bottles, with their associated Federal CCFs that are being 
transferred from the collection site to the HHS-certified laboratory, 
must be placed in a second, tamper-evident shipping container. The 
second container must be designed to minimize the possibility of damage 
to the specimen during shipment (e.g., specimen boxes, shipping bags, 
padded mailers, or bulk insulated shipping containers with that 
capability), so that the contents of the shipping containers are no 
longer accessible without breaking a tamper-evident seal.
    (j) Collection site personnel shall arrange to transfer the 
collected specimens to the HHS-certified laboratory. Licensees and 
other entities shall take appropriate and prudent actions to minimize 
false negative results from specimen degradation. Urine specimens that 
have not shipped to the HHS-certified laboratory within 24 hours of 
collection and any urine specimen that is suspected of having been 
substituted, adulterated, or tampered with in any way must be 
maintained cooled to not more than 6 °C (42.8 °F) until they 
are shipped to the HHS-certified laboratory. Oral fluid specimens shall 
be stored under the conditions specified by the oral fluid specimen 
collection device manufacturer. Specimens must be shipped from the 
collection site to the HHS-certified laboratory as soon as reasonably 
practical but, except under unusual circumstances, the time between 
specimen shipment and receipt of the specimen at the HHS-certified 
laboratory should not exceed 2 business days.
* * * * *


Sec.  26.119  [Amended]

18. In Sec.  26.119(a), remove the phrase ``within 5 business days'' 
and add in its place the phrase ``within 5 business days (can be 
extended to 10 business days if a justification acceptable to the MRO 
is provided by the donor and documented by the MRO)''.

Subpart F [Reserved]

19. Remove and reserve subpart F.
20. In Sec.  26.153, revise paragraph (f)(2) to read as follows:


Sec.  26.153  Using certified laboratories for testing specimens.

* * * * *
    (f) * * *

[[Page 38959]]

    (2) The laboratory shall make available qualified personnel to 
testify in an administrative or disciplinary proceeding against an 
individual when that proceeding is based on test results reported by 
the HHS-certified laboratory;
* * * * *


Sec.  26.159  [Amended]

21. In Sec.  26.159(b)(1)(ii), remove the last sentence.
22. In Sec.  26.165, revise paragraphs (a), (b)(5), and (f)(2) to read 
as follows:


Sec.  26.165  Testing split specimens and retesting single specimens.

    (a) Testing split specimens.
    (1) If a specimen has been split into Bottle A and Bottle B at the 
collection site, the HHS-certified laboratory shall perform initial and 
confirmatory validity and drug testing, if required, on the specimen in 
Bottle A.
    (2) If the specimen in Bottle A is free of any evidence of drugs or 
drug metabolites, and is a valid specimen, then the HHS-certified 
laboratory may discard the specimens in Bottles A and B.
    (b) * * *
    (5) As soon as reasonably practical and not more than 1 business 
day following the day of the donor's request, as permitted in paragraph 
(b)(3) or (b)(4) of this section, the MRO shall ensure that the HHS-
certified laboratory forwards an aliquot of a single specimen or Bottle 
B of a split specimen (as appropriate), to a second HHS-certified 
laboratory that did not test the specimen in Bottle A.
* * * * *
    (f) * * *
    (2) If a donor requests that Bottle B be tested or that an aliquot 
of the single specimen be retested, and either Bottle B or the single 
specimen are not available due to circumstances outside of the donor's 
control (including, but not limited to, circumstances in which there is 
an insufficient quantity of the single specimen or the specimen in 
Bottle B to permit retesting, either Bottle B or the original single 
specimen is lost in transit to the second HHS-certified laboratory, or 
Bottle B has been lost at the HHS-certified laboratory), the MRO shall 
cancel the test, report a cancelled test result to the licensee or 
other entity for the donor's specimen, and inform the licensee or other 
entity that another collection is required under direct observation as 
soon as reasonably practical. The donor shall receive no notice of the 
collection requirement before he or she is instructed to proceed to the 
collection site. The licensee or other entity shall continue to 
administratively withdraw the individual's authorization, as required 
by Sec.  26.165(f)(1) until the results of the second specimen 
collection have been received by the MRO. The licensee or other entity 
shall eliminate from the donor's personnel and other records any matter 
that could link the donor to the original positive, adulterated, or 
substituted test result(s) and any temporary administrative action, and 
may not impose any sanctions on the donor for a cancelled test. If test 
results from the second specimen collected are positive, adulterated, 
or substituted and the MRO determines that the donor has violated the 
FFD policy, the licensee or other entity shall impose the appropriate 
sanctions specified in subpart D of this part, but may not consider the 
original confirmed positive, adulterated, or substituted test result 
that was reported as a cancelled test by the MRO under Sec.  
26.159(b)(2) in determining the appropriate sanctions.
23. In Sec.  26.167, revise paragraph (d)(1) to read as follows:


Sec.  26.167  Quality assurance and quality control.

* * * * *
    (d) * * *
    (1) Any initial drug test performed by an HHS-certified laboratory 
must use an immunoassay or an alternate technology that is permitted 
for use in Federal workplace drug testing programs for this purpose.
* * * * *
24. In Sec.  26.168, revise paragraphs (a) through (d), (f), and (i)(1) 
through (3) to read as follows:


Sec.  26.168  Blind performance testing.

    (a) Each licensee and other entity shall submit blind performance 
test samples to each HHS-certified laboratory under contract to perform 
specimen testing.
    (1) A licensee or other entity may submit blind performance test 
samples for each site (e.g., a location with one or more nuclear power 
reactors) or for its entire fleet (e.g., nuclear power reactors at 
multiple sites), as applicable.
    (2) In each calendar quarter, the number of blind performance test 
samples submitted must be a minimum of one percent of all specimens (up 
to a maximum of 100) or ten blind performance test samples, whichever 
is greater.
    (3) In each calendar quarter, licensees and other entities should 
attempt to submit blind performance test samples at a frequency that 
corresponds to the submission frequency for other specimens.
    (b) Approximately 60 percent of the blind performance test samples 
submitted to the HHS-certified laboratory must be positive for one or 
more drugs or drug metabolites per sample and submitted so that all of 
the drugs for which the FFD program is testing are included at least 
once each calendar quarter.
    (c) The positive blind performance test samples must be positive 
for only those drugs for which the FFD program is testing and 
formulated at concentrations established in paragraph (g)(2) of this 
section.
    (d) To challenge the HHS-certified laboratory's ability to limit 
false negatives, approximately 10 percent of the blind performance test 
samples submitted to the laboratory each quarter or at least one sample 
per quarter, whichever is greater, must be formulated at the 
concentrations established in paragraph (g)(3) of this section.
* * * * *
    (f) Approximately 10 percent of the blind performance test samples 
submitted to the HHS-certified laboratory each quarter or at least one 
sample per quarter, whichever is greater, must be negative, as 
specified in paragraph (g)(1) of this section.
* * * * *
    (i) * * *
    (1) The licensee or other entity shall submit blind performance 
test samples to the HHS-certified laboratory using the same channels 
(i.e., from the licensee's or other entity's collection site) through 
which donors' specimens are sent to the laboratory;
    (2) The collector shall use a Federal CCF, place fictional initials 
on the specimen bottles' labels/seals, and indicate for the MRO on the 
MRO's copy that the specimen is a blind performance test sample; and
    (3) The licensee or other entity shall ensure that all blind 
performance test samples include split samples, when the FFD program 
includes split specimen procedures.
25. In Sec.  26.169, revise paragraphs (h)(4) through (7) to read as 
follows:


Sec.  26.169  Reporting Results.

* * * * *
    (h) * * *
    (4) Number of specimens reported as adulterated;
    (5) Number of specimens reported as substituted;
    (6) Number of specimens reported as positive and dilute;
    (7) Number of specimens reported as invalid; and
* * * * *

[[Page 38960]]

26. In Sec.  26.183, revise paragraph (a), revise the introductory text 
to paragraph (b), and revise paragraphs (c), (d)(2)(ii), (iii), and 
(iv) to read as follows:


Sec.  26.183  Medical review officer.

    (a) Qualifications. The MRO shall be knowledgeable of this part and 
of the FFD policies of the licensees and other entities for whom the 
MRO provides services. The MRO shall be a physician holding either a 
Doctor of Medicine or Doctor of Osteopathy degree, or an equivalent 
foreign degree, and who is licensed to practice medicine by any State 
or Territory of the United States, the District of Columbia, or the 
Commonwealth of Puerto Rico. The MRO shall have passed an examination 
administered by a nationally-recognized MRO certification board or 
subspecialty board for medical practitioners in the field of medical 
review of Federally mandated drug tests.
    (b) Relationships. The MRO may be an employee of the licensee or 
other entity or a contractor. However, the MRO may not be an employee 
or agent of, or have any financial interest in, an HHS-certified 
laboratory for whom the MRO reviews drug test results. Additionally, 
the MRO may not derive any financial benefit by having the licensee or 
other entity use a specific drug testing laboratory and may not have 
any agreement with such parties that may be construed as a potential 
conflict of interest. Examples of relationships between laboratories 
and MROs that create conflicts of interest, or the appearance of such 
conflicts, include, but are not limited to--
* * * * *
    (c) Responsibilities. The primary role of the MRO is to review and 
interpret positive, positive and dilute, adulterated, substituted, and 
invalid results obtained through the licensee's or other entity's 
testing program and to identify any evidence of subversion of the 
testing process. The MRO is also responsible for identifying any issues 
associated with collecting and testing specimens, and for advising and 
assisting FFD program management in planning and overseeing the overall 
FFD program.
    (1) In carrying out these responsibilities, the MRO shall examine 
alternate medical explanations for any positive, positive and dilute, 
adulterated, substituted, or invalid test result. This action may 
include, but is not limited to, conducting a medical interview with the 
donor, reviewing the donor's medical history, or reviewing any other 
relevant biomedical factors. The MRO shall review all medical records 
that the donor may make available when a positive, positive and dilute, 
adulterated, substituted, or invalid test result could have resulted 
from responsible use of legally prescribed medication, a documented 
condition or disease state, or the demonstrated physiology of the 
donor.
    (2) The MRO may only consider the results of tests of specimens 
that are collected and processed under this part, including the results 
of testing split specimens, in making his or her determination, as long 
as those split specimens have been stored and tested under the 
procedures described in this part.
    (d) * * *
    (2) * * *
    (ii) The staff reviews of positive, positive and dilute, 
adulterated, substituted, and invalid test results must be limited to 
reviewing the Federal CCF to determine whether it contains any errors 
that may require corrective action and to ensure that it is consistent 
with the information on the MRO's copy. The staff may resolve errors in 
Federal CCFs that require corrective action(s), but shall forward the 
Federal CCFs to the MRO for review and approval of the resolution.
    (iii) The staff may not conduct interviews with donors to discuss 
positive, positive and dilute, adulterated, substituted, or invalid 
test results nor request medical information from a donor. Only the MRO 
may request and review medical information related to a positive, 
positive and dilute, adulterated, substituted, or invalid test result 
or other matter from a donor.
    (iv) Staff may not report nor discuss with any individuals other 
than the MRO and other MRO staff any positive, positive and dilute, 
adulterated, substituted, or invalid test results received from the 
HHS-certified laboratory before those results have been reviewed and 
confirmed by the MRO. Any MRO staff discussions of confirmed positive, 
adulterated, substituted, invalid, or dilute test results must be 
limited to discussions only with the licensee's or other entity's FFD 
program personnel and may not reveal quantitative test results or any 
personal medical information about the donor that the MRO may have 
obtained in the course of reviewing confirmatory test results from the 
HHS-certified laboratory.
27. In Sec.  26.185, revise paragraphs (b), (j)(3), and (m) to read as 
follows:


Sec.  26.185  Determining a fitness-for-duty policy violation.

* * * * *
    (b) Reporting of initial test results prohibited. Neither the MRO 
nor MRO staff may report positive, positive and dilute, adulterated, 
substituted, or invalid initial test results that are received from the 
HHS-certified laboratory to the licensee or other entity.
* * * * *
    (j) * * *
    (3) If the MRO determines that the donor has used another 
individual's prescription medication, the MRO shall report to the 
licensee that the donor has violated the FFD policy.
* * * * *
    (m) Result scientifically insufficient. Based on the review of 
inspection and audit reports, quality control data, multiple specimens, 
and other pertinent results, the MRO may determine that a positive, 
adulterated, substituted or invalid test result is scientifically 
insufficient for further action and may declare that a drug or validity 
test result is not an FFD policy violation, but that a negative test 
result was not obtained. In this situation, the MRO may request 
retesting of the original specimen before making this decision. The MRO 
is neither expected nor required to request such retesting, unless in 
the sole opinion of the MRO, such retesting is warranted. The MRO may 
request that the reanalysis be performed by the same laboratory, or 
that an aliquot of the original specimen be sent for reanalysis to 
another HHS-certified laboratory. The HHS-certified laboratory shall 
assist in this review process, as requested by the MRO, by making 
available the individual(s) responsible for day-to-day management of 
the HHS-certified laboratory, or other individuals who are forensic 
toxicologists or who have equivalent forensic experience in urine drug 
testing, to provide specific consultation as required by the MRO.
* * * * *
28. In Sec.  26.187, revise paragraph (b)(4); redesignate paragraph 
(b)(5) as paragraph (b)(6) and add new paragraph (b)(5); and revise the 
introductory text to paragraph (g)(1) to read as follows:


Sec.  26.187  Substance abuse expert.

* * * * *
    (b) * * *
    (4) A licensed or certified employee assistance professional;
    (5) A State-licensed or -certified marriage and family therapist; 
or
* * * * *
    (g) * * *
    (1) The SAE shall make determinations of fitness in at least the 
following three circumstances:
* * * * *
29. In Sec.  26.189, revise the introductory text to paragraph (c) to 
read as follows:

[[Page 38961]]

Sec.  26.189  Determination of fitness.

* * * * *
    (c) A determination of fitness that is conducted for cause (i.e., 
because of observed behavior or a physical condition) must be conducted 
through face-to-face interaction between the subject individual and the 
professional making the determination. An electronic means of 
communication (i.e., video teleconference technology) may be used as 
long as the communication method provides sufficient visual and aural 
clarity to complete the assessment. A determination of fitness that is 
performed by electronic means must be supported by someone who is 
present in-person with the individual being assessed only for for-cause 
drug and alcohol testing determinations under Sec.  26.31(c)(2) and 
fatigue assessments performed for cause under Sec.  26.211(a)(1). The 
supporting person must be trained in accordance with the requirements 
in Sec.  26.29.
* * * * *


Sec.  26.202  [Reserved].

30. In Sec.  26.202, remove and reserve paragraph (e).
31. In Sec.  26.203, revise paragraphs (d)(4) and (5), add paragraph 
(d)(6), remove paragraph (e), and redesignate paragraph (f) as 
paragraph (e).
    The revisions and additions read as follows:


Sec.  26.203  General provisions.

* * * * *
    (d) * * *
    (4) The documentation of work hour reviews that is required in 
Sec.  26.205(e)(3) and (e)(4);
    (5) The documentation of fatigue assessments that is required in 
Sec.  26.211(g); and
    (6) The documentation of utilization of the exception for 
sequestration events that is required in Sec.  26.207(e)(3), including 
the bases for utilization of the exception.
* * * * *
32. In Sec.  26.207, revise the last sentence in paragraph (a)(1)(ii), 
and add paragraph (e) to read as follows:


Sec.  26.207  Waivers and exceptions.

    (a) * * *
    (1) * * *
    (ii) * * * For licensees and other entities in Sec.  26.3(a), (c), 
(d), and (f), the assessment may be performed remotely using electronic 
communications. In such instances, the assessment must be supported by 
someone who is present in-person with the individual whose alertness 
may be impaired, and that supporting person must be trained under the 
requirements of either Sec. Sec.  26.29 and 26.203(c) or Sec. Sec.  
26.202(c) and 26.608.
* * * * *
    (e) Sequestration events. During a sequestration event as defined 
in Sec.  26.5, a licensee may follow the requirements in Sec.  
26.207(e)(1) through (4) as an alternative to the requirements of Sec.  
26.205(c) and (d). If a licensee chooses to utilize these alternative 
requirements during a sequestration event, then the licensee must 
follow the requirements in Sec.  26.207(e)(1) through (4) until the 
conclusion of the sequestration event.
    (1) During the sequestration event, the licensee shall implement 
alternative work hour controls and fatigue management measures that 
provide reasonable assurance that personnel sequestered on site will 
continue to meet the performance objectives of Sec.  26.23(e) for the 
duration of the sequestration event.
    (2) During the sequestration event, the licensee shall implement 
alternative work hour controls that, at a minimum, ensure:
    (i) Individuals shall not work more than 16 hours in any 24-hour 
period and not more than 86 hours in any 7-day period, excluding shift 
turnover time;
    (ii) A minimum 10-hour break is provided between successive work 
periods;
    (iii) 12-hour shifts are limited to no more than 14 consecutive 
days;
    (iv) A minimum of 6 days off is provided in any rolling 30-day 
period;
    (3) Licensees shall document the bases for invoking a sequestration 
event exception.
    (4) Licensees shall restore compliance with Sec.  26.205(c) and (d) 
as soon as practicable following the conclusion of a sequestration 
event, but no more than 60 days following the start of the event.
33. In Sec.  26.211, revise the last sentence in the introductory text 
to paragraph (b) to read as follows:


Sec.  26.211  Fatigue assessments.

* * * * *
    (b) * * * For licensees and other entities in Sec.  26.3(a), (c), 
(d), and (f), a fatigue assessment may be performed remotely using 
electronic communications. In such instances, the fatigue assessment 
must be supported by someone who is present in-person with the 
individual whose alertness may be impaired, and that supporting person 
must be trained in accordance with the requirements of either 
Sec. Sec.  26.29 and 26.203(c) or Sec. Sec.  26.202(c) and 26.608.
* * * * *
34. In Sec.  26.401, revise paragraph (b) to read as follows:


Sec.  26.401  General.

* * * * *
    (b) Licensees and other entities who intend to implement an FFD 
program under this subpart shall submit a description of the FFD 
program and its implementation as part of the license, permit, or 
limited work authorization application.
* * * * *
35. In Sec.  26.403, revise paragraph (a) and add paragraph (b)(4) to 
read as follows:


Sec.  26.403  Written policy and procedures.

    (a) Licensees and other entities who implement an FFD program under 
this subpart shall ensure that a clear, concise, written FFD policy 
statement is provided to individuals who are subject to the program or 
escorted. The policy statement must be written in sufficient detail to 
provide affected individuals with information on what is expected of 
them and what consequences may result from a lack of adherence to the 
policy.
    (b) * * *
    (4) The processing, escorting, and control of individuals under 
escort and the duties and responsibilities of escorts.
36. In Sec.  26.405:
a. Revise the introductory text to paragraph (c)(3);
b. In paragraph (d), remove the phrase ``urine are collected'' and add 
in its place the phrase ``those collected under Sec.  26.83(b)''; and
d. Revise paragraphs (f) and (g).
    The revisions and addition read as follows:


Sec.  26.405  Drug and alcohol testing.

* * * * *
    (c) * * *
    (3) Post-event. As soon as practical after an event involving a 
human error that was committed by an individual specified in Sec.  
26.4(f), where the human error may have caused or contributed to the 
event. The licensee or other entity shall test the individual(s) who 
committed the error(s), and need not test individuals who were affected 
by the event but whose actions likely did not cause or contribute to 
the event. The individual(s) who committed the human error(s) shall be 
tested if the event resulted in--
* * * * *
    (f) Testing of urine and oral fluid specimens for drugs and 
validity must be performed in a laboratory that is certified by HHS for 
that purpose, consistent with its standards and procedures for 
certification. Specimens for initial validity or initial drug testing 
that yield positive, adulterated, substituted, or invalid test results 
must

[[Page 38962]]

be subject to confirmatory testing by the HHS-certified laboratory, 
except for invalid specimens that cannot be tested. Testing of other 
specimens that yield positive initial drug test results must be subject 
to confirmatory testing by a laboratory that meets stringent quality 
control requirements that are comparable to those required for 
certification by the HHS.
    (g) Licensees and other entities shall provide for an MRO review of 
positive, positive and dilute, adulterated, substituted, and invalid 
confirmatory drug and validity test results to determine whether the 
donor has violated the FFD policy, before reporting the results to the 
individual designated by the licensee or other entity to perform the 
suitability and fitness evaluations required under Sec.  26.419.
37. Revise Sec.  26.419 to read as follows:


Sec.  26.419  Suitability and fitness evaluations.

    Licensees and other entities who implement FFD programs under this 
subpart shall develop, implement, and maintain procedures for 
evaluating whether to assign individuals to the duties specified in 
Sec.  26.4(f). These procedures must provide reasonable assurance that 
the individuals are fit to safely and competently perform their duties, 
and are trustworthy and reliable, as demonstrated by the avoidance of 
substance abuse.
38. In Sec.  26.606:
a. Revise paragraph (b)(6); and
b. Add paragraph (b)(7).
    The revision and addition read as follows:


Sec.  26.606  Written policy and procedures.

* * * * *
    (b) * * *
    (6) Measures to prevent subversion of drug and alcohol tests 
conducted onsite and offsite, and
    (7) For licensees and other entities that allow escorting of 
individuals performing activities described in 10 CFR 26.4(f), but do 
not implement an FFD program under subpart K (or a program that meets 
all the requirements of part 26, except subpart M and subpart K) during 
construction, describe the process that the licensee or other entity 
will use for the processing, escorting, and control of individuals 
under escort and the duties and responsibilities of escorts.
39. In Sec.  26.607, add a last sentence to paragraph (b)(2)(vi) and 
revise paragraphs (c)(4) and (5) to read as follows:


Sec.  26.607  Drug and alcohol testing.

* * * * *
    (b) * * *
    (2) * * *
    (vi) * * * In such instances, the consortium/third-party 
administrator must ensure that the testing rate for the random testing 
pool from which they sample meets the requirement in paragraph 
(b)(2)(v).
* * * * *
    (c) * * *
    (4) For all test conditions in paragraph (b) of this section and 
for MRO-directed tests under Sec.  26.185, drug testing must be 
performed at an HHS-certified laboratory for the specific biological 
specimen to be tested. Only HHS-certified laboratory test results from 
urine and oral fluid specimens may be used for the issuance of a 
sanction required under this part.
    (5) The licensee or other entity must establish and maintain a 
contract with an HHS-certified laboratory for each specimen to be 
tested. Each contract must stipulate the following:
    (i) The laboratory must permit representatives of the NRC and any 
licensee or other entity using the laboratory's services to inspect or 
audit the laboratory at any time, including unannounced inspections;
    (ii) Laboratory records and documents must be provided and/or able 
to be photocopied and removed from the premises to support the 
inspection or audit;
    (iii) The laboratory must comply with the applicable provisions of 
any State licensor requirements;
    (iv) The laboratory must make available qualified personnel to 
testify in an administrative or disciplinary proceeding against an 
individual when that proceeding is based on test results reported by 
the HHS-certified laboratory;
    (v) The laboratory shall maintain test records in confidence, 
consistent with the requirements of Sec.  26.37, and use them with the 
highest regard for individual privacy.
    (vi) Consistent with the principles established in section 503 of 
Public Law 100-71, any employee of a licensee or other entity who is 
the subject of a drug test (or his or her representative designated 
under Sec.  26.37(d)) must, on written request, have access to the 
laboratory's records related to his or her validity and drug test and 
any records related to the results of any relevant certification, 
review, or revocation-of-certification proceedings; and
    (vii) The laboratory may not enter into any relationship with the 
licensee's or other entity's MRO(s) that may be construed as a 
potential conflict of interest, including, but not limited to, the 
relationships described in Sec.  26.183(b), and may not derive any 
financial benefit by having a licensee or other entity use a specific 
MRO.
* * * * *
40. Revise Sec.  26.715 to read as follows:


Sec.  26.715  Recordkeeping requirements for collection sites and 
laboratories certified by the Department of Health and Human Services.

    (a) Collection sites providing services to licensees and other 
entities who are subject to this subpart and HHS-certified laboratories 
shall maintain and make available documentation of all aspects of the 
testing process for at least 2 years or until the completion of all 
legal proceedings related to a determination of an FFD violation, 
whichever is later. This 2-year period may be extended on written 
notification by the NRC or by any licensee or other entity for whom 
services are being provided.
    (b) Documentation that must be retained includes, but is not 
limited to, the following:
    (1) Personnel files, including training records, for all 
individuals who have been authorized to have access to specimens, but 
are no longer under contract to or employed by the collection site;
    (2) Chain of custody documents (other than forms recording 
specimens with negative test results and no FFD violations or 
anomalies, which may be destroyed after appropriate summary information 
has been recorded for program administration purposes);
    (3) Quality assurance and quality control records;
    (4) Superseded procedures;
    (5) All test data (including calibration curves and any 
calculations used in determining test results);
    (6) Test reports;
    (7) Records pertaining to performance testing;
    (8) Records pertaining to the investigation of testing errors or 
unsatisfactory performance discovered in quality control or blind 
performance testing, in the testing of actual specimens, or through the 
processing of appeals and MRO reviews, as well as any other errors or 
matters that could adversely reflect on the integrity of the testing 
process, investigation findings, and corrective actions taken, where 
applicable;
    (9) Performance records on certification inspections;
    (10) Records that summarize any test results that the MRO 
determined to be scientifically insufficient for further action;
    (11) Either printed or electronic copies of computer-generated 
data;

[[Page 38963]]

    (12) Records that document the dates, times of entry and exit, 
escorts, and purposes of entry of authorized visitors, maintenance 
personnel, and service personnel who have accessed secured areas of 
HHS-certified laboratories; and
    (13) Records of the inspection, maintenance, and calibration of 
EBTs.
41. In Sec.  26.717:
a. In paragraph (b)(2) remove the word ``dilute'';
b. Revise paragraphs (b)(7) and (8);
c. Remove paragraph (d); and
d. Redesignate paragraphs (e) through (g) as paragraphs (d) through 
(f).
    The revisions read as follows:


Sec.  26.717  Fitness-for-duty program performance data.

* * * * *
    (b) * * *
    (7) Number of subversion attempts by type; and
    (8) Summary of management actions.
* * * * *
42. In Sec.  26.719, revise the introductory text to paragraphs (b) and 
(b)(2), and revise paragraph (c) to read as follows:


Sec.  26.719  Reporting requirements.

* * * * *
    (b) Significant FFD policy violations or programmatic failures. The 
following significant FFD policy violations and programmatic failures 
must be reported to the NRC Headquarters Operations Center by telephone 
within 24 hours after the licensee or other entity discovers the 
violation:
* * * * *
    (2) Any acts by any person licensed under 10 CFR part 55 to operate 
a power reactor, as well as any acts by SSNM transporters, FFD program 
personnel, or any supervisory personnel directing the operation or 
maintenance of safety- or security-related SSCs or directing the 
performance of security duties under Sec.  26.4(a)(5) who are 
authorized under this part, if such acts--
* * * * *
    (c) Drug and alcohol testing errors.
    (1) Within 30 days of completing an investigation of any testing 
errors or unsatisfactory performance discovered in performance testing 
at an HHS-certified laboratory, in the testing of quality control or 
actual specimens, or through the processing of reviews under Sec.  
26.39 and MRO reviews under Sec.  26.185, as well as any other errors 
or matters that could adversely reflect on the integrity of the random 
selection or testing process, the licensee or other entity shall submit 
to the NRC a report of the incident and corrective actions taken or 
planned. If the error involves an HHS-certified laboratory, the NRC 
shall ensure that HHS is notified of the finding.
    (2) If a false positive or false negative error occurs on a blind 
performance test sample submitted to an HHS-certified laboratory, the 
licensee or other entity shall notify the NRC within 24 hours after 
discovery of the error.
* * * * *

PART 50--DOMESTIC LICENSING OF PRODUCTION AND UTILIZATION 
FACILITIES

43. The authority citation for part 50 continues to read as follows:

    Authority: Atomic Energy Act of 1954, secs. 11, 101, 102, 103, 
104, 105, 108, 122, 147, 149, 161, 181, 182, 183, 184, 185, 186, 
187, 189, 223, 234 (42 U.S.C. 2014, 2131, 2132, 2133, 2134, 2135, 
2138, 2152, 2167, 2169, 2201, 2231, 2232, 2233, 2234, 2235, 2236, 
2237, 2239, 2273, 2282); Energy Reorganization Act of 1974, secs. 
201, 202, 206, 211 (42 U.S.C. 5841, 5842, 5846, 5851); Nuclear Waste 
Policy Act of 1982, sec. 306 (42 U.S.C. 10226); National 
Environmental Policy Act of 1969 (42 U.S.C. 4332); 44 U.S.C. 3504 
note.

44. In Sec.  50.34, revise paragraphs (a)(3)(i) and (ii), (c)(2), 
(d)(2), (e), and (f)(2)(xxviii) to read as follows:


Sec.  50.34  Contents of applications; technical information.

    (a) * * *
    (3) * * *
    (i) The principal design criteria for the facility. Appendix A, 
General Design Criteria for Nuclear Power Plants, establishes minimum 
requirements for the principal design criteria for water-cooled nuclear 
power plants similar in design and location to plants for which 
construction permits have previously been issued by the Commission and 
provides guidance to applicants for construction permits in 
establishing principal design criteria for other types of nuclear power 
units. For each application for an operating license for a utilization 
facility submitted after [EFFECTIVE DATE], safety and security must be 
considered together in the design process such that, where possible, 
security issues are effectively resolved through design and engineered 
security features;
    (ii) The design bases and the relation of the design bases to the 
principal design criteria; and
* * * * *
    (c) * * *
    (2) Each applicant for an operating license for a utilization 
facility that will be subject to the requirements of Sec.  73.55 or 
Sec.  73.100 of this chapter must include a physical security plan, a 
training and qualification plan in accordance with the criteria set 
forth in appendix B to part 73 of this chapter or Sec.  73.100 of this 
chapter, and a cybersecurity plan in accordance with the criteria set 
forth in Sec.  73.54 or Sec.  73.110 of this chapter.
    (d) * * *
    (2) Each application for a license to operate a utilization 
facility that will be subject to Sec.  73.55 or Sec.  73.100 of this 
chapter must include a licensee safeguards contingency plan in 
accordance with the criteria set forth in section II of appendix C to 
part 73 of this chapter. The ``implementing procedures'' required in 
section II of appendix C to part 73 of this chapter do not have to be 
submitted to the Commission for approval.
* * * * *
    (e) Protection against unauthorized disclosure. Each applicant for 
an operating license for a production or utilization facility, who 
prepares a physical security plan, a safeguards contingency plan, a 
training and qualification plan, or a cybersecurity plan, shall protect 
the plans and other related Safeguards Information against unauthorized 
disclosure in accordance with the requirements of Sec.  73.21 of this 
chapter.
    (f) * * *
    (2) * * *
    (xxviii) Evaluate potential pathways for radioactivity and 
radiation that may lead to control room habitability problems under 
accident conditions resulting in an accident source term \6\ release 
and make necessary design provisions to preclude such problems. 
(III.D.3.4)
* * * * *

PART 52--LICENSES, CERTIFICATIONS, AND APPROVALS FOR NUCLEAR POWER 
PLANTS

45. The authority citation for part 52 is revised to read as follows:

    Authority: Atomic Energy Act of 1954, secs. 103, 104, 147, 149, 
161, 181, 182, 183, 185, 186, 189, 223, 234 (42 U.S.C. 2133, 2134, 
2167, 2169, 2201, 2231, 2232, 2233, 2235, 2236, 2239, 2273, 2282); 
Energy Reorganization Act of 1974, secs. 201, 202, 206, 211 (42 
U.S.C. 5841, 5842, 5846, 5851); 44 U.S.C. 3504 note.

46. In Sec.  52.79:
a. Revise paragraphs (a)(4)(i) and (ii) and (a)(36)(ii) through (v); 
and
b. In footnote 8, add the phrase ``or Sec.  73.100'' after the phrase 
``Sec.  75.55''.
    The revisions read as follows:


Sec.  52.79  Contents of applications; technical information in final 
safety analysis report.

    (a) * * *
    (4) * * *
    (i) The principal design criteria for the facility. Appendix A to 
part 50 of this

[[Page 38964]]

chapter, ``General Design Criteria for Nuclear Power Plants,'' 
establishes minimum requirements for the principal design criteria for 
water-cooled nuclear power plants similar in design and location to 
plants for which construction permits have previously been issued by 
the Commission and provides guidance to applicants in establishing 
principal design criteria for other types of nuclear power units. For 
each application for a combined license submitted after [EFFECTIVE 
DATE], safety and security must be considered together in the design 
process such that, where possible, security issues are effectively 
resolved through design and engineered security features;
    (ii) The design bases and the relation of the design bases to the 
principal design criteria; and
* * * * *
    (36) * * *
    (ii) A training and qualification plan in accordance with the 
criteria set forth in appendix B to 10 CFR part 73 or Sec.  73.100 of 
this chapter;
    (iii) A cybersecurity plan in accordance with the criteria set 
forth in Sec.  73.54 or Sec.  73.110 of this chapter;
    (iv) A description of the implementation of the safeguards 
contingency plan, training and qualification plan, and cybersecurity 
plan; and
    (v) Each applicant who prepares a physical security plan, a 
safeguards contingency plan, a training and qualification plan, or a 
cybersecurity plan, shall protect the plans and other related 
Safeguards Information against unauthorized disclosure in accordance 
with the requirements of Sec.  73.21 of this chapter.
* * * * *

PART 72--LICENSING REQUIREMENTS FOR THE INDEPENDENT STORAGE OF 
SPENT NUCLEAR FUEL, HIGH-LEVEL RADIOACTIVE WASTE, AND REACTOR-
RELATED GREATER THAN CLASS C WASTE

47. The authority citation for part 72 continues to read as follows:

    Authority: Atomic Energy Act of 1954, secs. 51, 53, 57, 62, 63, 
65, 69, 81, 161, 182, 183, 184, 186, 187, 189, 223, 234, 274 (42 
U.S.C. 2071, 2073, 2077, 2092, 2093, 2095, 2099, 2111, 2201, 2210e, 
2232, 2233, 2234, 2236, 2237, 2238, 2273, 2282, 2021); Energy 
Reorganization Act of 1974, secs. 201, 202, 206, 211 (42 U.S.C. 
5841, 5842, 5846, 5851); National Environmental Policy Act of 1969 
(42 U.S.C. 4332); Nuclear Waste Policy Act of 1982, secs. 117(a), 
132, 133, 134, 135, 137, 141, 145(g), 148, 218(a) (42 U.S.C. 
10137(a), 10152, 10153, 10154, 10155, 10157, 10161, 10165(g), 10168, 
10198(a)); 44 U.S.C. 3504 note.

48. In Sec.  72.13, add paragraph (e) to read as follows:


Sec.  72.13  Applicability

* * * * *
    (e) The following sections apply to activities associated with a 
general license, where the licensee has elected to provide for physical 
protection of the spent fuel in accordance with Sec.  72.212(b)(9)(iv): 
Sec.  72.1; Sec.  72.2(a)(1), (b), (c), and (e); Sec. Sec.  72.3 
through 72.6(c)(1); Sec. Sec.  72.7 through Sec.  72.13(a) and (e); 
Sec.  72.30(b), (c), (d), (e), and (f); Sec.  72.32(c) and (d); Sec.  
72.44(b) and (f); Sec.  72.48; Sec.  72.50(a); Sec.  72.52(a), (b), 
(d), and (e); Sec.  72.60; Sec.  72.62; Sec. Sec.  72.72 through 
72.80(f); Sec. Sec.  72.82 through 72.86; Sec. Sec.  72.104 through 
72.106; Sec. Sec.  72.122 through 72.126; Sec. Sec.  72.140 through 
72.176; Sec. Sec.  72.180 through 72.186; Sec.  72.190; Sec.  72.194; 
Sec. Sec.  72.210 through 72.220; and Sec.  72.240(a).


Sec.  72.32  [Amended]

49. In Sec.  72.32, in paragraphs (a)(8) and (b)(8), remove the phrase 
``NRC operations center'' and add in its place the phrase ``NRC 
Headquarters Operations Center''.


Sec.  72.44  [Amended]

50. In Sec.  72.44, in the last sentence of paragraph (e), remove the 
time period ``two months'' and add in its place the phrase ``12 
months''.


Sec.  72.186  [Amended]

51. In Sec.  72.186, in the second sentence of paragraph (b), remove 
the time period ``two months'' and add in its place the phrase ``12 
months''.

52. In Sec.  72.212, revise paragraph (b)(9) to read as follows:


Sec.  72.212  Conditions of general license issued under Sec.  72.210.

* * * * *
    (b) * * *
    (9) Protect the spent fuel against the design basis threat of 
radiological sabotage in accordance with the same provisions and 
requirements as are set forth in the licensee's physical security plan 
pursuant to Sec.  73.55 of this chapter with the following additional 
conditions and exceptions:
    (i) The physical security organization and program for the facility 
must be modified as necessary to assure that activities conducted under 
this general license do not decrease the effectiveness of the 
protection of vital equipment in accordance with Sec.  73.55 of this 
chapter;
    (ii) Storage of spent fuel must be within a protected area, in 
accordance with Sec.  73.55 of this chapter, but need not be within a 
separate vital area. Existing protected areas may be expanded for the 
purpose of storage of spent fuel in accordance with this general 
license;
    (iii) For the purpose of this general license, the licensee is 
exempt from requirements to interdict and neutralize threats in Sec.  
73.55 of this chapter;
    (iv)(A) When a separate protected area is established outside of an 
existing protected area for the purpose of storage of spent fuel, the 
licensee may, as an alternative to the requirements of Sec.  
72.212(b)(9)(i) and (b)(9)(ii), provide for the physical protection of 
the spent fuel under subpart H of this part and Sec.  73.51 of this 
chapter;
    (B) Upon NRC docketing of the certifications required under Sec.  
50.82(a)(1) of this chapter or Sec.  52.110(a) of this chapter or Sec.  
53.1070(a) of this chapter, and when all spent fuel has been placed in 
dry cask storage at the facility, the licensee may, as an alternative 
to the requirements of Sec.  72.212(b)(9)(i) and (b)(9)(ii), provide 
for physical protection of the spent fuel under subpart H of this part 
and Sec.  73.51 of this chapter;
    (C) A licensee who elects to provide physical protection under 
subpart H of this part and Sec.  73.51 of this chapter must submit 
their physical security plan to the NRC under Sec.  50.54(p) of this 
chapter; and
    (v) Each general licensee that receives and possesses power reactor 
spent fuel and other radioactive materials associated with spent fuel 
storage shall protect Safeguards Information against unauthorized 
disclosure in accordance with the requirements of Sec.  73.21 and the 
requirements of Sec.  73.22 or Sec.  73.23 of this chapter, as 
applicable.
* * * * *

PART 73--PHYSICAL PROTECTION OF PLANTS AND MATERIALS

53. The authority citation for part 73 continues to read as follows:

    Authority: Atomic Energy Act of 1954, secs. 53, 147, 149, 161, 
161A, 170D, 170E, 170H, 170I, 223, 229, 234, 1701 (42 U.S.C. 2073, 
2167, 2169, 2201, 2201a, 2210d, 2210e, 2210h, 2210i, 2273, 2278a, 
2282, 2297f); Energy Reorganization Act of 1974, secs. 201, 202 (42 
U.S.C. 5841, 5842); Nuclear Waste Policy Act of 1982, secs. 135, 141 
(42 U.S.C. 10155, 10161); 44 U.S.C. 3504 note.
    Section 73.37(b)(2) also issued under Sec. 301, Public Law 96-
295, 94 Stat. 789 (42 U.S.C. 5841 note).

54. In part 73, wherever it may appear, the term or phrase in the left 
column in the following table is removed and the term or phrase in the 
right column is added in its place.

[[Page 38965]]



------------------------------------------------------------------------
                 Remove                                Add
------------------------------------------------------------------------
cyber attacks..........................  cyberattacks.
cyber security.........................  cybersecurity.
Division of Physical and Cyber Security  Division of Physical and
 Policy.                                  Cybersecurity Policy.
NRC Operations Center..................  NRC Headquarters Operations
                                          Center.
------------------------------------------------------------------------

55. In Sec.  73.2:
a. Revise the definitions of ``Contraband'', ``DOE and Department of 
Energy'', ``Physical barrier'', and ``Security Storage Container''; and
b. Add, in alphabetical order, the definition for ``Target set'' to 
read as follows:


Sec.  73.2  Definitions.

* * * * *
    Contraband means unauthorized firearms, explosives, incendiary 
devices, or other items that may be carried or concealed by personnel, 
packages, materials, or vehicles and could be used to commit 
radiological sabotage.
* * * * *
    DOE and Department of Energy means the Department of Energy 
established by the Department of Energy Organization Act (Pub. L. 95-
91, 91 Stat. 565, 42 U.S.C. 7101 et seq.), to the extent that the 
Department, or its duly authorized representatives, exercises functions 
formerly vested in the U.S. Atomic Energy Commission, its Chairman, 
members, officers and components and transferred to the U.S. Energy 
Research and Development Administration and to the Administrator 
thereof pursuant to sections 104(b), (c) and (d) of the Energy 
Reorganization Act of 1974 (Pub. L. 93-438, 88 Stat. 1233 at 1237, 42 
U.S.C. 5814) and retransferred to the Secretary of Energy pursuant to 
section 301(a) of the Department of Energy Organization Act (Pub. L. 
95-91, 91 Stat. 565 at 577-578, 42 U.S.C. 7151).
* * * * *
    Physical barrier means:
    (1) Fencing composed of durable wire fabric, topped by barbed wire 
or similar material on brackets, with an overall height sufficient to 
achieve the purpose for which the barrier is intended, as determined by 
a site-specific analysis;
    (2) Building walls, ceilings and floors constructed of stone, 
brick, cinder block, concrete, steel or comparable materials (openings 
in which are secured by grates, doors, or covers of construction and 
fastening of sufficient strength such that the integrity of the wall is 
not lessened by any opening), or walls of similar construction, not 
part of a building, provided with a barbed or similar material topping 
as described in paragraph (1), and of a height as described in 
paragraph (1).
    (3) Any other physical obstruction constructed in a manner and of 
materials suitable for the purpose for which the obstruction is 
intended that is considered equivalent to paragraphs (1) and (2).
* * * * *
    Security Storage Container includes any of the following 
repositories: (1) For storage in a building located within a protected 
or controlled access area, a steel filing cabinet equipped with a steel 
locking bar and a three position, changeable combination, GSA approved 
padlock; (2) A security filing cabinet that bears a Test Certification 
Label on the side of the locking drawer, or interior plate, and is 
marked, General Services Administration Approved Security Container on 
the exterior of the top drawer or door; (3) A bank safe-deposit box; 
and (4) Other repositories which in the judgment of the NRC, would 
provide comparable physical protection.
* * * * *
    Target set means the minimum combination of equipment, operator 
actions, or structures, which, if all are prevented from performing 
their intended function or prevented from being accomplished, barring 
extraordinary actions by plant operations, would likely result in a 
release of radionuclides from any source that would exceed the dose 
reference values defined in Sec.  50.34(a)(1)(ii)(D)(1) and (2) of this 
chapter, Sec.  52.79(a)(1)(vi)(A) and (B) of this chapter, or Sec.  
53.210 of this chapter, as applicable.
* * * * *


Sec.  73.8  [Amended]

56. In Sec.  73.8, in paragraph (b), remove the reference ``73.58,''.

57. In Sec.  73.15:
a. In paragraphs (e)(6) and (r)(1) and (2), remove the phrase ``Sec.  
50.90, Sec.  70.34, or Sec.  72.56 of this chapter'' and add in its 
place the phrase ``Sec.  50.90, Sec.  53.1510, Sec.  70.34, or Sec.  
72.56 of this chapter''; and
b. Revise paragraphs (b)(2) and (s)(3) and the introductory text of 
paragraph (s)(4) to read as follows:


Sec.  73.15  Authorization for use of enhanced weapons and preemption 
of firearms laws.

* * * * *
    (b) * * *
    (2) With respect to the possession and use of firearms by all other 
NRC licensees, the Commission's requirements in effect before April 13, 
2023, remain applicable, except to the extent that those requirements 
are modified by an NRC order or regulations applicable to these 
licensees.
* * * * *
    (s) * * *
    (3) Licensees must have completed their transition from the 
confirmatory orders to the requirements of this rule by January 8, 
2024.
    (4) Effective January 8, 2024, the following orders were withdrawn:
* * * * *


Sec.  73.17  [Amended]

58. In Sec.  73.17:
a. In paragraph (b)(4)(ii), remove the word ``personal'' and add in its 
place the word ``personnel''; and
b. In paragraph (r), add a comma after the date ``April 13, 2023''.

59. In Sec.  73.20, revise paragraph (a) to read as follows:


Sec.  73.20  General performance objective and requirements.

    (a) In addition to any other requirements of this part, each 
licensee who is authorized to operate a spent fuel reprocessing plant 
pursuant to part 50 or part 70 of this chapter; possesses or uses 
formula quantities of strategic special nuclear material at any site or 
contiguous sites subject to control by the licensee; is authorized to 
transport or deliver to a carrier for transportation pursuant to part 
70 of this chapter formula quantities of strategic special nuclear 
material; takes delivery of formula quantities of strategic special 
nuclear material free on board (f.o.b.) the point at which it is 
delivered to a carrier for transportation; or imports or exports 
formula quantities of strategic special nuclear material, shall 
establish and maintain or make arrangements for a physical protection 
system which will have as its objective to provide reasonable assurance 
that activities involving special nuclear material are not inimical to 
the common defense and security, and do not constitute an unreasonable 
risk to the public health and safety. The physical protection system 
shall be designed to protect against the design basis threats of theft 
or diversion of strategic special nuclear

[[Page 38966]]

material and radiological sabotage as stated in Sec.  73.1(a).
* * * * *
60. In Sec.  73.22, revise paragraph (f)(3) and (g) to read as follows:


Sec.  73.22  Protection of Safeguards Information: Specific 
requirements.

* * * * *
    (f) * * *
    (3) Except under emergency or extraordinary conditions, Safeguards 
Information shall be transmitted outside an authorized place of use or 
storage only by encrypted means, provided that transmitters and 
receivers implement processes that will provide reasonable assurance 
that Safeguards Information is protected before and after the 
transmission or electronic mail through the internet. Digital voice 
communication of Safeguards Information shall utilize a commercially 
available encryption system that is compliant with an active, approved 
version of Federal Information Processing Standard (FIPS) 140. 
Documents containing Safeguards Information shall be processed on a 
self-contained secure computer system and only transferred to a 
networked system for transmission once it has been appropriately 
encrypted. The recipient shall only decrypt the Safeguards Information 
on a self-contained computer system. Symmetric keys or passwords for 
encrypted Safeguards Information shall be transmitted to the recipient 
by a means other than that used to transmit the encrypted data. 
Physical or cybersecurity events required to be reported pursuant to 
the reporting requirements in this part are considered to be 
extraordinary conditions.
    (g) Processing of Safeguards Information on electronic systems.
    (1) Safeguards Information may be stored, processed or produced on 
a stand-alone computer (or computer system) for processing of 
Safeguards Information. ``Stand-alone'' means a computer or computer 
system to which access is limited to individuals authorized access to 
Safeguards Information. A stand-alone computer or computer system shall 
not be physically or in any other way connected to a network accessible 
by users who are not authorized access to Safeguards Information.
    (i) Each computer not located within an approved and lockable 
security storage container that is used to process Safeguards 
Information must have a removable storage medium with a bootable 
operating system. The bootable operating system must be used to load 
and initialize the computer. The removable storage medium must also 
contain the software application programs. Data may be saved on either 
the removable storage medium that is used to boot the operating system, 
or on a different removable storage medium. The removable storage 
medium must be secured in a locked security storage container when not 
in use.
    (ii) A mobile device (such as a laptop computer) may also be used 
for the processing of Safeguards Information provided the device is 
secured in a locked security storage container when not in use. Other 
systems may be used if approved for security by the appropriate NRC 
office.
    (iii) Any electronic system that has been used for storage, 
processing or production of Safeguards Information must be free of 
recoverable Safeguards Information prior to being returned to 
nonexclusive use.
    (2) As an alternative to paragraph (g)(1) of this section, 
Safeguards Information may be stored, processed or produced on a 
computer or computer system and viewed through a network connection, 
provided that the computer or computer system used to store the 
Safeguards Information is stored in a security storage container and 
information security controls are implemented that ensure the 
Safeguards Information is accessible only by individuals authorized 
access to Safeguards Information.
    (i) Authorized users may access the Safeguards Information using a 
thin client, virtual desktop, or similar architecture that ensures the 
Safeguards Information cannot be intentionally or inadvertently 
transferred or stored on computers not authorized to store the 
information.
    (ii) Computers or servers used to implement this alternative shall 
be physically located within a security storage container.
    (iii) Computers or servers used to implement this alternative shall 
be protected by the cybersecurity controls described in an active and 
approved version of National Institute of Standards and Technology 
(NIST) Special Publication 800-171, Protecting Controlled Unclassified 
Information in Nonfederal Systems and Organizations.
    (iv) Persons implementing this alternative shall describe in 
processes, procedures, and other records how the security controls in 
NIST SP 800-171 are implemented.
* * * * *
61. In Sec.  73.23, revise paragraph (f)(3) and in paragraph (g)(2), 
remove the phrase ``to Federal Information Processing Standards (FIPS) 
140-2 or later'' and add in its place the phrase ``to an active, 
approved version of the Federal Information Processing Standards (FIPS) 
140 standard''.
    The revision to read as follows:


Sec.  73.23  Protection of Safeguards Information--Modified Handling: 
Specific requirements.

* * * * *
    (f) * * *
    (3) Except under emergency or extraordinary conditions, Safeguards 
Information designated as Safeguards Information-Modified Handling must 
be transmitted electronically only by protected telecommunications 
circuits (including facsimile) that utilizes a commercially available 
encryption system that is compliant with an active, approved version of 
Federal Information Processing Standard (FIPS) 140. For the purpose of 
this section, emergency or extraordinary conditions are defined as any 
circumstances that require immediate communications in order to report, 
summon assistance for, or respond to a security contingency event or an 
event that has potential security significance. Physical security 
events required to be reported pursuant to Sec. Sec.  73.1200 and 
73.1205 are considered to be extraordinary conditions.
* * * * *
62. In Sec.  73.46:
a. Revise paragraph (b).
b. In paragraph (h)(3) remove the word ``availabiliy'' and add in its 
place the word ``availability''; and
c. Remove paragraph (i).
    The revision reads as follows:


Sec.  73.46  Fixed site physical protection systems, subsystems, 
components, and procedures.

* * * * *
    (b) Security organization.
    (1) The licensee shall establish a security organization, including 
guards. If a contract guard force is utilized for site security, the 
licensee's written agreement with the contractor will clearly show that 
(i) the licensee is responsible to the Commission for maintaining 
safeguards in accordance with Commission regulations and the licensee's 
security plan, (ii) the NRC may inspect, copy, and take away copies of 
all reports and documents required to be kept by Commission 
regulations, orders, or applicable license conditions whether such 
reports and documents are kept by the licensee or the contractor, (iii) 
the requirement, in Sec.  73.46(b)(4) of this section that the licensee 
demonstrate the ability of physical security personnel to perform their 
assigned duties and responsibilities, include demonstration

[[Page 38967]]

of the ability of the contractor's physical security personnel to 
perform their assigned duties and responsibilities in carrying out the 
provisions of the Security Plan and these regulations, and (iv) the 
contractor will not assign any personnel to the site who have not first 
been made aware of these responsibilities.
    (2) The licensee shall have onsite at all times at least one full 
time member of the security organization with authority to direct the 
physical protection activities of the security organization.
    (3) The licensee shall have a management system to provide for the 
development, revision, implementation, and enforcement of security 
procedures. The system shall include:
    (i) Written security procedures which document the structure of the 
security organization and which detail the duties of the Tactical 
Response Team, guards, watchmen, and other individuals responsible for 
security. The licensee shall retain a copy of the current procedures as 
a record until the Commission terminates the license for which these 
procedures were developed and, if any portion of these procedures is 
superseded, retain the superseded material for three years after each 
change; and
    (ii) Provision for written approval of such procedures and any 
revisions thereto by the individual with overall responsibility for the 
security function.
    (4) The licensee may not permit an individual to act as a Tactical 
Response Team member, armed response person, guard, or other member of 
the security organization unless the individual has been trained, 
equipped, and qualified to perform each assigned security duty in 
accordance with the licensee security plans and appendix B of this 
part, ``General Criteria for Security Personnel.'' In addition, 
Tactical Response Team members, armed response personnel, and guards 
shall be trained, equipped, and qualified for use of their assigned 
weapons in accordance with paragraphs (b)(6) and (b)(7) of this 
section. Tactical Response Team members, armed response personnel, and 
guards shall also be trained and qualified in accordance with paragraph 
(b)(10) of this section. Upon the request of an authorized 
representative of the Commission, the licensee shall demonstrate the 
ability of the physical security personnel, whether licensee or 
contractor employees, to carry out their assigned duties and 
responsibilities. Each Tactical Response Team member, armed response 
person, and guard, whether a licensee or contractor employee, shall 
requalify in accordance with appendix B of this part. Tactical Response 
Team members, armed response personnel, and guards shall also requalify 
in accordance with paragraph (b)(7) of this section at least once every 
12 months. The licensee shall document the results of the qualification 
and requalification. The licensee shall retain the documentation of 
each qualification and requalification as a record for 3 years after 
each qualification and requalification.
    (5) Within any given period of time, a member of the security 
organization may not be assigned to, or have direct operational control 
over, more than one of the redundant elements of a physical protection 
subsystem if such assignment or control could result in the loss of 
effectiveness of the subsystem.
    (6) Each guard shall be armed with a handgun, as described in 
appendix B of this part. Each Tactical Response Team member shall be 
armed with a 9-mm semiautomatic pistol. All but one member of the 
Tactical Response Team shall be armed additionally with either a 
shotgun or semiautomatic rifle, as described in appendix B of this 
part. The remaining member of the Tactical Response Team shall carry, 
as an individually assigned weapon, a rifle of no less caliber than .30 
inches or 7.62 mm.
    (7) In addition to the weapons qualification and requalification 
criteria of appendix B of this part, Tactical Response Team members, 
armed response personnel, and guards shall qualify and requalify, at 
least every 12 months, for day and night firing with assigned weapons 
in accordance with appendix H of this part. Tactical Response Team 
members, armed response personnel, and guards shall be permitted to 
practice fire prior to qualification and requalification but shall be 
given only one opportunity to fire for record on the same calendar day. 
If a Tactical Response Team member, armed response person, or guard 
fails to qualify or requalify, the licensee shall remove the individual 
from security duties which require the use of firearms and retrain the 
individual prior to any subsequent attempt to qualify or requalify. If 
an individual fails to qualify or requalify on two successive attempts, 
he or she shall be required to receive additional training and 
successfully fire two consecutive qualifying scores prior to being 
reassigned to armed security duties.
    (i) In addition, Tactical Response Team members, armed response 
personnel, and guards shall be prepared to demonstrate day and night 
firing qualification with their assigned weapons at any time upon 
request by an authorized representative of the NRC.
    (ii) The licensee or the licensee's agent shall document the 
results of weapons qualification and requalification for day and night 
firing. The licensee shall retain the documentation of each 
qualification and requalification as a record for 3 years after each 
qualification and requalification.
    (8) In addition to the training requirements contained in appendix 
B of this part, Tactical Response Team members shall successfully 
complete training in response tactics. The licensee shall document the 
completion of training. The licensee shall retain the documentation of 
training as a record for three years after training is completed.
    (9) The licensee shall conduct Tactical Response Team and guard 
exercises to demonstrate the overall security system effectiveness and 
the ability of the security force to perform response and contingency 
plan responsibilities and to demonstrate individual skills in assigned 
team duties. The licensee shall use these exercises to demonstrate its 
capability to respond to attempts of theft or diversion of strategic 
special nuclear material. On an annual basis, each shift that 
implements the safeguards contingency plan and licensee protective 
strategy must participate in two tactical response drills, one of which 
must test security response using the minimum necessary response force 
and a mock adversary team to execute the scenario. Every 3 years, each 
shift that implements the safeguards contingency plan and licensee 
protective strategy must participate in one force-on-force exercise. 
The licensee must conduct at least one force-on-force exercise 
annually. Force-on-force exercises conducted to satisfy the NRC 
triennial evaluation requirement can be used to satisfy the annual 
force-on-force requirement for the personnel that participate in the 
capacity of the security response organization. The licensee shall 
document the results of all exercises. The licensee shall retain the 
documentation of each exercise as a record for three years after each 
exercise is completed.
    (10) In addition to the medical examinations and physical fitness 
requirements of paragraph I.C of appendix B of this part, each Tactical 
Response Team member, armed response person, and guard, except as 
provided in paragraph (b)(10)(v) of this section, shall participate in 
a physical fitness training program, to include a

[[Page 38968]]

physical fitness test, on an initial and continuing basis.
    (i) The licensee must administer a physical fitness test to all 
Tactical Response Team members, armed response personnel, and guards 
once every 6 months. Individuals who exceed 6 months without having 
been administered the test due to excused time off from work must be 
tested within 15 calendar days of returning to duty as a Tactical 
Response Team member, armed response person, or guard.
    (ii) The physical fitness test must address the physical 
capabilities needed by armed response personnel during strenuous 
tactical engagements, and include physical exertion, levels of stress, 
and exposure to the elements as they pertain to each individual's 
assigned security duties for both normal and emergency operations. The 
test must simulate site specific conditions under which the individual 
will be required to perform assigned duties and responsibilities.
    (iii) The licensee shall give Tactical Response Team members, armed 
response personnel, and guards a medical examination including a 
determination and written certification by a licensed physician that 
there are no medical contraindications, as disclosed by the medical 
examination, to participate in the physical fitness test. The medical 
examination must be given within 30 days prior to the first 
administration of the physical fitness test, and on an annual basis 
thereafter.
    (iv) Licensees may temporarily waive an individual's participation 
in the physical fitness test on the advice of the licensee's examining 
physician, during which time the individual may not be assigned duties 
as a Tactical Response Team member, armed response person, or guard.
    (v) Guards whose duties are to staff the central or secondary alarm 
station and those who control exit or entry portals are exempt from the 
physical fitness training program specified in paragraph (b)(10) of 
this section, provided that they are not assigned temporary response 
guard duties.
    (vi) The licensee shall place Tactical Response Team members, armed 
response persons, and guards, who do not meet the licensee-established 
qualification criteria, in a monitored remedial physical fitness 
training program and relieve them of security duties until they 
satisfactorily meet the licensee-established qualification criteria.
63. In Sec.  73.51:
a. Revise paragraphs (a) and (b)(1);
b. In paragraph (d)(1), remove the phrase ``, typically 20 feet wide 
each, on both sides of this barrier,'';
c. In paragraph (d)(3), in the last sentence, remove the word 
``redundant'' and add in its place the word ``additional'';
d. In paragraph (d)(11), remove the phrase ``of the'' in the last 
sentence; and
e. In paragraph (d)(12), in the first sentence, remove the number 
``24'' and add in its place the number ``36''.
    The revisions read as follows:


Sec.  73.51  Requirements for the physical protection of stored spent 
nuclear fuel and high-level radioactive waste.

    (a) Applicability. Notwithstanding the provisions of Sec.  73.20, 
73.50, or 73.67, the physical protection requirements of this section 
apply to each licensee that stores spent nuclear fuel and high-level 
radioactive waste:
    (1) Under a specific license issued pursuant to part 72 of this 
chapter:
    (i) At an independent spent fuel storage installation (ISFSI) or
    (ii) At a monitored retrievable storage (MRS) installation; or
    (2) At a geologic repository operations area (GROA) licensed 
pursuant to part 60 or 63 of this chapter; or
    (3) Under a general license issued pursuant to part 72 of this 
chapter:
    (i) When a separate protected area is established outside of an 
existing protected area for the purpose of storage of spent fuel and a 
submittal has been made to the NRC under the provisions of Sec.  
72.212(b)(9)(iv)(C) of this chapter; or
    (ii) Upon the NRC's docketing of the certifications required under 
Sec.  50.82(a)(1) of this chapter or Sec.  52.110(a) of this chapter or 
Sec.  53.1070(a) of this chapter, when all spent fuel has been placed 
in dry cask storage at the facility, and a submittal has been made to 
the NRC under the provisions of Sec.  72.212(b)(9)(iv)(C) of this 
chapter.
    (b) * * *
    (1) Each licensee subject to this section shall establish and 
maintain a physical protection system with the objective of providing 
reasonable assurance that activities involving spent nuclear fuel and 
high-level radioactive waste do not constitute an unreasonable risk to 
public health and safety.
* * * * *
64. Revise Sec.  73.54 to read as follows:


Sec.  73.54  Protection of digital computer and communication systems 
and networks.

    (a) Each licensee subject to the requirements of this section shall 
provide reasonable assurance that digital computer and communication 
systems and networks are adequately protected against cyberattacks, up 
to and including the design basis threat as described in Sec.  73.1.
    (1) The licensee shall protect digital computer and communication 
systems and networks associated with:
    (i) Safety-related and important-to-safety functions;
    (ii) Security functions;
    (iii) Emergency preparedness functions, including offsite 
communications; and
    (iv) Support systems and equipment which, if compromised, would 
adversely impact safety, security, or emergency preparedness functions.
    (2) The licensee shall protect the systems and networks identified 
in paragraph (a)(1) of this section from cyberattacks that would:
    (i) Adversely impact the integrity or confidentiality of data and/
or software;
    (ii) Deny access to systems, services, and/or data; and
    (iii) Adversely impact the operation of systems, networks, and 
associated equipment.
    (b) To accomplish this, the licensee shall:
    (1) Analyze digital computer and communication systems and networks 
and identify those assets that must be protected against cyberattacks 
to satisfy paragraph (a) of this section; and
    (2) Establish, implement, and maintain a cybersecurity program for 
the protection of the assets identified in paragraph (b)(1) of this 
section.
    (3) [Reserved]
    (c) The cybersecurity program must be designed to:
    (1) Implement security controls to protect the assets identified by 
paragraph (b)(1) of this section from cyberattacks;
    (2) Apply and maintain defense-in-depth protective strategies to 
ensure the capability to detect, respond to, and recover from 
cyberattacks;
    (3) Mitigate the adverse effects of cyberattacks; and
    (4) Ensure that the functions of protected assets identified by 
paragraph (b)(1) of this section are not adversely impacted due to 
cyberattacks.
    (d) As part of the cybersecurity program, the licensee shall:
    (1) Ensure that appropriate facility personnel, including 
contractors, are aware of cybersecurity requirements and receive the 
training necessary to perform their assigned duties and 
responsibilities.
    (2) Evaluate and manage cyber risks.
    (3) Ensure that modifications to assets, identified by paragraph 
(b)(1) of this section, are evaluated before implementation to ensure 
that the cybersecurity performance objectives

[[Page 38969]]

identified in paragraph (a)(1) of this section are maintained.
    (4) Conduct cybersecurity event notifications in accordance with 
the provisions of Sec.  73.77.
    (e) The licensee shall establish, implement, and maintain a 
cybersecurity plan that implements the cybersecurity program 
requirements of this section.
    (1) The cybersecurity plan must describe how the requirements of 
this section will be implemented and must account for the site-specific 
conditions that affect implementation.
    (2) The cybersecurity plan must include measures for incident 
response and recovery for cyberattacks. The cybersecurity plan must 
describe how the licensee will:
    (i) Maintain the capability for timely detection and response to 
cyberattacks;
    (ii) Mitigate the consequences of cyberattacks;
    (iii) Correct exploited vulnerabilities; and
    (iv) Restore affected systems, networks, and/or equipment affected 
by cyberattacks.
    (f) The licensee shall develop and maintain written policies and 
implementing procedures to implement the cybersecurity plan. Policies, 
implementing procedures, site-specific analysis, and other supporting 
technical information used by the licensee need not be submitted for 
Commission review and approval as part of the cybersecurity plan but 
are subject to inspection by NRC staff on a periodic basis.
    (g) The licensee must establish and implement cybersecurity reviews 
to assess the effectiveness of the implementation of the cybersecurity 
program.
    (1) The licensee must review each element of the cybersecurity 
program at a frequency commensurate with the importance or significance 
to safety of plant operations to ensure timely identification and 
documentation of vulnerabilities, improvements, and corrective actions.
    (2) Cybersecurity reviews must be performed by individuals 
independent of those personnel responsible for program management and 
any individual who has direct responsibility for implementing the 
cybersecurity program.
    (3) The licensee must establish and perform self-assessments to 
ensure the effective implementation of the cybersecurity program.
    (4) The results and recommendations of the cybersecurity program 
reviews, management's findings regarding program effectiveness, and any 
actions taken as a result of recommendations from prior program 
reviews, must be documented in a report and must be maintained in an 
auditable form and available for inspection.
    (h) The licensee shall retain all records and supporting technical 
documentation required to satisfy the requirements of this section as a 
record until the Commission terminates the license for which the 
records were developed, and shall maintain superseded portions of these 
records for at least three (3) years after the record is superseded, 
unless otherwise specified by the Commission.
65. Revise Sec.  73.55 to read as follows:


Sec.  73.55  Requirements for physical protection of licensed 
activities in nuclear power reactors against radiological sabotage.

    (a) Introduction.
    (1) Each licensee that is licensed to operate a nuclear power plant 
under 10 CFR part 50 and each holder of a combined license under 10 CFR 
part 52 must identify achievable target sets in accordance with Sec.  
73.55(f) and develop, implement, and maintain a physical protection 
program under the following requirements:
    (i) Each licensee that demonstrates no achievable target sets exist 
in accordance with Sec.  73.55(f), and does not credit any active 
measures (e.g., operator action, mitigative action, detection, 
assessment, armed response) in making that demonstration, is exempt 
from the remaining requirements of this section. The requirements of 10 
CFR part 26, 10 CFR part 37, and Sec. Sec.  73.21, 73.22, 73.23, 73.54, 
73.67, 73.110, and 73.120 must be implemented as applicable.
    (ii) Each licensee that demonstrates no achievable target sets 
exist in accordance with Sec.  73.55(f), and credits active measures in 
making that demonstration, must implement the requirements of this 
section through its physical security plan, training and qualification 
plan, safeguards contingency plan, and cybersecurity plan, referred to 
collectively hereafter as ``security plans,'' before initial fuel load 
into the reactor (or, for a fueled manufactured reactor, before 
initiating the removal of features to prevent criticality); for such 
licensees, the requirements of Sec.  73.55(b)(2) and (b)(3) shall be 
deemed satisfied if the physical protection program is designed to 
ensure that the credited active measures will be implemented in 
response to threats up to and including the design basis threat of 
radiological sabotage or,
    (iii) Each licensee that demonstrates achievable target sets exist, 
in accordance with Sec.  73.55(f), must implement the requirements of 
this section through its physical security plan, training and 
qualification plan, safeguards contingency plan, and cybersecurity 
plan, referred to collectively hereafter as ``security plans,'' before 
initial fuel load into the reactor (or, for a fueled manufactured 
reactor, before initiating the removal of the features to prevent 
criticality).
    (2) The implementation of security plans must identify, analyze, 
describe, and account for site-specific conditions, including target 
sets that affect the licensee's capability to satisfy the requirements 
of this section.
    (i) The security plans must describe how the performance objective 
and requirements set forth in this section will be implemented.
    (ii) The licensee must protect the security plans and other 
security-related information against unauthorized disclosure in 
accordance with the requirements of Sec.  73.21.
    (3) The licensee is responsible for maintaining the onsite physical 
protection program in accordance with Commission regulations through 
the implementation of security plans and written security implementing 
procedures.
    (b) General performance objective and requirements.
    (1) The licensee must establish, implement, and maintain a physical 
protection program and a security organization, which will have as its 
objective to provide reasonable assurance that activities involving 
special nuclear material are not inimical to the common defense and 
security and do not constitute an unreasonable risk to the public 
health and safety.
    (2) To satisfy the general performance objective of paragraph 
(b)(1) of this section, the physical protection program must protect 
against the design basis threat of radiological sabotage as stated in 
Sec.  73.1.
    (3) The physical protection program must be designed to prevent a 
release of radionuclides from any source that exceeds the dose 
reference values defined in Sec.  50.34(a)(1)(ii)(D)(1) and (2), Sec.  
52.79(a)(1)(vi)(A) and (B), or Sec.  53.210 of this chapter, as 
applicable. Specifically, the program must:
    (i) Ensure that the capabilities to detect, assess, interdict, and 
neutralize threats up to and including the design basis threat of 
radiological sabotage as stated in Sec.  73.1, are maintained at all 
times.
    (ii) Provide defense in depth in achieving performance requirements 
through the integration of engineered systems, technologies, 
administrative

[[Page 38970]]

controls, implementing procedures and management measures as needed to 
ensure the effectiveness of the physical protection program.
    (iii) For licensee physical protection programs that rely upon 
design and engineered security features to meet the requirements of 
this section, ensure that the reliability and availability of the 
structures, systems, and components (SSCs) for demonstrating compliance 
are maintained at all times.
    (4) Upon the request of an authorized representative of the 
Commission, the licensee must demonstrate the ability to meet 
Commission requirements through the implementation of the physical 
protection program, including the ability of armed and unarmed 
personnel to perform assigned duties and responsibilities required by 
the security plans and licensee procedures.
    (5) The licensee must establish, maintain, and implement a 
performance evaluation program in accordance with appendix B to this 
part, to demonstrate and assess the effectiveness of armed responders 
and armed security officers to implement the licensee's protective 
strategy.
    (i) For licensees that rely upon SSCs in accordance with paragraph 
(b)(3)(iii) of this section, the performance evaluations must include 
methods appropriate and necessary to assess, test, and challenge the 
integration of the physical protection program's functions to protect 
against the design basis threat, including measures to protect against 
cyberattack and engineered systems designed to protect against the 
design basis threat standalone ground vehicle bomb attack.
    (A) The licensee must establish the frequencies for performance 
evaluations of the engineered security features commensurate with their 
security significance to the physical protection program.
    (B) The licensee must document processes and procedures for 
implementing the performance evaluations. The licensee must maintain 
records, including results, findings, and corrective actions identified 
during the performance evaluations.
    (ii) [Reserved]
    (6) The licensee must establish, maintain, and implement an access 
authorization program in accordance with Sec.  73.56 and must describe 
the program in the Physical Security Plan.
    (7) The licensee must establish, maintain, and implement a 
cybersecurity program in accordance with Sec.  73.54 or Sec.  73.110 
and must describe the program in the cybersecurity plan.
    (8) The licensee must establish, maintain, and implement an insider 
mitigation program and must describe the program in the Physical 
Security Plan.
    (i) The insider mitigation program must monitor the initial and 
continuing trustworthiness and reliability of individuals granted or 
retaining unescorted access authorization to a protected or vital area, 
and implement defense-in-depth methodologies to minimize the potential 
for an insider (active, passive, or both) to adversely affect, either 
directly or indirectly, the licensee's capability to protect against 
the design basis threat of radiological sabotage as described in 10 CFR 
73.55(b)(3).
    (ii) The insider mitigation program must contain elements from:
    (A) The access authorization program described in Sec.  73.56;
    (B) The fitness-for-duty program described in part 26 of this 
chapter;
    (C) The cybersecurity program described in Sec.  73.54 or Sec.  
73.110; and
    (D) The physical protection program described in this section.
    (9) The licensee must track, trend, correct and prevent recurrence 
of failures and deficiencies in the implementation of the requirements 
of this section.
    (10) Implementation of security plans and associated procedures 
must be coordinated with other onsite plans and procedures to preclude 
conflict during both normal and emergency conditions and ensure the 
adequate management of the safety and security interface.
    (11)(i) The licensee must ensure that the firearms background check 
requirements of Sec.  73.17 are met for all members of the security 
organization whose official duties require access to covered weapons or 
who inventory enhanced weapons.
    (ii) The provisions of this paragraph are only applicable to 
licensees subject to this section that are also subject to the firearms 
background check provisions of Sec.  73.17.
    (c) Security implementing procedures.
    (1) The licensee must have a management system to provide for the 
development, implementation, revision, and oversight of security 
policies and procedures that implement Commission requirements and the 
security plans.
    (i) Implementing procedures must document the conduct of security 
operations, maintenance, training and qualification, contingency 
responses, and as applicable security design and configuration 
controls.
    (ii) The revisions to security implementing procedures must satisfy 
the requirements of this section.
    (2) [Reserved]
    (d) Security organization.
    (1) The licensee must establish and maintain a security 
organization that is staffed, trained, qualified, and equipped to 
implement the physical protection program under the requirements of 
this section, section VI of appendix B of this part, and the security 
plans.
    (2) The security organization must include at least one member, 
onsite and available at all times, who has the authority to direct the 
activities of the security organization and who is assigned no other 
duties that would interfere with this individual's ability to perform 
these duties in accordance with the security plans and the licensee 
protective strategy.
    (3) As applicable, the licensee must--
    (i) Establish a process for the approval of designs, policies, 
processes, and procedures and changes by the individual with overall 
responsibility for the physical protection program; and
    (ii) Ensure that revisions and changes to the physical protection 
program and implementing policies, processes, and procedures satisfy 
the requirements of this section.
    (e) Physical barriers.
    (1) Each licensee must implement physical barriers as needed to 
satisfy the physical protection program design requirements of Sec.  
73.55(b). The licensee must identify and analyze site-specific 
conditions to determine the specific use, type, function, and placement 
of the physical barriers.
    (2) Consistent with the stated function to be performed, openings 
in any barrier or barrier system established to meet the requirements 
of this section must be secured and monitored to prevent exploitation 
of the opening.
    (3) Bullet resisting physical barriers. The reactor control room, 
the central alarm station, and the location within which the last 
access control function for access to the protected area is performed 
must be bullet-resisting.
    (4) Protected area.
    (i) The protected area perimeter must be protected by physical 
barriers that are designed and constructed to limit access into the 
protected area to only those personnel, vehicles, and materials 
required to perform official duties.
    (ii) All exterior areas within the protected area, except for areas 
that must be excluded for safety reasons, must be periodically checked 
to detect and deter unauthorized personnel, vehicles, and materials.
    (5) Vital areas.
    (i) Vital equipment must be located only within vital areas, which 
must be located within a protected area so that access to vital 
equipment requires

[[Page 38971]]

passage through at least two physical barriers, except as otherwise 
identified in the security plans.
    (ii) At a minimum, the following must be considered vital areas, as 
applicable:
    (A) The reactor control room;
    (B) The spent fuel pool; and
    (C) The central alarm station.
    (iii) At a minimum, the following shall be located within a vital 
area:
    (A) The secondary power supply systems for alarm annunciation 
equipment; and
    (B) The secondary power supply systems for non-portable 
communications equipment.
    (6) Land and waterborne vehicle control measures. Consistent with 
the physical protection program design requirements of Sec.  73.55(b), 
and in accordance with the site-specific analysis, the licensee must 
establish and maintain as applicable, land and waterborne vehicle 
control measures, as necessary, to protect against the design basis 
threat of radiological sabotage land and waterborne vehicle bomb 
assaults.
    (i) Licensee must provide periodic surveillance and observation of 
land and waterborne vehicle barrier systems adequate to detect 
indications of tampering and degradation or to otherwise ensure that 
each vehicle barrier and barrier system is able to satisfy the intended 
function.
    (ii) [Reserved]
    (f) Target sets.
    (1) The licensee must identify complete and accurate target sets. 
Preventative operator actions may be credited as target set elements 
when: sufficient time to implement exists; environmental conditions 
allow operator actions to be completed successfully; adversary 
interference is precluded; all equipment required for operator actions 
is available, dedicated, staged, and maintained; approved procedures 
exist specific to the task being performed; and training is maintained 
for proficiency of the credited operator action.
    (2) The identification of target sets must not assume the success 
of the security organization; except that licensees may consider delay 
provided by the security organization when assessing the availability 
of operator actions.
    (3) The licensee must consider cyberattacks in the identification 
of target sets.
    (4) The licensee must identify and analyze site-specific 
conditions, including achievable target sets, that may affect the 
physical protection program needed to implement the requirements of 
this section. The licensee must account for these conditions in 
demonstrating compliance with the requirements of this section.
    (5) The licensee must document and maintain the process used to 
identify achievable target sets, to include the site-specific analyses 
and methodologies used to determine and group the target set equipment 
or elements, including elements not contained in a protected or vital 
area.
    (6) The licensee must further identify achievable target sets 
through site-specific analyses. Achievable target sets are described by 
the following conditions:
    (i) Are within the capabilities of the design basis threat 
adversary to compromise, destroy, or render non-functional;
    (ii) Cannot be mitigated after adversary interference is precluded 
and prior to a release of radionuclides exceeding dose reference values 
defined in Sec.  50.34(a)(1)(ii)(D)(1) and (2), Sec.  
52.79(a)(1)(vi)(A) and (B), or Sec.  53.210 of this chapter, as 
applicable.
    (iii) If defeated, result irreversibly in exceedance of the dose 
reference values defined in Sec.  50.34(a)(1)(ii)(D)(1) and (2), Sec.  
52.79(a)(1)(vi)(A) and (B), or Sec.  53.210 of this chapter, as 
applicable.
    (7) The licensee must implement a process for the oversight of 
target set equipment and systems to ensure that changes to the 
configuration of the identified equipment and systems are considered in 
the licensee's protective strategy. Where appropriate, changes must be 
made to documented target sets.
    (8) The licensee must maintain the site-specific analyses for 
achievable target sets as a record in accordance with paragraph (q) of 
this section.
    (g) Access controls.
    (1) Barriers.
    (i) Consistent with the function of each barrier or barrier system, 
the licensee must control personnel, vehicle, and material access, as 
applicable, at each access control point in accordance with the 
physical protection program design requirements of Sec.  73.55(b).
    (ii) As applicable, the licensee must assign an individual the 
responsibility for the last access control function (controlling 
admission to the protected area) in accordance with Sec.  73.55(e)(3).
    (2) Protected areas.
    (i) Before granting access into the protected area, the licensee 
must:
    (A) Confirm the true identity of individuals.
    (B) Verify the authorization for access of individuals, vehicles, 
and materials.
    (C) Confirm, in accordance with industry shared lists and databases 
that individuals are not currently denied access to another licensed 
facility.
    (D) Search individuals, vehicles, and materials in accordance with 
paragraph (h) of this section.
    (ii) [Reserved]
    (3) Vehicles in the protected area.
    (i) The licensee must exercise control over all vehicles inside the 
protected area to ensure that they are used only by authorized persons 
and for authorized purposes.
    (ii) Vehicles transporting hazardous materials inside the protected 
area must be escorted by an armed member of the security organization.
    (4) Vital areas.
    (i) Licensees must control access into vital areas consistent with 
access authorization lists.
    (ii) In response to a site-specific credible threat or other 
credible information, implement a two-person (line-of-sight) rule for 
all personnel in vital areas so that no one individual is permitted 
access to a vital area.
    (5) Emergency or exigent conditions.
    (i) The licensee shall design the access control system to 
accommodate the potential need for rapid ingress or egress of 
authorized individuals during emergency conditions or situations that 
could lead to emergency conditions.
    (ii) In instances where licensees need to manage exigent 
circumstances, licensees can permit access in accordance with 
paragraphs (g)(7) and (8) of this section.
    (6) Access control devices.
    (i) The licensee must control all keys, locks, combinations, 
passwords and related access control devices used to control access to 
protected areas, vital areas and security systems to reduce the 
probability of compromise.
    (ii) The licensee must implement a personnel identification system 
for all individuals authorized unescorted access to the protected area 
and vital areas.
    (7) Visitors.
    (i) The licensee may permit escorted access to protected and vital 
areas to individuals who have not been granted unescorted access in 
accordance with the requirements of Sec.  73.56 and part 26 of this 
chapter. The licensee must:
    (A) Implement procedures for processing, escorting, and controlling 
visitors.
    (B) Confirm the identity of each visitor through physical 
presentation of a recognized identification card issued by a local, 
State, or Federal government agency that includes a photo or contains 
physical characteristics of the individual requesting escorted access.
    (ii) Individuals not employed by the licensee but who require 
frequent or extended unescorted access to the protected area and/or 
vital areas to

[[Page 38972]]

perform duties and responsibilities required by the licensee at 
irregular or intermittent intervals, must satisfy the access 
authorization requirements of Sec.  73.56 and part 26 of this chapter.
    (8) Escorts.
    (i) The licensee must ensure that all escorts are trained to 
perform escort duties and provided a means of timely communication with 
security personnel to summon assistance when needed.
    (ii) Each licensee must describe visitor to escort ratios for the 
protected area and vital areas in physical security plans. Implementing 
procedures must provide necessary observation and control requirements 
for all visitor activities.
    (h) Search programs.
    (1) The licensee must establish and implement searches through the 
use of technology or personnel to detect, deter, and prevent the 
introduction of unauthorized firearms, explosives, incendiary devices, 
or other items which could be used to commit radiological sabotage. The 
licensee must search individuals, vehicles, and materials consistent 
with the physical protection program design requirements in paragraph 
(b) of this section, and the function to be performed at each access 
control point or portal before granting access into the protected area, 
and where necessary to meet the performance objectives, in the owner 
controlled area.
    (i) Licensees that meet the requirements of Sec.  73.55(b)(3)(iii) 
must be capable of detecting and denying unauthorized access to persons 
and pass-through of contraband materials (e.g., weapons, incendiary 
devices, explosives) to protected areas.
    (ii) For each vehicle access portal, the licensee must describe in 
implementing procedures areas of a vehicle to be searched before access 
is granted. Areas of the vehicle to be searched must include, but are 
not limited to, the cab, engine compartment, undercarriage, and cargo 
area.
    (iii) Searches at vehicle access control points must be monitored 
to ensure that a response can be initiated if needed.
    (2) Prior to granting access to the protected area, licensees must 
search all personnel, vehicles and materials to meet the requirements 
of Sec.  73.55(h)(1) and ensure that all items are clearly identified.
    (i) The licensee must subject all persons to search upon entry to 
the protected area except for official Federal, State, and local law 
enforcement personnel on official duty or individuals under the active 
protection of the United States Secret Service. Armed response 
personnel who are on duty and have exited the protected area may 
re-enter the protected area without being searched for firearms.
    (ii) Exceptions to the protected area search requirements for 
materials may be granted for safety or operational reasons provided the 
design criteria of Sec.  73.55(b) are satisfied, the materials are 
clearly identified, the types of exceptions to be granted are described 
in the security plans, and the specific security measures to be 
implemented for excepted items are detailed in site procedures.
    (iii) To the extent practicable, excepted materials must be 
positively controlled, stored in a locked area, and opened at the final 
destination by an individual familiar with the items.
    (iv) Bulk material excepted from the protected area search 
requirements must be escorted by an armed member of the security 
organization to its final destination or to a receiving area where the 
excepted items are offloaded and verified.
    (v) To the extent practicable, bulk materials excepted from search 
must not be offloaded adjacent to a vital area.
    (i) Detection and assessment systems.
    (1) The licensee must establish and maintain intrusion detection 
and assessment systems that satisfy the design requirements of Sec.  
73.55(b) and provide, at all times, the capability to detect and assess 
unauthorized persons and facilitate the effective implementation of the 
licensee's protective strategy.
    (2) Intrusion detection equipment must annunciate, and video 
assessment equipment must display concurrently, in at least two 
continuously staffed onsite alarm stations, at least one of which must 
be protected in accordance with the requirements of the central alarm 
station within this section.
    (3) The licensee's intrusion detection and assessment systems must 
be designed to:
    (i) Detect both attempted and actual penetration of the protected 
area perimeter barrier.
    (ii) Provide real-time and play-back/recorded video images of the 
detected activities adjacent to the protected area perimeter barrier 
before and after each alarm annunciation.
    (iii) Ensure that alarm devices to include transmission lines to 
annunciators are tamper indicating and self-checking.
    (iv) Provide an automatic indication when the alarm system or a 
component of the alarm system fails, or when the system is operating on 
the backup power supply.
    (v) Ensure intrusion detection and assessment equipment at the 
protected area perimeter remains operable from an uninterruptible power 
supply in the event of the loss of normal power.
    (4) Alarm stations.
    (i) Both alarm stations required by paragraph (i)(2) of this 
section must be designed and equipped to ensure that a single act, in 
accordance with the design basis threat of radiological sabotage 
defined in Sec.  73.1(a)(1), cannot disable both alarm stations. The 
licensee must ensure the survivability of at least one alarm station to 
maintain the ability to perform the following functions:
    (A) Detect and assess alarms;
    (B) Initiate and coordinate an adequate response to an alarm;
    (C) Summon offsite assistance; and
    (D) Provide command and control.
    (ii) Licensees must:
    (A) Locate the central alarm station inside a protected area.
    (B) Continuously staff each alarm station with at least one trained 
and qualified alarm station operator. The alarm station operator must 
not be assigned other duties or responsibilities which would interfere 
with the ability to execute the functions described in Sec.  
73.55(i)(4)(i) of this section.
    (C) Ensure that an alarm station operator cannot change the status 
of a detection point or deactivate a locking or access control device 
at a protected or vital area portal, without the knowledge and 
concurrence of the alarm station operator in the other alarm station.
    (D) Ensure that operators in both alarm stations are knowledgeable 
of the final disposition of all alarms.
    (5) Surveillance, observation, and monitoring.
    (i) The physical protection program must include surveillance, 
observation, and monitoring as needed to satisfy the design 
requirements of Sec.  73.55(b), identify indications of tampering, or 
otherwise implement the site protective strategy.
    (ii) [Reserved]
    (6) Illumination.
    (i) The licensee must ensure that all areas of the facility are 
provided with illumination, low-light, or other equivalent technology 
necessary to satisfy the design requirements of Sec.  73.55(b) and 
implement the protective strategy.
    (ii) [Reserved]
    (j) Communication requirements.
    (1) The licensee must establish and maintain continuous 
communication capability with onsite and offsite resources to ensure 
effective command and control during both normal and emergency 
situations.

[[Page 38973]]

    (2) A method of communication between alarm stations and security 
personnel must remain operable from independent power sources in the 
event of the loss of normal power.
    (k) Response requirements.
    (1) Response performance objective.
    (i) The licensee must establish and maintain, at all times, 
properly trained, qualified and equipped personnel required to 
interdict and neutralize threats up to and including the design basis 
threat of radiological sabotage as defined in Sec.  73.1, to prevent a 
release of radionuclides from any source from exceeding the dose 
reference values defined in Sec.  50.34(a)(1)(ii)(D)(1) and (2), Sec.  
52.79(a)(1)(vi)(A) and (B), or Sec.  53.210 of this chapter, as 
applicable.
    (ii) [Reserved]
    (2) Armed response personnel.
    (i) The licensee must provide armed response personnel consisting 
of armed responders which may be augmented with armed security officers 
to carry out armed response duties within predetermined timelines 
specified by the site protective strategy.
    (ii) [Reserved]
    (3) Armed responders.
    (i) The licensee must determine the minimum number of armed 
responders necessary to satisfy the design requirements of Sec.  
73.55(b) and implement the protective strategy. The licensee must 
document this number in the security plans.
    (ii) Armed responders must be available at all times inside the 
protected area and may not be assigned other duties or responsibilities 
that could interfere with their assigned response duties.
    (4) Armed security officers.
    (i) Armed security officers, designated to strengthen onsite 
response capabilities, must be onsite and available at all times to 
carry out their assigned response duties.
    (ii) The minimum number of armed security officers designated to 
strengthen onsite response capabilities must be documented in the 
security plans.
    (5) Alternative response requirements.
    (i) The licensee may fulfill the requirements of Sec.  73.55(k)(1) 
through (4) through alternative means provided that the alternative is 
described in the physical security plan and that a technical basis is 
maintained for demonstrating compliance with the performance 
requirements of Sec.  73.55(b).
    (A) A licensee with prior approval by the Commission may entirely 
rely on law enforcement or other offsite armed responders.
    (B) Structures, systems, and components relied on for delay 
functions must be designed to allow for timely security responses to 
adversary attacks with adequate defense in depth.
    (ii) [Reserved]
    (6) Offsite armed response personnel.
    (i) A licensee relying entirely or partially on law enforcement or 
other offsite armed responders must:
    (A) Fully describe in the safeguards contingency plan the role that 
law enforcement or other offsite armed responders will implement in the 
licensee's protective strategy. The description must provide sufficient 
detail to enable the NRC to determine that the licensee's physical 
protection program provides reasonable assurance of adequate protection 
against threats up to and including the design basis threat of 
radiological sabotage; and
    (B) The physical protection program must be designed to provide 
layers of security response, with each layer assuring that a single 
failure does not result in the loss of capability to neutralize the 
design basis threat adversary.
    (C) Provide timely security response to interdict and neutralize 
adversary attacks up to and including the design basis threat of 
radiological sabotage.
    (D) The security response may rely on the use of onsite responders, 
law enforcement or other offsite armed responders, or a combination 
thereof, to fulfill the interdiction and neutralization functions 
required by paragraph (b)(3)(i) of this section. A licensee relying 
entirely or partially on law enforcement or other offsite armed 
responders must--
    (1) Maintain the capability to detect, assess, interdict, and 
neutralize threats as required by paragraphs (b)(3)(i) and (b)(3)(ii) 
of this section;
    (2) Provide adequate delay to enable law enforcement or other 
offsite armed responders to fulfill the interdiction and neutralization 
functions for threats up to and including the design basis threat of 
radiological sabotage;
    (3) Identify criteria and measures to compensate for the 
degradation or absence of law enforcement or other offsite armed 
responders and propose suitable compensatory measures that meet the 
requirements of paragraph (o) of this section.
    (4) For licensees relying entirely or partially on law enforcement 
responders to fulfill the interdiction and neutralization functions 
required by paragraph (b)(3)(i) of this section, the training and 
qualification requirements related to armed response personnel in 
paragraph (d) of this section do not apply to law enforcement 
responders. The licensee must continue to satisfy the performance 
evaluation requirements in paragraph (b)(5) of this section for all 
armed response personnel, including law enforcement.
    (5) Provide necessary information about the facility and make 
available periodic training to law enforcement or other offsite armed 
responders who will fulfill the interdiction and neutralization 
functions for threats up to and including the design basis threat of 
radiological sabotage.
    (ii) [Reserved]
    (7) Protective strategy.
    (i) The licensee must establish, maintain, and implement a written 
protective strategy in accordance with the requirements of this section 
and part 73, appendix C, section II. Upon receipt of an alarm or other 
indication of a threat, the licensee must implement its safeguards 
contingency plan.
    (ii) [Reserved]
    (8) Law enforcement liaison.
    (i) To the extent practicable, licensees must document and maintain 
current agreements with applicable law enforcement agencies to include 
estimated response times and capabilities.
    (ii) [Reserved]
    (9) Heightened security.
    (i) Licensees must establish, maintain, and implement a threat 
warning system which identifies specific graduated protective measures 
and actions to be taken to increase licensee preparedness against a 
heightened security threat.
    (ii) Licensees must ensure that the specific protective measures 
and actions identified for each threat level are consistent with the 
security plans and other emergency plans and procedures.
    (iii) Upon notification by an authorized representative of the 
Commission, licensees must implement the specific threat level 
indicated by the Commission representative.
    (l) Safety/Security Interface.
    (1) The licensee must assess and manage the potential for adverse 
effects on safety and security, including the site emergency plan, 
before implementing changes to plant configurations, facility 
conditions, or security.
    (2) [Reserved]
    (m) Security program reviews.
    (1) The licensee must establish and implement security reviews to 
assess the effectiveness of the implementation of the physical 
protection program. Security reviews must be performed by individuals 
independent of those personnel responsible for program management and 
any individual who has direct responsibility for implementing the 
onsite physical protection program.
    (2) The licensee must review each element of the physical 
protection

[[Page 38974]]

program at a frequency commensurate with the importance or significance 
to safety of plant operations to ensure timely identification and 
documentation of vulnerabilities, improvements, and corrective actions. 
The objective of these reviews must be to maintain effective 
implementation of the engineered and administrative controls required 
to achieve the physical protection program functions, and the 
management system required to implement programs and requirements in 
this section.
    (3) The licensee must establish and perform self-assessments to 
ensure the effective implementation of the physical protection program 
functions of detection, assessment, communication, delay, and 
interdiction and neutralization to protect against the design basis 
threat of radiological sabotage. As applicable, the licensee must 
perform design verification and assessments of the capabilities of 
active and passive engineering systems relied on to protect against the 
design basis threat.
    (4) Reviews of the security program must include, but are not 
limited to, an audit of the effectiveness of the physical protection 
program, security plans, implementing procedures, cybersecurity 
programs, safety/security interface activities, the testing, 
maintenance, and calibration program, and response commitments by 
local, State, and Federal law enforcement authorities.
    (5) The results and recommendations of the onsite physical 
protection program reviews, management's findings regarding program 
effectiveness, and any actions taken as a result of recommendations 
from prior program reviews, must be documented in a report and must be 
maintained in an auditable form and available for inspection.
    (n) Maintenance, testing, and calibration.
    (1) The licensee must:
    (i) Establish, maintain, and implement a maintenance, testing and 
calibration program to ensure that security systems and equipment, 
including secondary and uninterruptible power supplies, are tested for 
operability and performance at predetermined intervals, maintained in 
operable condition, and are capable of performing their intended 
functions.
    (ii) Describe the maintenance, testing and calibration program in 
the physical security plan. Implementing procedures must specify 
operational and technical details required to perform maintenance, 
testing, and calibration activities to include, but not limited to, 
purpose of activity, actions to be taken, acceptance criteria, and the 
intervals or frequency at which the activity will be performed.
    (iii) The licensee must implement corrective actions to ensure 
resolution of identified vulnerabilities and deficiencies to satisfy 
the requirements of this section.
    (iv) Security equipment or systems must be tested in accordance 
with the site maintenance, testing and calibration procedures before 
being placed back in service after each repair or inoperable state.
    (2) [Reserved]
    (o) Compensatory measures.
    (1) The licensee must identify criteria and measures to compensate 
for degraded or inoperable equipment, systems, and components to meet 
the requirements of this section.
    (2) Compensatory measures must provide a level of protection that 
is equivalent to the protection that was provided by the degraded or 
inoperable equipment, system, or components.
    (3) Compensatory measures must be implemented within specific time 
frames necessary to meet the requirements stated in paragraph (b) of 
this section and described in the security plans.
    (p) Suspension of security measures.
    (1) The licensee may suspend implementation of affected 
requirements of this section under the following conditions:
    (i) In accordance with Sec. Sec.  50.54(x) and 50.54(y) or Sec.  
53.740(h) of this chapter, the licensee may suspend any security 
measures under this section in an emergency when this action is 
immediately needed to protect the public health and safety and no 
action consistent with license conditions and technical specifications 
that can provide adequate or equivalent protection is immediately 
apparent. This suspension of security measures must be approved as a 
minimum by a licensed senior operator or a generally licensed reactor 
operator before taking this action.
    (ii) During severe weather, the licensee may suspend any security 
measures under this section when this action is immediately needed to 
protect the personal health and safety of security force personnel and 
no other immediately apparent action consistent with the license 
conditions and technical specifications can provide adequate or 
equivalent protection. This suspension of security measures must be 
approved, as a minimum, by a licensed senior operator or a generally 
licensed reactor operator, as applicable, with input from the security 
supervisor or manager, before taking this action.
    (2) Suspended security measures must be reinstated as soon as 
conditions permit.
    (3) The suspension of security measures must be reported and 
documented in accordance with the provisions of Sec. Sec.  73.1200 and 
73.1205 of this part.
    (q) Records.
    (1) The Commission may inspect, copy, retain, and remove all 
reports, records, and documents required to be kept by Commission 
regulations, orders, or license conditions, whether the reports, 
records, and documents are kept by the licensee or a contractor.
    (2) The licensee must maintain all records required to be kept by 
Commission regulations, orders, or license conditions, until the 
Commission terminates the license for which the records were developed, 
and must maintain superseded portions of these records for at least 3 
years after the record is superseded, unless otherwise specified by the 
Commission.
    (3) The licensee must retain, in accordance with Sec.  73.70, all 
analyses, assessments, calculations, and descriptions of the technical 
basis for demonstrating compliance with the performance requirements of 
this section. The licensee must protect these records in accordance 
with the requirements for protecting safeguards information in 
Sec. Sec.  73.21 and 73.22.
    (4) If a contracted security force is used to implement the onsite 
physical protection program, the licensee's written agreement with the 
contractor must be retained by the licensee as a record for the 
duration of the contract.
    (5) Review and audit reports must be maintained and available for 
inspection, for a period of 3 years.
    (r) Alternative measures.
    (1) The Commission may authorize an applicant or licensee to 
provide a measure for protection against radiological sabotage other 
than one required by this section if the applicant or licensee 
demonstrates that:
    (i) The measure meets the same performance objectives and 
requirements specified in paragraph (b) of this section; and
    (ii) The proposed alternative measure provides protection against 
radiological sabotage equivalent to that which would be provided by the 
specific requirement for which it would substitute.
    (2) The licensee must submit proposed alternative measure(s) to the 
Commission for review and approval in accordance with Sec.  50.4 and 
Sec.  50.90, or Sec.  53.040 and Sec.  53.1510 of this chapter before 
implementation.
    (3) In addition to fully describing the desired changes, the 
licensee must

[[Page 38975]]

submit a technical basis for each proposed alternative measure. The 
basis must include an analysis or assessment that demonstrates how the 
proposed alternative measure provides a level of protection that is at 
least equal to that which would otherwise be provided by the specific 
requirement of this section.
    (4) The licensee may implement alternatives from the following 
specific requirements through the use of technology, without prior 
Commission approval, provided that the alternative is described in the 
physical security plan and that a technical basis is maintained for 
demonstrating compliance with the performance requirements of Sec.  
73.55(b):
    (i) The requirement in paragraph (d)(2) of this section that a 
member of the security organization who has the authority to direct the 
activities of the security organization be onsite at all times;
    (ii) The requirement in paragraph (e)(3) of this section that the 
reactor control room, the central alarm station, and the location 
within which the last access control function for access to the 
protected area is performed be bullet-resisting.
66. Amend Sec.  73.56 as follows:
a. Revise the section heading;
b. Revise paragraph (a)(1);
c. Remove and reserve paragraphs (a)(2) and (3);
d. Revise paragraphs (c) and (d)(3);
e. In paragraph (f)(3), remove the phrase ``re-evaluation or '';
f. In the heading for paragraph (h)(4)(ii)(A), remove the word 
``Update'' and add in its place the word ``Reinstatements'';
g. Revise paragraph (h)(4)(ii)(B);
h. Revise paragraphs (i)(1)(iv) and (i)(1)(v)(A), the introductory text 
to paragraphs (i)(1)(v)(B) and (i)(1)(v)(B)(4), and paragraph (j);
i. In paragraph (n)(1), remove the number ``24'' wherever it may appear 
and add in its place the number ``36''; and in paragraph (n)(2), remove 
the number ``12'' wherever it may appear and add in its place the 
number ``24'';
j. In paragraph (n)(6), remove the reference ``Sec.  73.55(b)(10)'' and 
add in its place the reference ``Sec.  73.55(b)(9)''; and
k. In paragraph (o)(2), remove the number ``5'' wherever it may appear 
and add in its place the number ``3''.
    The revisions and additions read as follows:


Sec.  73.56  Personnel access authorization requirements for commercial 
nuclear power plants.

    (a) * * *
    (1) Except as described in Sec.  73.120(a), each applicant for an 
operating license under the provisions of part 50 of this chapter, each 
holder of a combined license under the provisions of part 52 of this 
chapter, and each applicant for an operating license or holder of a 
combined license under part 53 of this chapter must implement the 
requirements of this section before initial fuel load into the reactor 
(or, for a fueled manufactured reactor, before initiating the removal 
of features to prevent criticality).
* * * * *
    (c) General performance objective. The licensee's or applicant's 
access authorization program must provide reasonable assurance that the 
individuals who are specified in paragraph (b)(1), and, if applicable, 
paragraph (b)(2) of this section are trustworthy and reliable, such 
that they do not constitute an unreasonable risk to public health and 
safety or the common defense and security, including the potential to 
commit radiological sabotage.
    (d) * * *
    (3) Verification of true identity. Licensees, applicants, and 
contractors or vendors shall verify the true identity of an individual 
who is applying for unescorted access or unescorted access 
authorization in order to ensure that the applicant is the person that 
he or she has claimed to be. As part of this verification, licensees 
and applicants shall determine whether the results of the 
fingerprinting required under Sec.  73.57 confirm the individual's 
claimed identity, if such results are available.
* * * * *
    (h) * * *
    (4) * * *
    (ii) * * *
    (B) Update of unescorted access or unescorted access authorization. 
For individuals whose last unescorted access or unescorted access 
authorization status has been interrupted for greater than 365 calendar 
days but fewer than 3 years, the licensee, applicant or contractor or 
vendor shall evaluate the period of time since the individual last held 
unescorted access or unescorted access authorization status, up to and 
including the day the individual applies for updated unescorted access 
authorization. For the 1-year period preceding the date upon which the 
individual applies for unescorted access authorization, the licensee, 
applicant, or contractor or vendor shall ensure that the employment 
history evaluation is conducted with every employer, regardless of the 
length of employment. For the remaining period, the licensee, applicant 
or contractor or vendor shall ensure that the employment history 
evaluation is conducted with the employer by whom the individual claims 
to have been employed the longest within each calendar month. In 
addition, the individual shall be subject to the psychological 
assessment required in Sec.  73.56(e).
* * * * *
    (i) * * *
    (1) * * *
    (iv) The individual's supervisor interacts with the individual with 
a frequency that allows the supervisor to form an informed and 
reasonable opinion regarding the individual's behavior, 
trustworthiness, and reliability; or the individual is subject to an 
annual (within 365 calendar days) supervisory review conducted in 
accordance with the requirements of the licensee's or applicant's 
behavioral observation program.
    (v) * * *
    (A) A criminal history update for any individual with unescorted 
access. The criminal history update must be completed within 5 years of 
the date on which these elements were last completed or, for licensees 
or approved applicants that participate in a U.S. Government monitoring 
and notification program through a Memorandum of Understanding with the 
NRC, within 10 years of the date on which these elements were last 
completed.
    (B) For individuals who perform one or more of the job functions 
described in this paragraph that are critical to the safe and secure 
operation of the facility, the trustworthiness and reliability 
determination must be based on a criminal history update within 5 years 
of the date on which these elements were last completed or, for 
licensees or approved applicants that participate in a U.S. Government 
monitoring and notification program through a Memorandum of 
Understanding with the NRC, within 10 years of the date on which these 
elements were last completed, or more frequently, based on job 
assignment as determined by the licensee or applicant; and a 
psychological re-assessment within 5 years of the date on which this 
element was last completed:
* * * * *
    (4) Individuals who have access, extensive knowledge, or 
administrative control over plant digital computer and communication 
systems and networks as identified in Sec.  73.54 or Sec.  73.110, as 
applicable, including--
* * * * *
    (j) Access to vital areas. Licensees or applicants shall establish, 
implement, and maintain a list of individuals who

[[Page 38976]]

are authorized to have unescorted access to specific nuclear power 
plant vital areas during non-emergency conditions. The list must 
include only those individuals who have a continued need for access to 
those specific vital areas in order to perform their duties and 
responsibilities. The list must be approved by a cognizant licensee or 
applicant manager or supervisor who is responsible for directing the 
work activities of the individual who is granted unescorted access to 
each vital area, and updated and re-approved no less frequently than 
every 31 days or, for licensees that participate in a U.S. Government 
monitoring and notification program through a Memorandum of 
Understanding with the NRC, no less frequently than every 6 months.
* * * * *
67. In Sec.  73.57, revise paragraph (b)(2)(v) to read as follows:


Sec.  73.57  Requirements for criminal history records checks of 
individuals granted unescorted access to a nuclear power facility, a 
non-power reactor, or access to Safeguards Information.

* * * * *
    (b) * * *
    (2) * * *
    (v) Individuals who have a valid unescorted access authorization to 
a non-power reactor facility on November 7, 2012, are not required to 
undergo a new fingerprint-based criminal history records check pursuant 
to paragraph (g) of this section, until such time that the existing 
authorization expires, is terminated, or is otherwise to be renewed.
* * * * *


Sec.  73.58  [Reserved]

68. Remove and reserve Sec.  73.58.
69. In Sec.  73.59, revise paragraph (j) to read as follows:


Sec.  73.59  Relief from fingerprinting, identification and criminal 
history records checks and other elements of background checks for 
designated categories of individuals.

* * * * *
    (j) Representatives of the International Atomic Energy Agency 
(IAEA) who have been certified by the NRC;
* * * * *


Sec.  73.61  [Amended]

70. In Sec.  73.61(h), remove the phrase ``engaged in activities 
associated with the U.S./IAEA Safeguards Agreement''.
71. In Sec.  73.67, revise paragraphs (b)(1)(i), (d), and the 
introductory text of paragraph (f) to read as follows:


Sec.  73.67  Licensee fixed site and in-transit requirements for the 
physical protection of special nuclear material of moderate and low 
strategic significance.

* * * * *
    (b) * * *
    (1) * * *
    (i) Special nuclear material which is not readily separable from 
other radioactive material and which has a total external radiation 
level more than 1 gray (100 rad) per hour at 1 meter (3.3 feet) from 
any accessible surface without intervening shielding, or
* * * * *
    (d) Fixed site requirements for special nuclear material of 
moderate strategic significance. Except as allowed by paragraph (b)(2) 
of this section and except those who are licensed to operate a nuclear 
power reactor pursuant to part 50, part 52, or part 53 of this chapter, 
provided that the special nuclear material is located within a 
protected area and protected under Sec.  73.55 or Sec.  73.100, each 
licensee who possesses, stores, or uses quantities and types of special 
nuclear material of moderate strategic significance at a fixed site or 
contiguous sites must meet the following general performance objectives 
and requirements, in addition to those in paragraph (a) of this 
section:
    (1)(i) Store or use the material only within a controlled access 
area;
    (ii) Provide prompt detection and assessment of unauthorized access 
or activities by an external adversary within the controlled access 
area;
    (iii) Provide prompt detection of removal of special nuclear 
material by an external adversary from a controlled access area;
    (iv) Mitigate the risk of bulk theft of special nuclear material;
    (v) Delay an external adversary from completing a bulk theft of 
special nuclear material sufficiently to allow response forces to 
impede the adversary and facilitate recovering the special nuclear 
material;
    (vi) Analyze and identify in the security plan site-specific 
conditions that may affect the specific measures needed to implement 
the requirements of this subpart and must account for these conditions 
in the design of the physical protection program;
    (vii) Provide defense-in-depth through the integration of systems, 
technologies, programs, equipment, supporting processes, and security 
implementing procedures as needed to ensure the effectiveness of the 
physical protection program;
    (viii) Coordinate the implementation of the security plan and 
associated procedures with other onsite plans and procedures to 
preclude conflict during normal conditions and minimize conflict during 
emergency conditions;
    (ix) Assess and manage the potential for adverse effects on safety, 
security, and material control and accounting before implementing 
changes to facility configurations, facility conditions, or security;
    (x) Communicate potential conflicts among safety, security, and 
material control and accounting to appropriate licensee personnel and 
take compensatory and/or mitigating actions to maintain safety, 
security, and material control and accounting at the facility.
    (2) In addition, the licensee must:
    (i) Establish and maintain written response procedures for dealing 
with threats of thefts or thefts of Category II quantities of SNM.
    (ii) Provide a process for the written approval of security 
implementing procedures and revisions by an individual with overall 
responsibility for the physical protection program.
    (iii) Identify and analyze site-specific conditions to determine 
the specific use, type, function, and placement of physical barriers 
needed to delay an external adversary from removal of special nuclear 
material and completing a vehicle-assisted bulk theft of special 
nuclear material to allow response forces to impede the adversary or 
facilitate recovery of the special nuclear material.
    (iv) Establish an access authorization program to include a 
background investigation to ensure that the individuals granted 
unescorted access to special nuclear material are trustworthy and 
reliable. The background investigation must include at a minimum:
    (A) Consideration of criminal history based on fingerprinting and 
an FBI identification and criminal history records check in accordance 
with Sec.  73.57;
    (B) Verification of the true identity of the individual who is 
applying for unescorted access to ensure that the applicant is who he 
or she claims to be;
    (C) Verification of employment history, including military history;
    (D) Verification of the individual's educational history; and
    (E) Consideration of an individual's character and reputation 
determination.
    (v) Monitor with an intrusion alarm or other device or procedures 
the controlled access areas to detect unauthorized penetration or 
activities involving Category II quantities of SNM.
    (vi) Provide surveillance, observation, and monitoring, as needed, 
to satisfy the general performance objective and requirements, and 
identify indications 
of tampering of components of the physical protection program 
including, but not limited to, barriers, access control devices, and 
intrusion detection equipment.
    (vii) Establish and maintain continuous communication capability 
with onsite and offsite resources to ensure effective command and 
control during both normal and emergency situations.
    (viii) To the extent practicable, document and maintain current 
agreements with applicable law enforcement agencies to include 
estimated response times and capabilities. In addition, the licensee 
must provide necessary information about the site and nuclear material 
locations and make available periodic training to law enforcement to 
support response actions.
    (ix) Establish, implement, and maintain a threat warning system 
that identifies specific graduated protective measures and actions to 
be taken to increase licensee preparedness against a heightened 
security threat.
    (x) Upon receipt of an alarm or other indication of a threat, 
determine the existence and level of the threat in accordance with pre-
established assessment methodologies, initiate response actions to 
promptly detect attempts to remove SNM and notify local law enforcement 
agencies to recover SNM in accordance with security implementing 
procedures.
    (xi) Review each element of the physical protection program:
    (A) At least every 24 months;
    (B) More frequently as necessary based upon site-specific analysis, 
assessments, or other performance indicators; and
    (C) Within 12 months following initial implementation of the 
physical protection program or a change in personnel, procedures, 
equipment, or facilities that could adversely affect security.
    (xii) Establish, maintain, and implement a maintenance, testing, 
and calibration program to ensure that physical protection systems and 
equipment, including secondary and uninterruptible power supplies, are 
tested for operability and performance at predetermined intervals, 
maintained in operable condition, and can perform their intended 
functions.
    (xiii) Identify criteria and measures to compensate for degraded or 
inoperable equipment, systems, and components of the physical 
protection program.
    (A) Compensatory measures must provide a level of protection that 
is equivalent to the protection that was provided by the degraded or 
inoperable equipment, systems, or components, when fully functional.
    (B) Compensatory measures must be implemented within specific 
timeframes necessary to meet the general performance objective and 
requirements and described in the security plan.
    (C) Compensatory measures must not be used in lieu of performing 
timely repair on the degraded or inoperable equipment, systems, or 
components.
    (xiv) Maintain all reports, records, or documents required to be 
kept by Commission regulations, orders, or license conditions, until 
the Commission terminates the license for which the records were 
developed and must maintain superseded portions of these records for at 
least 3 years after the record is superseded, unless otherwise 
specified by the Commission.
    (A) The Commission may inspect, copy, and retain copies of all 
reports, records, and documents required to be kept by Commission 
regulations, orders, or license conditions, whether the reports, 
records, and documents are kept by the licensee or a contractor.
    (B) If a contracted security force is used to implement the onsite 
physical protection program, the licensee's written agreement with the 
contractor must be retained by the licensee as a record for the 
duration of the contract.
    (C) Review and audit reports must be maintained and available for 
inspection, for a period of 3 years.
    (3) In addition to the fixed-site requirements set forth in this 
section, the Commission may incorporate or eliminate, depending on the 
individual facility and site conditions, any existing, alternate, or 
additional measures deemed necessary to protect against theft or 
diversion of Category II special nuclear material.
    (4) Alternative measures. The Commission may authorize an applicant 
or licensee to use a measure other than one required by this section, 
if the applicant or licensee demonstrates that the measure meets the 
same performance objectives and requirements in paragraphs (a) and 
(b)(1) of this section.
    (i) The licensee must submit the proposed alternative measures to 
the Commission for review and approval in accordance with Sec.  50.90, 
Sec.  53.1510, or Sec.  70.34 of this chapter, as applicable, before 
implementation.
    (ii) In addition to fully describing the desired changes, the 
licensee must submit a technical basis for each proposed alternative 
measure. The basis must include an analysis or assessment that 
demonstrates how the proposed alternative measure provides a level of 
protection that is at least equal to that which would otherwise be 
provided by the specific requirement of this subpart for which the 
alternative measure is proposed.
* * * * *
    (f) Fixed site requirements for special nuclear material of low 
strategic significance. Each licensee who possesses, stores, or uses 
special nuclear material of low strategic significance at a fixed site 
or contiguous sites, except those who are licensed to operate a nuclear 
power reactor pursuant to part 50, part 52, or part 53, provided that 
the special nuclear material is located within a protected area and 
protected under Sec.  73.55 or Sec.  73.100, shall:
* * * * *


Sec.  73.70  [Amended]

72. In Sec.  73.70, in paragraph (b), remove the phrase ``and badge 
numbers'' and add in its place the phrase ``badge numbers or a 
personnel identification system''; and in paragraph (d), remove the 
phrase ``badge number'' and add in its place the phrase ``badge number 
or personnel identification system''.
73. Revise Sec.  73.77 to read as follows:


Sec.  73.77  Cybersecurity event notifications.

    (a) Each licensee subject to the provisions of Sec.  73.54 or Sec.  
73.110 must notify the NRC Headquarters Operations Center of a 
cyberattack that adversely impacted a safety or security function using 
the procedures of Sec.  50.72 or Sec.  53.1630 of this chapter or Sec.  
73.1200 of this part based on the function adversely impacted (safety 
or security).
    (b) If it is later determined that the cause of a previously 
reported event was from a cyberattack, the NRC shall be notified using 
one of the following applicable methods:
    (1) Follow up notification process as specified in Sec.  50.72 or 
Sec.  53.1630 of this chapter;
    (2) Significant supplemental information process as specified in 
Sec.  73.1200 of this part; or
    (3) Submission of a Licensee Event Report as specified in Sec.  
50.73 or Sec.  53.1640 of this chapter, or Sec.  73.1205 of this part.
74. In Sec.  73.100, revise paragraph (a)(1) to read as follows:

Subpart J--Security Notifications, Reports, and Recordkeeping


Sec.  73.100  Technology-inclusive requirements for physical protection 
of licensed activities at commercial nuclear plants against 
radiological sabotage.

    (a) * * *
    (1) Each licensee that is licensed to operate a commercial nuclear 
plant 
under 10 CFR part 53 of this chapter and elects to implement the 
requirements of this section, and each licensee that is licensed to 
operate a nuclear power plant under 10 CFR part 50 or 52 of this 
chapter after [EFFECTIVE DATE] and elects to implement the requirements 
of this section, must identify achievable target sets in accordance 
with paragraph (b)(5) of this section and develop, implement, and 
maintain a physical protection program under the following 
requirements:
* * * * *
75. In Sec.  73.110, revise paragraph (a) and the introductory text to 
paragraph (b) to read as follows:


Sec.  73.110  Technology-inclusive requirements for protection of 
digital computer and communication systems and networks.

    (a) Each licensee that is licensed to operate a commercial nuclear 
plant under 10 CFR part 53 and elects to implement the requirements of 
this section, and each licensee that is licensed to operate a nuclear 
power plant under 10 CFR part 50 or 52 after [EFFECTIVE DATE] and 
elects to implement the requirements of this section, must establish, 
implement, and maintain a cybersecurity program that is commensurate 
with the potential consequences resulting from cyberattacks, up to and 
including the design basis threat as described in Sec.  73.1 of this 
part. The cybersecurity program must provide reasonable assurance that 
digital computer and communication systems and networks are adequately 
protected against cyberattacks that are capable of causing the 
following consequences:
    (1) Adversely impacting the safety, security, and emergency 
preparedness functions performed by digital assets that prevent a 
postulated fission product release resulting in offsite doses exceeding 
the values in Sec.  50.34(a)(1)(ii)(D), Sec.  52.47(a)(2)(iv), or Sec.  
53.210 of this chapter, as applicable.
    (2) Adversely impacting the security functions performed by digital 
assets necessary for implementing the physical security requirements in 
Sec.  53.860(a) of this chapter or Sec.  73.55 of this part, as 
applicable.
    (b) To protect digital computer and communication systems and 
networks associated with the functions described in paragraphs (a)(1) 
and (2) of this section (including support systems and equipment which 
if compromised adversely impact these functions), the licensee must-- 
* * *
* * * * *
76. In Sec.  73.120, revise paragraph (a) to read as follows:


Sec.  73.120  Access authorization program for commercial nuclear 
plants.

    (a) Introduction and scope.
    (1) Each applicant for or holder of an operating license or 
combined license under part 50, 52, or 53 of this chapter, who 
demonstrates compliance with Sec.  73.55(a)(1)(i) or Sec.  
73.100(a)(1)(i), as applicable, must establish, maintain, and implement 
an access authorization program that meets the requirements of this 
section before initial fuel load into the reactor (or, for a fueled 
manufactured reactor, before initiating the removal of features to 
prevent criticality).
    (2) The licensee or applicant may accept, in part or whole, an 
access authorization program implemented by a contractor or vendor to 
satisfy appropriate elements of their access authorization program in 
accordance with the requirements of this section. Only a licensee may 
grant an individual unescorted access, and only a licensee or applicant 
may certify an individual's unescorted access authorization. Licensees 
and applicants are responsible for maintaining, denying, terminating, 
or withdrawing unescorted access authorization.
* * * * *
77. Amend Sec.  73.1200 as follows:
a. Revise the section heading;
b. Revise paragraph (b)(3)(ii);
c. Revise and republish paragraph (c)(1)(i);
d. Revise paragraphs (e)(1)(iv) and (v), (e)(2), and (e)(3)(i), (g)(1), 
the introductory text to paragraphs (m)(1) and (n)(1), and paragraph 
(o)(3);
e. Redesignate paragraph (q)(2) as paragraph (q)(3) and add new 
paragraph (q)(2); and
f. Revise paragraphs (s) and (t).
    The revisions and additions to read as follows:


Sec.  73.1200  Notification of security events.

* * * * *
    (b) * * *
    (3) * * *
    (ii) Briefly describe the nature of the hostile action or event, 
including:
    (A) Type of hostile action or event (e.g., armed assault, vehicle 
bomb, theft of shipment, sabotage, etc.); and
    (B) The current status (i.e., imminent, in progress, or 
neutralized).
* * * * *
    (c) * * *
    (1) * * *
    (i) Any event in which there is reason to believe that a person has 
committed or caused, or attempted to commit or cause, or has made a 
threat to commit or cause:
    (A) The theft or diversion of a Category I, II, or III quantity of 
SSNM; a Category II or III quantity of special nuclear material (SNM); 
SNF; or HLW;
    (B) Significant physical damage to any nuclear power reactor, to a 
facility possessing a Category I or II quantity of SSNM, or to a 
facility storing or disposing of SNF and/or HLW;
    (C) The unauthorized operation, manipulation, or tampering with any 
nuclear power reactor's controls or with structures, systems, and 
components (SSCs) that results in the interruption of normal operation 
of the reactor; or
    (D) The unauthorized operation, manipulation, or tampering with any 
Category I SSNM facility's SSCs that results in an accidental 
criticality.
* * * * *
    (e) * * *
    (1) * * *
    (iv) The attempted introduction of contraband into a PA, VA, or 
MAA;
    (v) The discovery that a weapon that is authorized by the 
licensee's security plan is lost within a PA, VA, or MAA;
* * * * *
    (2) An event related to the licensee's implementation of their 
security program for which a notification was made to local, State, or 
Federal law enforcement officials (other than a suspicious activity 
report made under Sec.  73.1215 of this part) provided that the event 
does not otherwise require a notification under paragraphs (a) through 
(h) of this section.
    (3)(i) An event involving a law enforcement response to the 
facility that could reasonably be expected to result in public or media 
inquiries and that does not otherwise require a notification under 
paragraphs (a) through (h) of this section, or in other NRC regulations 
such as Sec.  50.72(b), Sec.  53.1630(b), or Sec.  72.75(b)(2) of this 
chapter, or under Sec.  73.1215 of this part.
* * * * *
    (g) Eight-hour notifications--facilities. (1) Each licensee subject 
to the provisions of Sec.  73.20, Sec.  73.45, Sec.  73.46, Sec.  
73.50, Sec.  73.51, Sec.  73.55, Sec.  73.60, Sec.  73.67, or Sec.  
73.100 must notify the NRC Headquarters Operations Center within 8 
hours after time of discovery of the following facility security 
program failures or cybersecurity events involving--
    (i) Any failure, degradation, or vulnerability in a security or 
safeguards system, for which compensatory measures have not been 
employed within the required timeframe, that could allow unauthorized 
or undetected access of--
    (A) Unauthorized personnel into a PA, VA, MAA, or CAA; or
    (B) Contraband into a PA, VA, or MAA;
    (ii) The unauthorized operation, manipulation, or tampering with 
any nuclear power reactor's controls or with SSCs that does not result 
in the interruption of normal operation of the reactor;
    (iii) The unauthorized operation, manipulation, or tampering with 
any Category I SSNM facility's SSCs that does not result in the 
interruption of normal operation of the facility or an accidental 
criticality; or
    (iv) For licensees subject to the provisions of Sec.  73.77 of this 
part, a cybersecurity event that impacted the ability of the facility's 
SSCs to perform their intended security functions.
* * * * *
    (m) Enhanced weapons notifications--stolen or lost. (1) Each 
licensee possessing enhanced weapons in accordance with Sec.  73.15 of 
this part must--
* * * * *
    (n) Enhanced weapons--adverse ATF findings. (1) Each licensee 
possessing enhanced weapons in accordance with Sec.  73.15 of this part 
must--
* * * * *
    (o) * * *
    (3) Notifications required by this section that contain Safeguards 
Information may be made to the NRC Headquarters Operations Center 
without using secure communications systems under the exception of 
Sec.  73.22(f)(3) of this part for the communication of emergency or 
extraordinary conditions.
* * * * *
    (q) * * *
    (2) Licensees desiring to retract a previous cybersecurity event 
notification made under paragraph (g) of this section, which has been 
determined to be invalid or not reportable in accordance with the 
requirements of paragraph (g) of this section must telephonically 
notify the NRC Headquarters Operations Center in accordance with 
paragraph (o) of this section and indicate the report that is being 
retracted and the basis for the retraction.
* * * * *
    (s) Elimination of duplication.
    (1) Licensees with notification obligations under paragraphs (a) 
through (h), (m), and (n) of this section and Sec.  50.72, 53.1630, 
63.73, 70.50, 72.75, or 95.57 of this chapter may notify the NRC of 
events in a single communication.
    (2) A licensee notifying the NRC of multiple events in a single 
communication must identify each regulation under which the licensee is 
reporting an event.
    (t) Classified information.
    (1) A licensee's notifications regarding security events associated 
with the deliberate disclosure, theft, loss, compromise, or possible 
compromise of classified documents, information, or material must 
comply with the requirements found in Sec.  95.57 of this chapter.
    (2) A licensee notifying the NRC of an event involving both 
information security issues (regarding classified documents, 
information, or material) pursuant to Sec.  95.57 of this chapter and 
physical security issues pursuant to paragraphs (a) through (h), (m), 
and (n) of this section, may notify the NRC in a single communication 
under paragraph (s) of this section.
78. In Sec.  73.1205, revise the section heading and paragraphs (a)(2) 
and (e) to read as follows:


Sec.  73.1205  Written follow-up reports of security events.

    (a) * * *
    (2) As an exemption, licensees are not required to submit a written 
follow-up report subsequent to a telephonic notification made--
    (i) Under the provisions of Sec. Sec.  73.1200(a) and (b) regarding 
15-minute event notifications;
    (ii) Under the provisions of Sec. Sec.  73.1200(g) and (h) 
regarding 8-hour event notifications;
    (iii) Under the provisions of Sec. Sec.  73.1200(e) and (f) 
regarding interactions with a Federal, State, or local law-enforcement 
agency;
    (iv) Under the provisions of Sec.  73.1200(m) regarding lost or 
stolen enhanced weapons; or
    (v) Under the provisions of Sec.  73.1200(n) regarding adverse 
findings from the Bureau of Alcohol, Tobacco, Firearms and Explosives 
(ATF) for enhanced weapons possessed by the licensee.
* * * * *
    (e) Records retention. Licensees must maintain a copy of a written 
follow-up report as a record for a period of 3 years from the date of 
the report or until termination of the license, whichever is earlier.
79. In Sec.  73.1210, revise the section heading, paragraphs (b)(2) and 
(3)(iii), and paragraph (e) to read as follows:


Sec.  73.1210  Recordkeeping of security events.

* * * * *
    (b) * * *
    (2) Licensees must retain these records for a period up to 3 years 
after the last entry is recorded, or until their license is terminated, 
whichever is earlier.
    (3) * * *
* * * * *
    (iii) Licensees must ensure that Safeguards Information or 
classified security information associated with these records is 
created, stored, and handled in accordance with the provisions of 
Sec. Sec.  73.21 and 73.22 of this part, or of part 95 of this chapter, 
as applicable.
* * * * *
    (e) Uncontrolled weapons events.
    (1) The discovery that an authorized weapon is uncontrolled within 
a licensee's PA, VA, or MAA.
    (2) Uncontrolled authorized weapons are defined as weapons that are 
authorized under the licensee's security plan and are not in the 
possession of authorized personnel or are not in an authorized weapons' 
storage location.
* * * * *
80. In Sec.  73.1215:
a. Revise paragraphs (a) and (c);
b. In paragraph (d)(1)(v), remove the phrase ``aircraft activities'' 
and add in its place the phrase ``crewed/uncrewed aviation-related 
assets engaging in overflight activities''.
    The revisions read as follows:


Sec.  73.1215  Suspicious activity reports.

    (a) Purpose. This section sets forth the reporting criteria and 
process for licensees to use in reporting suspicious activities. 
Licensees are required to report suspicious activities to the local law 
enforcement agency (LLEA), the applicable Federal Bureau of 
Investigation (FBI) field office, the NRC, and the applicable Federal 
Aviation Administration (FAA) facility if crewed/uncrewed aviation-
related assets are a part of the suspicious activity.
* * * * *
    (c) General requirements.
    (1)(i) Licensees subject to paragraphs (d), (e), and (f) of this 
section must report suspicious activities that are applicable to their 
facility, material, or shipping activity.
    (ii) If a suspicious activity requires a physical security event 
notification pursuant to Sec.  73.1200, then the licensee is not 
required to also report the occurrence as a suspicious activity 
pursuant to this section.
    (iii) If a suspicious activity report results in a LLEA response, 
the licensee must notify the NRC in accordance with the requirements of 
Sec.  73.1200.
    (iv) Licensees subject to paragraph (d) of this section and part 37 
of this chapter who are reporting suspicious activities at their 
facility per this section are not required to submit a duplicate report 
under Sec.  37.57 of this chapter.

[[Page 38980]]

    (2)(i) Licensees must promptly assess whether an activity is 
suspicious. Licensees may review additional information as part of an 
assessment process, including interactions with their LLEA. However, 
such assessments and any subsequent reporting must be completed as soon 
as possible, but within 4 hours of the time of discovery. The licensee 
must base its assessment upon its best available information on the 
activity, which may include its knowledge of its locale and the local 
population.
    (ii) The licensee's assessment of a potential suspicious activity, 
and any discussion of this activity with its LLEA, does not constitute 
a conclusion, in and of itself, that the activity is suspicious.
    (iii) Licensees are not required to report activities that, based 
on their assessment, appear to be innocent or innocuous.
    (3) For a suspicious activity specified under paragraph (d) of this 
section, the licensee must make the following reports. A licensee may 
depart from the standard order of precedence of these reports, if it 
determines the circumstances warrant such action:
    (i) First, to their LLEA;
    (ii) Second, to their applicable FBI field office;
    (iii) Third, to the NRC Headquarters Operations Center; and
    (iv) Lastly, to the applicable FAA facility if the suspicious 
activity involves crewed/uncrewed aviation-related assets that are 
engaged in overflights in proximity to the licensee's facility.
    (4) For a suspicious activity specified under paragraphs (e) and 
(f) of this section, the licensee or its designated movement control 
center must make the following reports, in the order indicated. A 
licensee or its movement control center may depart from the standard 
order of precedence of these reports, if it determines the 
circumstances warrant such action:
    (i) First, to the applicable LLEA;
    (ii) Second, to the applicable FBI field office; and
    (iii) Lastly, to the NRC Headquarters Operations Center.
    (iv) For licensees making such reports related to shipping 
activities, the licensee responsible for the security of the shipment 
must contact the applicable FBI field office.
    (v) For a movement control center making such reports related to 
shipping activities, the applicable FBI field office is as requested by 
the FBI. As such, the FBI may direct the use of the FBI field office 
applicable to the movement control center itself or to the FBI field 
office applicable to the licensee responsible for the security of the 
shipment.
    (5)(i) Licensees subject to paragraphs (d) and (f) of this section 
must establish a point of contact with their applicable FBI field 
office.
    (ii) Licensees subject to paragraph (d) of this section must 
establish a point of contact with their applicable FAA facility.
    (6)(i) For licensees subject to paragraph (e) of this section who 
are responsible for the security of the shipment(s), the licensee must 
establish a point of contact with their applicable FBI field office.
    (ii) For licensees subject to paragraph (e) of this section who are 
employing the services of a movement control center, the movement 
control center must establish a point of contact with its applicable 
FBI field office.
    (7) Licensees and movement control centers reporting suspicious 
activities to the NRC must notify the NRC Headquarters Operations 
Center by the telephone number specified in Table 1 of appendix A of 
this part.
    (8)(i) Licensees and movement control centers reporting suspicious 
activities must document the LLEA and FBI points of contact in written 
security communication procedures or route approvals, as applicable.
    (ii) Licensees reporting suspicious crewed/uncrewed aviation-
related assets engaging in overflight activities must document the FAA 
point of contact in written communication procedures.
* * * * *
81. In appendix A to part 73, revise and republish table 1 and table 2 
to read as follows:

Appendix A to Part 73--U.S. Nuclear Regulatory Commission Offices and 
Classified Mailing Addresses

                       Table 1--Mailing Addresses, Telephone Numbers, and Email Addresses
----------------------------------------------------------------------------------------------------------------
                                               Address            Telephone  (24-hour)            Email
----------------------------------------------------------------------------------------------------------------
NRC Headquarters Operations Center...  USNRC, Division of       (301) 816-5100; (301)    [email protected];
                                        Preparedness and         816-5151 (fax).          [email protected]
                                        Response, Washington,                             (secure).
                                        DC 20555-0001.
Region I: Connecticut, Delaware,       USNRC, Region I, 475     (610) 337-5000, (800)    RidsRgn1MailCenter@nrc.
 District of Columbia, Maine,           Allendale Road, Suite    432-1156 TDD: (301)      gov.
 Maryland, Massachusetts, New           102, King of Prussia,    415-5575.
 Hampshire, New Jersey, New York,       PA 19406-1415.
 Pennsylvania, Rhode Island, and
 Vermont.
Region II: Alabama, Florida, Georgia,  USNRC, Region II, 245    (404) 997-4000, (800)    RidsRgn2Mail
 Kentucky, North Carolina, Puerto       Peachtree Center         877-8510, TDD: (301)     [email protected]
 Rico, South Carolina, Tennessee,       Avenue, NE., Suite       415-5575.
 Virginia, Virgin Islands, and West     1200, Atlanta, GA
 Virginia.                              30303-1257.
Region III: Illinois, Indiana, Iowa,   USNRC, Region III, 2056  (630) 829-9500, (800)    RidsRgn3MailCenter@nrc.
 Michigan, Minnesota, Missouri, Ohio    Westings Ave, Suite      522-3025, TDD: (301)     gov
 and Wisconsin.                         400, Naperville, IL      415-5575.
                                        60563-2657.
Region IV: Alaska, Arizona, Arkansas,  US NRC, Region IV, 1600  (817) 200-1100, (800)    RidsRgn4MailCenter@nrc.
 California, Colorado, Hawaii, Idaho,   E Lamar Blvd.,           952-9677, TDD: (301)     gov.
 Kansas, Louisiana, Mississippi,        Arlington, TX 76011-     415-5575.
 Montana, Nebraska, Nevada, New         4511.
 Mexico, North Dakota, Oklahoma,
 Oregon, South Dakota, Texas, Utah,
 Washington, Wyoming, and the U.S.
 territories and possessions in the
 Pacific.
----------------------------------------------------------------------------------------------------------------


[[Page 38981]]


                  Table 2--Classified Mailing Addresses
------------------------------------------------------------------------
                                                   Address
------------------------------------------------------------------------
NRC Headquarters..................  U.S. NRC, 11555 Rockville Pike, P.O.
                                     Box 2500, Rockville, MD 20852-2738.
Region I..........................  U.S. NRC, 475 Allendale Road, Suite
                                     102, King of Prussia, PA 19406-
                                     1415.
Region II.........................  USNRC, P.O. Box 56267, Atlanta, GA
                                     30343.
Region III........................  USNRC, Region III, 2056 Westings
                                     Ave, Suite 400, Naperville, IL
                                     60563-2657.
Region IV.........................  US NRC, Region IV, 1600 E. Lamar
                                     Blvd., Arlington, TX 76011-4511.
------------------------------------------------------------------------

* * * * *
82. Revise and republish Appendix B to part 73 to read as follows:

Appendix B to Part 73--General Criteria for Security Personnel

Table of Contents

Introduction.
Definitions.
Criteria.
I. Employment suitability and qualification.
    A. Suitability.
    B. Physical and mental qualifications.
    C. Medical examination and physical fitness qualifications.
    D. Contract security personnel.
    E. Physical and medical requalification.
    F. Documentation.
II. Training and qualifications.
    A. Training requirements.
    B. Qualification requirements.
    C. Contract personnel.
    D. Security knowledge, skills, and abilities.
    E. Requalification.
III. Weapons training and qualification.
IV. Weapons qualification and requalification program.
V. Guard, armed response personnel, and armed escort equipment.
VI. Nuclear Power Reactor Training and Qualification Plan for 
Personnel Performing Security Program Duties.
    A. General Requirements and Introduction.
    B. Employment Suitability and Qualification.
    C. Duty Training.
    D. Duty Qualification and Requalification.
    E. Weapons Training.
    F. Weapons Qualification and Requalification Program.
    G. Weapons Maintenance.
    H. Records.
    I. Reviews.
    J. Definitions.

Introduction

    Applicants and power reactor licensees subject to the 
requirements of Sec.  73.55 shall comply with the requirements of 
section I, ``Employment Suitability and Qualification,'' paragraphs 
I.A, I.B.1.a., I.B.1.b.(1),(a)-(b), I.B.1.b.(2),(a)-(c) and section 
VI of this appendix for armed and unarmed individuals who are 
assigned security duties. All other licensees, applicants, or 
certificate holders shall comply only with sections I through V of 
this appendix.
    Security personnel who are responsible for the protection of 
special nuclear material on site or in transit and for the 
protection of the facility or shipment vehicle against radiological 
sabotage should, like other elements of the physical security 
system, be required to meet minimum criteria to ensure that they 
will effectively perform their assigned security-related job duties. 
In order to ensure that those individuals responsible for security 
are properly equipped and qualified to execute the job duties 
prescribed for them, the NRC has developed general criteria that 
specify security personnel qualification requirements.
    These general criteria establish requirements for the selection, 
training, equipping, testing, and qualification of individuals who 
will be responsible for protecting special nuclear materials, 
nuclear facilities, and nuclear shipments.
    When required to have security personnel that have been trained, 
equipped, and qualified to perform assigned security job duties in 
accordance with the criteria in this appendix, the licensee must 
establish, maintain, and follow a plan that shows how the criteria 
will be met. The plan must be submitted to the NRC for approval and 
must be implemented within 30 days after approval by the NRC unless 
otherwise specified by the NRC in writing.

Definitions

    Terms defined in parts 50, 53, 70, and 73 of this chapter have 
the same meaning when used in this appendix.

Criteria

I. Employment Suitability and Qualification

    A. Suitability.
    1. Before employment, or assignment to the security 
organization, an individual shall:
    a. Possess a high school diploma or pass an equivalent 
performance examination designed to measure basic mathematical, 
language, and reasoning skills, abilities, and knowledge required to 
perform security duties and responsibilities;
    b. Have attained the age of 18 for an unarmed capacity; or have 
attained the age of 18 or the minimum age required by applicable 
State law for an armed capacity, whichever is older;
    c. Not have any felony convictions that reflect on the 
individual's reliability; and
    d. Not be disqualified, in accordance with applicable state or 
Federal law from possessing or using firearms or ammunition.
    (1) Licensees may use the information that has been obtained 
during the completion of the individual's background investigation 
for unescorted access to determine suitability; or
    (2) Licensees may use the satisfactory completion of a firearms 
background check for the individual under Sec.  73.17 of this part 
to also fulfill this requirement.
    2. The qualification of each individual to perform assigned 
duties and responsibilities must be documented.
    B. Physical and mental qualifications.
    1. Physical qualifications:
    a. Individuals whose security tasks and job duties are directly 
associated with the effective implementation of the licensee 
physical security and contingency plans shall have no physical 
weaknesses or abnormalities that would adversely affect their 
performance of assigned security job duties.
    b. In addition to a. above, guards, armed response personnel, 
armed escorts, and central alarm station operators shall 
successfully pass a physical examination administered by a licensed 
physician. The examination shall be designed to measure the 
individual's physical ability to perform assigned security job 
duties as identified in the licensee physical security and 
contingency plans. Armed personnel shall meet the following 
additional physical requirements:
    (1) Vision:
    (a) For each individual, distant visual acuity in each eye shall 
be correctable to 20/30 (Snellen or equivalent) in the better eye 
and 20/40 in the other eye with eyeglasses or contact lenses. If 
uncorrected distance vision is not at least 20/40 in the better eye, 
the individual shall carry an extra pair of corrective lenses. Near 
visual acuity, corrected or uncorrected, shall be at least 20/40 in 
the better eye. Field of vision must be at least 70[deg] horizontal 
meridian in each eye. The ability to distinguish red, green, and 
yellow colors is required. Loss of vision in one eye is 
disqualifying. Glaucoma shall be disqualifying, unless controlled by 
acceptable medical or surgical means, provided such medications as 
may be used for controlling glaucoma do not cause undesirable side 
effects which adversely affect the individual's ability to perform 
assigned security job duties, and provided the visual acuity and 
field of vision requirements stated above are met. On-the-job 
evaluation shall be used for individuals who exhibit a mild color 
vision defect.
    (b) The use of corrective eyeglasses or contact lenses shall not 
interfere with an individual's ability to effectively perform 
assigned security job duties during normal or emergency operations.
    (2) Hearing:
    (a) Individuals shall have no hearing loss in the better ear 
greater than 30 decibels average at 500 Hz, 1,000 Hz, and 2,000 Hz 
with no level greater than 40 decibels at any one frequency (by ISO 
389 ``Standard Reference Zero for the Calibration of Puritone 
Audiometer'' (1975) or ANSI S3.6-1969 (R. 1973) ``Specifications for 
Audiometers''). ISO 389 and ANSI S3.6-1969 have been approved for 
incorporation by reference by the Director of the Federal Register. 
A copy of each 
standard is available for inspection at the NRC Library, 11545 
Rockville Pike, Rockville, Maryland 20852-2738.
    (b) A hearing aid is acceptable provided suitable testing 
procedures demonstrate auditory acuity equivalent to the above 
stated requirement.
    (c) The use of a hearing aid shall not decrease the effective 
performance of the individual's assigned security job duties during 
normal or emergency operations.
    (3) Diseases--Individuals shall have no established medical 
history or medical diagnosis of epilepsy or diabetes, or, where such 
a condition exists, the individual shall provide medical evidence 
that the condition can be controlled with proper medication so that 
the individual will not lapse into a coma or unconscious state while 
performing assigned security job duties.
    (4) Addiction--Individuals shall have no established medical 
history or medical diagnosis of habitual alcoholism or drug 
addiction, or, where such a condition has existed, the individual 
shall provide certified documentation of having completed a 
rehabilitation program which would give a reasonable degree of 
confidence that the individual would be capable of performing 
assigned security job duties.
    (5) Other physical requirements--An individual who has been 
incapacitated due to a serious illness, injury, disease, or 
operation, which could interfere with the effective performance of 
assigned security job duties shall, prior to resumption of such 
duties, provide medical evidence of recovery and ability to perform 
such security job duties.
    2. Mental qualifications:
    a. Individuals 
whose security tasks and job duties are directly associated with the 
effective implementation of the licensee physical security and 
contingency plans shall demonstrate mental alertness and the 
capability to exercise good judgment, implement instructions, 
assimilate assigned security tasks, and possess the acuity of senses 
and ability of expression sufficient to permit accurate 
communication by written, spoken, audible, visible, or other signals 
required by assigned job duties.
    b. Armed individuals, and central alarm station operators, in 
addition to meeting the requirement stated in paragraph a. above, 
shall have no emotional instability that would interfere with the 
effective performance of assigned security job duties. The 
determination shall be made by a licensed psychologist or 
psychiatrist, or physician, or other person professionally trained 
to identify emotional instability.
    c. The licensee shall arrange for continued observation of 
security personnel and for appropriate corrective measures by 
responsible supervisors for indications of emotional instability of 
individuals in the course of performing assigned security job 
duties. Identification of emotional instability by responsible 
supervisors shall be subject to verification by a licensed, trained 
person.
    C. Medical examinations and physical fitness qualifications--
Guards, armed response personnel, armed escorts and other armed 
security force members shall be given a medical examination 
including a determination and written certification by a licensed 
physician that there are no medical contraindications as disclosed 
by the medical examination to participation by the individual in 
physical fitness tests. Subsequent to this medical examination, 
guards, armed response personnel, armed escorts and other armed 
security force members shall demonstrate physical fitness for 
assigned security job duties by performing a practical physical 
exercise program within a specific time period. The exercise program 
performance objectives shall be described in the license training 
and qualifications plan and shall consider job-related functions 
such as strenuous activity, physical exertion, levels of stress, and 
exposure to the elements as they pertain to each individual's 
assigned security job duties for both normal and emergency 
operations. The physical fitness qualification of each guard, armed 
response person, armed escort, and other security force member shall 
be documented by a licensee security supervisor or a qualified 
training instructor. The licensee shall retain this documentation as 
a record for three years from the date of each qualification.
    D. Contract security personnel--Contract security personnel 
shall be required to meet the suitability, physical, and mental 
requirements as appropriate to their assigned security job duties in 
accordance with section I of this appendix.
    E. Physical requalification--At least every 12 months, central 
alarm station operators shall be required to meet the physical 
requirements of B.1.b of this section, and guards, armed response 
personnel, and armed escorts shall be required to meet the physical 
requirements of paragraphs B.1.b (1) and (2), and C of this section. 
The licensee shall document each individual's physical 
requalification and shall retain this documentation of 
requalification as a record for three years from the date of each 
requalification.
    F. Documentation--The results of suitability, physical, and 
mental qualifications data and test results must be documented by 
the licensee or the licensee's agent. The licensee or the agent 
shall retain this documentation as a record for three years from the 
date of obtaining and recording these results.
    G. Nothing herein authorizes or requires a licensee to 
investigate into or judge the reading habits, political or religious 
beliefs, or attitudes on social, economic, or political issues of 
any person.

II. Training and Qualifications

    A. Training requirements--Each individual who requires training 
to perform assigned security-related job tasks or job duties as 
identified in the licensee physical security or contingency plans 
shall, prior to assignment, be trained to perform these tasks and 
duties in accordance with the licensee or the licensee's agent's 
documented training and qualifications plan. The licensee or the 
agent shall maintain documentation of the current plan and retain 
this documentation of the plan as a record for three years after the 
close of period for which the licensee possesses the special nuclear 
material under each license for which the plan was developed and, if 
any portion of the plan is superseded, retain the material that is 
superseded for three years after each change.
    B. Qualification requirements--Each person who performs 
security-related job tasks or job duties required to implement the 
licensee physical security or contingency plan shall, prior to being 
assigned to these tasks or duties, be qualified in accordance with 
the licensee's NRC-approved training and qualifications plan. The 
qualifications of each individual must be documented by a qualified 
training instructor or a security supervisor. The licensee shall 
retain this documentation of each individual's qualifications as a 
record for three years after the employee ends employment in the 
security-related capacity and for three years after the close of 
period for which the licensee possesses the special nuclear material 
under each license, and superseded material for three years after 
each change.
    C. Contract personnel--Contract personnel shall be trained, 
equipped, and qualified as appropriate to their assigned security-
related job tasks or job duties, in accordance with sections II, 
III, IV, and V of this appendix. The qualifications of each 
individual must be documented by a qualified training instructor or 
a licensee security supervisor. The licensee shall retain this 
documentation of each individual's qualifications as a record for 
three years after the employee ends employment in the security-
related capacity and for three years after the close of period for 
which the licensee possesses the special nuclear material under each 
license, and superseded material for three years after each change.
    D. Security knowledge, skills, and abilities--Each individual 
assigned to perform the security related task identified in the 
licensee physical security or contingency plan shall demonstrate the 
required knowledge, skill, and ability in accordance with the 
specified standards for each task as stated in the NRC approved 
licensee training and qualifications plan.
    E. Requalification--Security personnel shall be requalified at 
least every 12 months to perform assigned security-related job tasks 
and duties for both normal and contingency operations. 
Requalification shall be in accordance with the NRC-approved 
licensee training and qualifications plan. The results of 
requalification must be documented and attested by a licensee 
security supervisor or a qualified training instructor. The licensee 
shall retain this documentation of each individual's requalification 
as a record for three years from the date of each requalification.

III. Weapons Training

    A. Guards, armed response personnel and armed escorts requiring 
weapons training to perform assigned security related job tasks or 
job duties shall be trained in accordance with the licensees' 
documented weapons training programs. Each individual shall be 
proficient in the use of their assigned weapon(s) and shall meet 
licensee-prescribed standards for firearms handling and 
functionality.

IV. Weapons Qualification and Requalification Program

    Qualification firing for the handgun and the rifle must be for 
daylight firing, and each individual shall perform night firing for 
familiarization with assigned weapon(s). The results of weapons 
qualification and requalification must be documented by the licensee 
or the licensee's agent. Each individual shall be requalified at 
least every 12 months. The licensee shall retain this documentation 
of each qualification and requalification as a record for three 
years from the date of the qualification or requalification, as 
appropriate.
    A. Individuals shall qualify with all assigned firearms through 
completion of a law enforcement course or an equivalent nationally 
recognized course of fire.
    B. Qualifying score must be an accumulated total of 70 percent 
with handgun and shotgun, and 80 percent with semiautomatic rifle 
and/or enhanced weapons, of the maximum obtainable target score.
    C. Enhanced weapons--Armed members of the security organization, 
assigned duties and responsibilities involving the use of enhanced 
weapons, authorized under Sec.  73.15 of this part, must qualify in 
accordance with the licensee's NRC-approved training and 
qualification plan as specified under the provisions of Sec.  
73.15(f)(3) and (h) of this part.
    D. Requalification--Individuals shall be weapons requalified at 
least every 12 months in accordance with the NRC approved licensee 
training and qualifications plan, and in accordance with the 
requirements stated in A, B, and C of this section.

V. Guard, Armed Response Personnel, and Armed Escort Equipment

    Fixed site guards, fixed site armed response personnel, and 
transportation armed escorts shall either be equipped with or have 
available the following security equipment appropriate to the 
individual's assigned contingency security related tasks or job 
duties as described in the licensee physical security and 
contingency plans:
    A. Automatic or semiautomatic rifles.
    B. 12 gauge shotguns.
    C. Semiautomatic pistols or revolvers.
    D. Short-barreled rifles.
    E. Ammunition.
    1. Each individual assigned contingency security job duties must 
maintain an adequate and readily available supply of ammunition for 
assigned weapons as determined by security job duties and 
responsibilities, as described in the licensee physical security and 
contingency plans.
    2. The quantity of ammunition available for fixed sites must be 
maintained at a level sufficient to ensure the effective 
implementation of the Commission-approved security plans.
    F. The licensee shall ensure that each individual is equipped or 
has readily available personal equipment or devices required for the 
effective implementation of the Commission-approved security plans.
    G. Escort vehicles must be bullet resisting and equipped with 
communications systems or any other equipment as needed for the 
effective implementation of the Commission-approved security plans.

VI. Nuclear Power Reactor Training and Qualification Plan for Personnel 
Performing Security Program Duties

A. General Requirements and Introduction

    1. The licensee must ensure that all individuals who are 
assigned duties and responsibilities required to implement the 
Commission-approved security plans, licensee response strategy, and 
implementing procedures, meet minimum training and qualification 
requirements to ensure each individual possesses the knowledge, 
skills, and abilities required to effectively perform the assigned 
duties and responsibilities.
    2. Licensee physical protection programs that meet the 
requirements of 10 CFR 73.55(b)(3)(iii) must establish and maintain 
a training and qualification program that ensures personnel who are 
responsible for implementation of the physical protection of the 
facility against radiological sabotage are trained and qualified 
with the applicable portions of this section to effectively perform 
their assigned security-related job duties. The training and 
qualification program must be described in the Commission-approved 
training and qualification plan.
    3. The licensee may not allow any individual to perform any 
security function, assume any security duties or responsibilities, 
or return to security duty, until that individual satisfies the 
training and qualification requirements of this appendix and the 
Commission-approved training and qualification plan, unless 
specifically authorized by the Commission.
    4. Annual requirements must be scheduled at a nominal 12-month 
periodicity. Annual requirements may be completed up to 3 months 
before or 3 months after the scheduled date. However, the next 
annual training must be scheduled 12 months from the previously 
scheduled date rather than the date the training was actually 
completed.

B. Employment Suitability and Qualification

    1. Suitability.
    (a) Before employment, or assignment to the security 
organization, an individual serving in an armed capacity must not be 
disqualified from possessing or using firearms or ammunition in 
accordance with applicable state or Federal law, to include 18 
U.S.C. 922. Licensees must use information that has been obtained 
during the completion of the individual's background investigation 
for unescorted access to determine suitability.
    (b) The qualification of each individual to perform assigned 
duties and responsibilities must be documented and attested by a 
qualified training instructor or a security supervisor.
    2. Physical qualifications.
    (a) General physical qualifications.
    (1) Individuals whose duties and responsibilities are directly 
associated with the effective implementation of the Commission-
approved security plans, licensee protective strategy, and 
implementing procedures, may not have any physical conditions that 
would adversely affect their performance of assigned security duties 
and responsibilities.
    (2) Armed and unarmed individuals assigned security duties and 
responsibilities must be subject to a physical examination designed 
to measure the individual's physical ability to perform assigned 
duties and responsibilities as identified in the Commission-approved 
security plans, licensee protective strategy, and implementing 
procedures.
    (3) This physical examination must be administered by a licensed 
health professional with the final determination being made by a 
licensed physician to verify the individual's physical capability to 
perform assigned duties and responsibilities.
    (4) The licensee must ensure that both armed and unarmed 
individuals who are assigned security duties and responsibilities 
identified in the Commission-approved security plans, the licensee 
protective strategy, and implementing procedures, meet the following 
minimum physical requirements, as required to effectively perform 
their assigned duties.
    (b) Existing medical conditions.
    (1) Individuals may not have an established medical history or 
medical diagnosis of existing medical conditions which could 
interfere with or prevent the individual from effectively performing 
assigned duties and responsibilities.
    (2) If a medical condition exists, the individual must provide 
medical evidence that the condition can be controlled with medical 
treatment in a manner which does not adversely affect the 
individual's fitness-for-duty, mental alertness, physical condition, 
or capability to otherwise effectively perform assigned duties and 
responsibilities.
    (c) Addiction. Individuals may not have any established medical 
history or medical diagnosis of habitual alcoholism or drug 
addiction, or, where this type of condition has existed, the 
individual must provide certified documentation of having completed 
a rehabilitation program which would give a reasonable degree of 
confidence that the individual would be capable of effectively 
performing assigned duties and responsibilities.
    (d) Other physical requirements. An individual who has been 
incapacitated due to a serious illness, injury, disease, or 
operation, which could interfere with the effective performance of 
assigned duties and responsibilities must, before resumption of 
assigned duties and responsibilities, provide medical evidence of 
recovery and ability to perform these duties and responsibilities.
    3. Psychological qualifications.
    (a) Armed and unarmed individuals must demonstrate the ability 
to apply good judgment, mental alertness, the capability to 
implement instructions and assigned tasks, and possess the acuity of 
senses and ability of expression sufficient to permit accurate 
communication by written, spoken, audible, visible, or other signals 
required by assigned duties and responsibilities.
    (b) A licensed psychologist, psychiatrist, or physician trained 
in part to identify emotional instability must determine whether 
armed members of the security organization and alarm station 
operators in addition to meeting the requirement stated in paragraph 
(a) of this section, have no emotional instability that would 
interfere 
with the effective performance of assigned duties and 
responsibilities.
    (c) A person professionally trained to identify emotional 
instability must determine whether unarmed individuals in addition 
to meeting the requirement stated in paragraph (a) of this section, 
have no emotional instability that would interfere with the 
effective performance of assigned duties and responsibilities.
    4. Medical examinations and physical fitness qualifications.
    (a) Armed members of the security organization must be subject 
to a medical examination by a licensed physician, to determine the 
individual's fitness to participate in physical fitness tests.
    (1) The licensee must obtain and retain a written certification 
from the licensed physician that no medical conditions were 
disclosed by the medical examination that would preclude the 
individual's ability to participate in the physical fitness tests or 
meet the physical fitness attributes or objectives associated with 
assigned duties.
    (2) [Reserved]
    (b) Before assignment, armed members of the security 
organization must demonstrate physical fitness for assigned duties 
and responsibilities by performing a practical physical fitness 
test.
    (1) The physical fitness test must include physical attributes 
and performance objectives that demonstrate the strength, endurance, 
and agility, consistent with assigned duties in the Commission-
approved security plans, licensee protective strategy, and 
implementing procedures during normal and emergency conditions.
    (2) The licensee must describe the physical fitness test in the 
Commission-approved training and qualification plan.
    (3) The physical fitness qualification of each armed member of 
the security organization must be documented and attested by a 
qualified training instructor or a security supervisor.
    5. Physical requalification.
    (a) At least annually, armed and unarmed individuals must be 
required to demonstrate the capability to meet the physical 
requirements of this appendix and the licensee training and 
qualification plan.
    (b) The physical requalification of each armed and unarmed 
individual must be documented and attested by a qualified training 
instructor or a security supervisor.

C. Duty Training

    1. On-the-job training.
    (a) The licensee training and qualification program must include 
on-the-job training performance standards and criteria to ensure 
that each individual demonstrates the requisite knowledge, skills, 
and abilities needed to effectively carry out assigned duties and 
responsibilities in accordance with the Commission-approved security 
plans, licensee protective strategy, and implementing procedures, 
before the individual is assigned the duty or responsibility.
    (b) In addition to meeting the requirement stated in paragraph 
C.1.(a) of this appendix, before assignment, individuals (e.g., 
response team leaders, alarm station operators, armed responders, 
and armed security officers designated as a component of the 
protective strategy) assigned duties and responsibilities to 
implement the Safeguards Contingency Plan must complete on-the-job 
training to demonstrate their ability to effectively apply the 
knowledge, skills, and abilities required to effectively perform 
assigned contingency duties and responsibilities in accordance with 
the approved safeguards contingency plan, other security plans, 
licensee protective strategy, and implementing procedures. On-the-
job training must be documented and attested by a qualified training 
instructor or a security supervisor.
    2. Performance Evaluation Program.
    (a) Licensees must develop, implement and maintain a Performance 
Evaluation Program that is documented in procedures which describes 
how the licensee will demonstrate and assess the effectiveness of 
their onsite physical protection program and protective strategy, 
including the capability of the armed response team to carry out 
their assigned duties and responsibilities during safeguards 
contingency events. The Performance Evaluation Program and 
procedures must be referenced in the licensee's Training and 
Qualifications Plan.
    (b) The Performance Evaluation Program must include procedures 
for the conduct of tactical response drills and force-on-force 
exercises designed to demonstrate and assess the effectiveness of 
the licensee's physical protection program, protective strategy and 
contingency event response by all individuals with responsibilities 
for implementing the safeguards contingency plan.
    (c) The licensee must conduct tactical response drills and 
force-on-force exercises in accordance with Commission-approved 
security plans, licensee protective strategy, and implementing 
procedures.
    (d) Tactical response drills and force-on-force exercises must 
be designed to challenge the site protective strategy against 
elements of the design basis threat and ensure each participant 
assigned security duties and responsibilities identified in the 
Commission-approved security plans, the licensee protective 
strategy, and implementing procedures demonstrate the requisite 
knowledge, skills, and abilities.
    (e) Tactical response drills, force-on-force exercises, and 
associated contingency response training must be conducted under 
conditions that simulate, as closely as practicable, the site-
specific conditions under which each member will, or may be, 
required to perform assigned duties and responsibilities.
    (f) The scope of tactical response drills conducted for training 
purposes must be determined by the licensee and must address site-
specific, individual or programmatic elements, and may be limited to 
specific portions of the site protective strategy.
    (g) Each tactical response drill and force-on-force exercise 
must include a documented post-exercise critique in which 
participants identify failures, deficiencies or other findings in 
performance, plans, equipment or strategies.
    (h) Licensees must document scenarios and participants for all 
tactical response drills and annual force-on-force exercises 
conducted.
    (i) Findings, deficiencies and failures identified during 
tactical response drills and force-on-force exercises that adversely 
affect or decrease the effectiveness of the protective strategy and 
physical protection program must be addressed to ensure that timely 
corrections are made to the appropriate program areas.
    (j) Findings, deficiencies and failures associated with the 
onsite physical protection program and protective strategy must be 
protected as necessary in accordance with the requirements of 10 CFR 
73.21.
    (k) For the purpose of tactical response drills and force-on-
force exercises, licensees must:
    (1) Use no more than the total number of armed responders and 
armed security officers documented in the security plans.
    (2) Minimize the number and effects of artificialities 
associated with tactical response drills and force-on-force 
exercises.
    (3) Implement the use of systems or methodologies that simulate 
the realities of armed engagement through visual and audible means 
or other technologies and reflect the capabilities of armed 
personnel to neutralize a target through the use of firearms.
    (4) Ensure that each scenario used provides a credible, 
realistic challenge to the protective strategy and the capabilities 
of the security response organization.
    (l) The Performance Evaluation Program must be designed to 
ensure that:
    (1) Each member of each shift who is assigned duties and 
responsibilities required to implement the safeguards contingency 
plan and licensee protective strategy must participate in security 
drills and exercises.
    (i) The licensee must conduct at least one fully integrated 
Force-on-Force exercise on an annual basis.
    (ii) Each member of each shift must participate in one fully 
integrated Force-on-Force exercise every 3 years.
    (iii) Each member of each shift must participate in two tactical 
response drills, one of which must be a limited scope tactical 
response drill, on an annual basis.
    (A) Participation in a fully integrated Force-on-Force exercise 
or NRC triennial evaluation would count as credit for the limited 
scope tactical response drill. The NRC triennial evaluation can be 
used to satisfy the annual fully integrated Force-on-Force exercise.
    (B) [Reserved].
    (2) The mock adversary force replicates, as closely as possible, 
adversary characteristics and capabilities of the design basis 
threat described in 10 CFR 73.1(a)(1), and is capable of exploiting 
and challenging the licensee's protective strategy, personnel, 
command and control, and implementing procedures.
    (3) Protective strategies can be evaluated and challenged 
through the conduct of tactical response tabletop demonstrations.
    (4) Drill and exercise controllers are trained and qualified to 
ensure that each controller has the requisite knowledge and 
experience to control and evaluate exercises.
    (5) Tactical response drills and force-on-force exercises are 
conducted safely and in accordance with site safety plans.

[[Page 38985]]

    (m) Scenarios.
    (1) Licensees must develop and document multiple scenarios for 
use in conducting tactical response drills and force-on-force 
exercises.
    (2) Licensee scenarios must be designed to test and challenge 
any components or combination of components, of the onsite physical 
protection program and protective strategy.
    (3) Each scenario must use a unique target set or target sets to 
ensure that the combination of all scenarios challenges every 
component of the onsite physical protection program and protective 
strategy to include, but not limited to, equipment, implementing 
procedures, and personnel.

D. Duty Qualification and Requalification

    1. Qualification demonstration.
    (a) Armed and unarmed individuals must demonstrate the required 
knowledge, skills, and abilities to carry out assigned duties and 
responsibilities as stated in the Commission-approved security 
plans, licensee protective strategy, and implementing procedures.
    (b) [Reserved].
    2. Requalification.
    (a) Armed and unarmed individuals must be requalified at least 
annually in accordance with the requirements of this appendix and 
the Commission-approved training and qualification plan.
    (b) The results of requalification must be documented and 
attested by a qualified training instructor or a security 
supervisor.

E. Weapons Training

    1. General firearms training.
    (a) Armed members of the security organization must be trained 
and qualified in accordance with the requirements of this appendix 
and the Commission-approved training and qualification plan.
    (b) Firearms instructors must maintain a certification for each 
weapon type from a national or state recognized entity.
    (c) The Commission-approved training and qualification plan must 
describe training on firearms handling and functionality.
    (d) The licensee must ensure that each armed member of the 
security organization is instructed on the use of deadly force as 
authorized by applicable State law.

F. Weapons Qualification and Requalification Program

    1. General weapons qualification requirements.
    (a) Qualification firing must be accomplished in accordance with 
Commission requirements and the Commission-approved training and 
qualification plan for assigned weapons.
    (b) The results of weapons qualification and requalification 
must be documented and retained as a record.
    2. Tactical weapons qualification. The licensee Training and 
Qualification Plan must describe the firearms used, the firearms 
qualification program, and other tactical training required to 
implement the Commission-approved security plans, licensee 
protective strategy, and implementing procedures. Licensee developed 
tactical qualification and requalification courses must describe the 
performance criteria needed to include the site specific conditions 
(such as lighting, elevation, fields-of-fire) under which assigned 
personnel must be required to carry-out their assigned duties.
    3. Firearms qualification courses. The licensee must conduct the 
following qualification courses for each weapon used.
    (a) Annual daylight qualification course. Qualifying score must 
be an accumulated total of 70 percent with handgun and shotgun, and 
80 percent with semiautomatic rifle and/or enhanced weapons, of the 
maximum obtainable target score.
    (b) Annual night fire qualification course. Qualifying score 
must be an accumulated total of 70 percent with handgun and shotgun, 
and 80 percent with semiautomatic rifle and/or enhanced weapons, of 
the maximum obtainable target score.
    (c) Annual tactical qualification course. Qualifying score must 
be an accumulated total of 80 percent of the maximum obtainable 
score.
    (d) Individuals shall qualify with all assigned firearms through 
completion of a law enforcement course or an equivalent nationally 
recognized course of fire.
    (e) Enhanced weapons. Armed members of the security 
organization, assigned duties and responsibilities involving the use 
of any weapon or weapons not described previously, must qualify in 
accordance with applicable standards established by a law 
enforcement course or an equivalent nationally recognized course for 
these weapons.
    4. Firearms requalification.
    (a) Armed members of the security organization must be 
requalified for each assigned weapon at least annually in accordance 
with Commission requirements and the Commission-approved training 
and qualification plan, and the results documented and retained as a 
record.
    (b) Firearms requalification must be conducted using the courses 
of fire outlined in paragraphs F.2 and F.3 of this section.

G. Weapons Maintenance

    1. Firearms maintenance program. Each licensee must implement a 
firearms maintenance and accountability program in accordance with 
the Commission regulations and the Commission-approved training and 
qualification plan. The program must include:
    (a) Semiannual test firing for accuracy and functionality.
    (b) Firearms maintenance procedures that include cleaning 
schedules and cleaning requirements.
    (c) Program activity documentation.
    (d) Control and accountability (weapons and ammunition).
    (e) Firearm storage requirements.
    (f) Armorer certification.
    2. [Reserved].

H. Records

    1. The licensee must retain all reports, records, or other 
documentation required by this appendix in accordance with the 
requirements of Sec.  73.55(q).
    2. The licensee must retain each individual's initial 
qualification record for three (3) years after termination of the 
individual's employment and must retain each requalification record 
for three (3) years after it is superseded.
    3. The licensee must document data and test results from each 
individual's suitability, physical, and psychological qualification 
and must retain this documentation as a record for three (3) years 
from the date of obtaining and recording these results.

I. Reviews

    The licensee must review the Commission-approved training and 
qualification program in accordance with the requirements of Sec.  
73.55(m).

J. Definitions

    Terms defined in parts 50, 70, and 73 of this chapter have the 
same meaning when used in this appendix.
    83. Revise and republish appendix C to part 73 to read as 
follows:

Appendix C to Part 73--Licensee Safeguards Contingency Plans

I. Safeguards Contingency Plan

    Licensees, applicants, and certificate holders, with the 
exception of those who are subject to the requirements of Sec.  
73.55 or 73.100, must comply with the requirements of section I of 
this appendix.

A. Introduction

    A licensee safeguards contingency plan is a documented plan to 
give guidance to licensee personnel in order to accomplish specific 
defined objectives in the event of threats, thefts, or radiological 
sabotage relating to special nuclear material or nuclear facilities 
licensed under the Atomic Energy Act of 1954, as amended. An 
acceptable safeguards contingency plan must contain:
    1. A predetermined set of decisions and actions to satisfy 
stated objectives;
    2. An identification of the data, criteria, procedures, and 
mechanisms necessary to efficiently implement the decisions; and
    3. A stipulation of the individual, group, or organizational 
entity responsible for each decision and action.
    The goals of licensee safeguards contingency plans for 
responding to threats, thefts, and radiological sabotage are:
    1. To organize the response effort at the licensee level;
    2. To provide predetermined, structured responses by licensees 
to safeguards contingencies;
    3. To ensure the integration of the licensee response with the 
responses by other entities; and
    4. To achieve a measurable performance in response capability.
    Licensee safeguards contingency planning should result in 
organizing the licensee's resources in such a way that the 
participants will be identified, their several responsibilities 
specified, and the responses coordinated. The responses should be 
timely.
    It is important to note that a licensee's safeguards contingency 
plan is intended to be complementary to any onsite emergency plans.

[[Page 38986]]

B. Contents of the Plan

    Each licensee safeguards contingency plan must include five 
categories of information:
    1. Background
    2. Generic Planning Base
    3. Licensee Planning Base
    4. Responsibility Matrix
    5. Implementing Procedures
    Although the implementing procedures (the fifth category of Plan 
information) are the culmination of the planning process, and 
therefore are an integral and important part of the safeguards 
contingency plan, they entail operating details subject to frequent 
changes. They need not be submitted to the Commission for approval, 
but will be inspected by NRC staff on a periodic basis. The licensee 
is responsible for ensuring that the implementing procedures reflect 
the information in the Responsibility Matrix, appropriately 
summarized and suitably presented for effective use by the 
responding entities.
    The following paragraphs describe the contents of the safeguards 
contingency plan.
    1. Background. Under the following topics, this category of 
information must identify and define the perceived dangers and 
incidents with which the plan will deal and the general way it will 
handle these:
    a. Perceived Danger--A statement of the perceived danger to the 
security of special nuclear material, licensee personnel, and 
licensee property, including covert diversion of special nuclear 
material, radiological sabotage, and overt attacks. The statement of 
perceived danger should conform with that promulgated by the Nuclear 
Regulatory Commission. (The statement contained in 10 CFR 73.1 or 
subsequent Commission statements will suffice.)
    b. Purpose of the Plan--A discussion of the general aims and 
operational concepts underlying implementation of the plan.
    c. Scope of the Plan--A delineation of the types of incidents 
covered in the plan.
    d. Definitions--A list of terms and their definitions used in 
describing operational and technical aspects of the plan.
    2. Generic Planning Base. Under the following topics, this 
category of information must define the criteria for initiation and 
termination of responses to safeguards contingencies together with 
the specific decisions, actions, and supporting information needed 
to bring about such responses:
    a. Identification of those events that will be used for 
signaling the beginning or aggravation of a safeguards contingency 
according to how they are perceived initially by licensee's 
personnel. Such events may include alarms or other indications 
signaling penetration of a protected area, vital area, or material 
access area; material control or material accounting indications of 
material missing or unaccounted for; or threat indications--either 
verbal, such as telephoned threats, or implied, such as escalating 
civil disturbances.
    b. Definition of the specific objective to be accomplished 
relative to each identified event. The objective may be to obtain a 
level of awareness about the nature and severity of the safeguards 
contingency in order to prepare for further responses; to establish 
a level of response preparedness; or to successfully nullify or 
reduce any adverse safeguards consequences arising from the 
contingency.
    3. Licensee Planning Base. This category of information must 
include the factors affecting contingency planning that are specific 
for each facility or means of transportation. To the extent that the 
topics are treated in adequate detail in the licensee's approved 
physical security plan, they are not necessary to be repeated in 
this plan. The following topics should be addressed:
    a. Licensee's Organizational Structure for Contingency 
Responses--A delineation of the organization's chain of command and 
delegation of authority as these apply to safeguards contingencies.
    b. Physical Layout--(i) Fixed Sites--A description of the 
physical structures and their location on the site, and a 
description of the site in relation to nearby town, roads, and other 
environmental features important to the effective coordination of 
response operations. Particular emphasis should be placed on main 
and alternate entry routes for law-enforcement assistance forces and 
the location of control points for marshalling and coordinating 
response activities.
    (ii) Transportation--A description of the vehicles, shipping 
routes, preplanned alternate routes, and related features.
    c. Safeguards Systems Hardware--A description of the physical 
security and accounting system hardware that influence how the 
licensee will respond to an event. Examples of systems to be 
discussed are communications, alarms, locks, seals, area access, 
armaments, and surveillance.
    d. Law Enforcement Assistance--A listing of available local law 
enforcement agencies and a description of their response 
capabilities and their criteria for response; and a discussion of 
working agreements or arrangements for communicating with these 
agencies.
    e. Policy Constraints and Assumptions--A discussion of State 
laws, local ordinances, and company policies and practices that 
govern licensee response to incidents. Examples that may be 
discussed include:
    (i) Use of deadly force;
    (ii) Use of employee property;
    (iii) Use of off-duty employees; and
    (iv) Site security jurisdictional boundaries.
    f. Administrative and Logistical Considerations--Descriptions of 
licensee practices that may have an influence on the response to 
safeguards contingency events. The considerations must include a 
description of the procedures that will be used for ensuring that 
all equipment needed to effect a successful response to a safeguards 
contingency will be easily accessible, in good working order, and in 
sufficient supply to provide redundancy in case of equipment 
failure.
    4. Responsibility Matrix. This category of information consists 
of detailed identification of the organizational entities 
responsible for each decision and action associated with specific 
responses to safeguards contingencies. For each initiating event, a 
tabulation must be made for each response entity depicting the 
assignment of responsibilities for all decisions and actions to be 
taken in response to the initiating event. (Not all entities will 
have assigned responsibilities for any given initiating event.) The 
tabulations in the Responsibility Matrix must provide an overall 
picture of the response actions and their interrelationships. 
Safeguards responsibilities must be assigned in a manner that 
precludes conflict in duties or responsibilities that would prevent 
the execution of the plan in any safeguards contingency.
    5. Procedures. In order to aid execution of the detailed plan as 
developed in the Responsibility Matrix, this category of information 
must detail the actions to be taken and decisions to be made by each 
member or unit of the organization as planned in the Responsibility 
Matrix.

C. Audit and Review

    1. For nuclear facilities subject to the requirements of Sec.  
73.46, the licensee must provide for a review of the safeguards 
contingency plan at intervals not to exceed 24 months.
    2. A licensee subject to the requirements of Sec.  73.46 must 
ensure that the review of the safeguards contingency plan is by 
individuals independent of both security program management and 
personnel who have direct responsibility for implementation of the 
security program. The review must include an audit of safeguards 
contingency procedures and practices, and an audit of commitments 
established for response by local law enforcement authorities.
    3. The licensee must document the results and the 
recommendations of the safeguards contingency plan review, 
management findings on whether the safeguards contingency plan is 
currently effective, and any actions taken as a result of 
recommendations from prior reviews in a report to the licensee's 
plant manager and to corporate management at least one level higher 
than that having responsibility for the day-to-day plant operation. 
The report must be maintained in an auditable form, available for 
inspection for a period of 3 years.

II. Nuclear Power Plant Safeguards Contingency Plans

A. Introduction

    The safeguards contingency plan is a documented plan that 
describes how licensee personnel implement their physical protection 
program to defend against threats to their facility, up to and 
including the design basis threat of radiological sabotage.
    Licensee safeguards contingency planning should result in 
organizing the licensee's resources in such a way that the 
participants will be identified, their responsibilities specified, 
and the responses coordinated. The responses should be timely and 
include personnel who are trained and qualified to respond in 
accordance with a documented training and qualification program.
    The evaluation, validation, and testing of this portion of the 
program must be conducted in accordance with appendix B, section VI 
of this part, Nuclear Power Reactor Training and Qualification Plan 
for Personnel Performing Security Program Duties. The licensee's 
safeguards contingency plan is intended to maintain effectiveness 
during the implementation of onsite emergency plans.

[[Page 38987]]

B. Contents of the Plan

    Each safeguards contingency plan must include five (5) 
categories of information:
    (1) Background.
    (2) Generic planning base.
    (3) Licensee planning base.
    (4) Responsibility matrix.
    (5) Implementing procedures.
    Although the implementing procedures (the fifth category of plan 
information) are the culmination of the planning process, and are an 
integral and important part of the safeguards contingency plan, they 
entail operating details subject to frequent changes. They need not 
be submitted to the Commission for approval, but are subject to 
inspection by NRC staff on a periodic basis.
    1. Background. This category of information must identify the 
perceived dangers and incidents that the plan will address and a 
general description of how the response is organized.
    a. Perceived Danger--Consistent with the design basis threat 
specified in Sec.  73.1(a)(1), licensees must identify and describe 
the perceived dangers, threats, and incidents against which the 
safeguards contingency plan is designed to protect.
    b. Purpose of the Plan--Licensees must describe the general 
goals, objectives and operational concepts underlying the 
implementation of the approved safeguards contingency plan.
    c. Scope of the Plan--A delineation of the types of incidents 
covered by the plan.
    (i) How the onsite or offsite response effort is organized and 
coordinated to effectively respond to a safeguards contingency 
event.
    (ii) How the onsite or offsite response for safeguards 
contingency events has been integrated in other site emergency 
response procedures.
    d. Definitions--A list of terms and their definitions used in 
describing operational and technical aspects of the approved 
safeguards contingency plan.
    2. Generic Planning Base. Licensees must define the criteria for 
initiation and termination of responses to security events to 
include the specific decisions, actions, and supporting information 
needed to respond to each type of incident covered by the approved 
safeguards contingency plan. To achieve this result the generic 
planning base must:
    a. Identify those events that will be used for signaling the 
beginning or aggravation of a safeguards contingency event according 
to how they are perceived initially by licensee's personnel. 
Licensees must ensure detection of unauthorized activities and must 
respond to all alarms or other indications signaling a security 
event, such as penetration of a protected area, vital area, or 
unauthorized barrier penetration (vehicle or personnel); tampering, 
bomb threats, or other threat warnings--either verbal, such as 
telephoned threats, or implied, such as escalating civil 
disturbances.
    b. Define the specific objective to be accomplished relative to 
each identified safeguards contingency event. The objective may be 
to obtain a level of awareness about the nature and severity of the 
safeguards contingency to prepare for further responses; to 
establish a level of response preparedness; or to successfully 
nullify or reduce any adverse safeguards consequences arising from 
the contingency.
    c. Identify the data, criteria, procedures, mechanisms and 
logistical support necessary to achieve the objectives identified.
    3. Licensee Planning Base. This category of information must 
include factors affecting safeguards contingency planning that are 
specific for each facility. To the extent that the topics are 
treated in adequate detail in the licensee's approved physical 
security plan, they may be incorporated by reference in the 
Safeguards Contingency Plan. The following topics must be addressed:
    a. Organizational Structure. The safeguards contingency plan 
must describe the organization's chain of command and delegation of 
authority during safeguards contingency events, to include a general 
description of how command and control functions will be coordinated 
and maintained.
    b. Physical Layout. The safeguards contingency plan must include 
a site map depicting the physical structures located on the site, 
including onsite independent spent fuel storage installations, and a 
description of the structures depicted on the map. Plans must also 
include a description and map of the site in relation to nearby 
towns, transportation routes (e.g., rail, water, and roads), 
pipelines, airports, hazardous material facilities, and pertinent 
environmental features that may have an effect upon coordination of 
response activities. Descriptions and maps must indicate main and 
alternate entry routes for law enforcement or other offsite response 
and support agencies and the location for marshaling and 
coordinating response activities.
    c. Safeguards Systems. The safeguards contingency plan must 
include a description of the physical security systems that support 
and influence how the licensee will respond to an event in 
accordance with the design basis threat described in Sec.  73.1(a). 
The licensee's description must begin with onsite physical 
protection measures implemented at the outermost facility perimeter, 
and must move inward through those measures implemented to protect 
target set equipment.
    (i) Physical security systems and security systems hardware to 
be discussed include security systems and measures that provide 
defense-in-depth, such as physical barriers, alarm systems, locks, 
area access, armaments, surveillance, and communications systems.
    (ii) The specific structure of the security response 
organization to include the total number of armed responders and 
armed security officers documented in the approved security plans as 
a component of the protective strategy and a general description of 
response capabilities must also be included in the safeguards 
contingency plan.
    (iii) Armed responders must be available to respond from 
designated areas inside the protected area at all times and may not 
be assigned any other duties or responsibilities that could 
interfere with assigned armed response team duties and 
responsibilities.
    (iv) Licensees must develop, implement, and maintain a written 
protective strategy to be documented in procedures that describe in 
detail the physical protection measures, security systems and 
deployment of the armed response team relative to site specific 
conditions, to include but not be limited to, facility layout, and 
the location of target set equipment and elements. The protective 
strategy should support the general goals, operational concepts, and 
performance objectives identified in the licensee's safeguards 
contingency plan. The protective strategy must:
    (1) Be designed to meet the performance requirements and 
objectives of Sec.  73.55(a) through (k) or 73.100(a) through (j), 
as applicable.
    (2) Identify predetermined actions, areas of responsibility and 
timelines for the deployment of armed personnel.
    (3) Contain measures that limit the exposure of security 
personnel to possible attack, including incorporation of bullet 
resisting protected positions.
    (4) Contain a description of the physical security systems and 
measures that provide defense-in-depth, such as physical barriers, 
alarm systems, locks, area access, armaments, surveillance, and 
communications systems.
    (5) Describe the specific structure and responsibilities of the 
armed response organization to include:
    (i) The authorized minimum number of armed responders, available 
at all times inside the protected area.
    (ii) The authorized minimum number of armed security officers, 
available onsite at all times.
    (iii) The total number of armed responders and armed security 
officers documented in the approved security plans as a component of 
the protective strategy.
    (6) Provide a command and control structure, to include response 
by off-site law enforcement agencies, which ensures that decisions 
and actions are coordinated and communicated in a timely manner to 
facilitate response.
    d. Law Enforcement Assistance. Provide a listing of available 
law enforcement agencies and a general description of their response 
capabilities and their criteria for response and a discussion of 
working agreements or arrangements for communicating with these 
agencies.
    e. Policy Constraints and Assumptions. The safeguards 
contingency plan must contain a discussion of State laws, local 
ordinances, and company policies and practices that govern licensee 
response to incidents and must include, but is not limited to, the 
following.
    (i) Use of deadly force.
    (ii) Recall of off-duty employees.
    (iii) Site jurisdictional boundaries.
    (iv) Use of enhanced weapons, if applicable.
    f. Administrative and Logistical Considerations. Descriptions of 
licensee practices which influence how the security organization 
responds to a safeguards contingency event to include, but not 
limited to, a description of the procedures that will be used for 
ensuring that equipment needed to facilitate response will be 
readily accessible, in good working order, and in sufficient supply.
    4. Responsibility Matrix. This category of information consists 
of the detailed

[[Page 38988]]

identification of responsibilities and specific actions to be taken 
by licensee organizations and/or personnel in response to safeguards 
contingency events.
    a. Licensees must develop site procedures that consist of 
matrixes detailing the organization and/or personnel responsible for 
decisions and actions associated with specific responses to 
safeguards contingency events. The responsibility matrix and 
procedures must be referenced in the licensee's safeguards 
contingency plan.
    b. Responsibility matrix procedures must be based on the events 
outlined in the licensee's Generic Planning Base and must include 
the definition of the specific objective to be accomplished relative 
to each identified safeguards contingency event. The objective may 
be to obtain a level of awareness about the nature and severity of 
the safeguards contingency to prepare for further responses, to 
establish a level of response preparedness, or to successfully 
nullify or reduce any adverse safeguards consequences arising from 
the contingency.
    c. Responsibilities must be assigned in a manner that precludes 
conflict of duties and responsibilities that would prevent the 
execution of the safeguards contingency plan and emergency response 
plans.
    d. Licensees must ensure that predetermined actions can be 
completed under the postulated conditions.
    5. Implementing Procedures. Licensees must establish and 
maintain written implementing procedures that provide specific 
guidance and operating details that identify the actions to be taken 
and decisions to be made by each member of the security organization 
who is assigned duties and responsibilities required for the 
effective implementation of the security plans and the site 
protective strategy.

C. Records and Reviews

    1. Licensees must review the safeguards contingency plan in 
accordance with the requirements of Sec.  73.55(m) or 73.100(f).
    2. The safeguards contingency plan audit must include a review 
of applicable elements of the Physical Security Plan, Training and 
Qualification Plan, implementing procedures and practices, the site 
protective strategy, and response agreements made by local, State, 
and Federal law enforcement authorities.
    3. Licensees must retain all reports, records, or other 
documentation required by this appendix in accordance with the 
requirements of Sec.  73.55(q) or 73.100(j).

PART 95--FACILITY SECURITY CLEARANCE AND SAFEGUARDING OF NATIONAL 
SECURITY INFORMATION AND RESTRICTED DATA

84. The authority citation for part 95 continues to read as follows:

    Authority: Atomic Energy Act of 1954, secs. 145, 161, 223, 234 
(42 U.S.C. 2165, 2201, 2273, 2282); Energy Reorganization Act of 
1974, sec. 201 (42 U.S.C. 5841); 44 U.S.C. 3504 note; E.O. 10865, as 
amended, 25 FR 1583, 3 CFR, 1959-1963 Comp., p. 398; E.O. 12829, 58 
FR 3479, 3 CFR, 1993 Comp., p. 570; E.O. 12968, 60 FR 40245, 3 CFR, 
1995 Comp., p. 391; E.O. 13526, 75 FR 707, 3 CFR, 2009 Comp., p. 
298.

85. Revise Sec.  95.1 to read as follows:


Sec.  95.1  Purpose.

    The regulations in this part establish procedures for obtaining 
facility security clearance and for safeguarding Secret and 
Confidential National Security Information and Restricted Data received 
or developed in conjunction with activities licensed, certified or 
regulated by the Commission, in accordance with the National Industrial 
Security Program, as described in title 32 of the Code of Federal 
Regulations (32 CFR), part 117, ``National Industrial Security Program 
Operating Manual (NISPOM).'' This part does not apply to Top Secret 
information because Top Secret information may not be forwarded to 
licensees, certificate holders, or others within the scope of an NRC 
license or certificate.
86. In Sec.  95.5:
a. In the definition ``Cognizant Security Agency (CSA)'', remove the 
phrase ``department of Energy'' and add in its place the phrase 
``Department of Energy''; and
b. Add introductory text and remove the definitions of ``Combination 
lock'', ``Need to know'', ``Protective personnel'', ``Restricted 
area'', ``Security area'', and ``Security container''.
    The additions read as follows:


Sec.  95.5  Definitions.

    Terms defined in section 117.3 of title 32 have the same meaning 
when used in this part.
* * * * *


Sec.  95.8  [Amended]

87. In Sec.  95.8, in paragraph (b):
a. Remove the references ``95.18,'' ``95.25,'' and ``95.45,''; and
b. Add the reference ``95.24,'' in numerical order.
88. In Sec.  95.11, revise the section heading and introductory text to 
read as follows:


Sec.  95.11  Specific exemptions and waivers.

    The NRC may, upon application by any interested person or upon its 
own initiative, grant exemptions from the requirements of the 
regulations of this part, or waivers to the provisions of 32 CFR part 
117 that are--
* * * * *
89. In Sec.  95.17, revise the section heading and revise paragraph (a) 
to read as follows:


Sec.  95.17  Facility clearance process.

    (a) Following the receipt of an acceptable request for facility 
clearance, the NRC will either accept an existing facility clearance 
granted by a current CSA and authorize possession of license or 
certificate related classified information, or process the facility for 
a facility clearance. Processing will include--
    (1) A determination based on review and approval of a Standard 
Practice Procedures Plan that granting of the Facility Clearance would 
not be inconsistent with the national interest, including a finding 
that the facility is not under foreign ownership, control, or influence 
to such a degree that a determination could not be made. An NRC finding 
of foreign ownership, control, or influence is based on factors 
concerning the foreign intelligence threat, risk of unauthorized 
technology transfer, type and sensitivity of the information that 
requires protection, the extent of foreign influence, record of 
compliance with pertinent laws, and the nature of international 
security and information exchange agreements.
    (2) An acceptable operational readiness review conducted by the 
NRC;
    (3) Submitting key management personnel, as defined in 32 CFR 
117.7, for personnel clearances (PCLs); and
    (4) Appointing a U.S. citizen employee as the facility security 
officer.
* * * * *


Sec.  95.18  [Reserved]

90. Remove and reserve Sec.  95.18.


Sec.  95.19  [Amended]

91. In Sec.  95.19, remove paragraph (c).
92. Add Sec.  95.24 to read as follows:


Sec.  95.24  Safeguarding National Security Information and Restricted 
Data.

    (a) Classified National Security Information and Restricted Data 
shall be protected in accordance with 32 CFR 117.15.
    (b) Licensees will develop procedures for safeguarding National 
Security Information and Restricted Data in accordance with 32 CFR 
117.7.
    (c) Supervision of keys and padlocks. Use of key-operated padlocks 
is subject to the following requirements:
    (1) A key and lock custodian shall be appointed to ensure proper 
custody and handling of keys and locks used for protection of 
classified matter;
    (2) A key and lock control register must be maintained to identify 
keys for each lock and their current location and custody;
    (3) Keys and locks must be audited each month;
    (4) Keys must be inventoried with each change of custody;
    (5) Keys must not be removed from the premises;
    (6) Keys and spare locks must be protected equivalent to the level 
of classified matter involved;
    (7) Locks must be changed or rotated at least every 12 months, and 
must be replaced after loss or compromise of their operable keys; and
    (8) Master keys may not be made.


Sec.  95.25  [Reserved]

93. Remove and reserve Sec.  95.25.


Sec.  95.27  [Reserved]

94. Remove and reserve Sec.  95.27.


Sec.  95.29  [Reserved]

95. Remove and reserve Sec.  95.29.


Sec.  95.31  [Reserved]

96. Remove and reserve Sec.  95.31.
97. Revise Sec.  95.33 to read as follows:


Sec.  95.33  Security training and briefings.

    (a) Security training and briefings shall be conducted in 
accordance with 32 CFR 117.12.
    (b) Records reflecting an individual's initial and refresher 
security briefings and security terminations must be maintained for 3 
years after termination of the individual's access authorization.
98. Revise Sec.  95.34 to read as follows:


Sec.  95.34  Visits and meetings.

    Visits and meetings shall be conducted in accordance with 32 CFR 
117.16.


Sec.  95.35  [Reserved]

99. Remove and reserve Sec.  95.35.
100. Revise Sec.  95.37 to read as follows:


Sec.  95.37  Classification and marking of documents.

    (a) Documents shall be classified in accordance with 32 CFR 117.13.
    (b) Classified documents shall be marked in accordance with 32 CFR 
117.14.
101. Revise Sec.  95.39 to read as follows:


Sec.  95.39  External transmission of documents and material.

    Classified information shall be transmitted in accordance with 32 
CFR 117.15(f).
102. Revise Sec.  95.43 to read as follows:


Sec.  95.43  Reproduction of classified information.

    Each licensee, certificate holder, or other person possessing 
classified information will follow the requirements established in 32 
CFR 117.15(e)(6) for the reproduction of classified information.


Sec.  95.45  [Reserved]

103. Remove and reserve Sec.  95.45.
104. Revise Sec.  95.47 to read as follows:


Sec.  95.47  Destruction of matter containing classified information.

    Each licensee, certificate holder, or other person possessing 
classified information will follow the requirements established in 32 
CFR 117.15(g) for the destruction of classified information.
105. Revise Sec.  95.49 to read as follows:


Sec.  95.49  Authorization to operate national security systems.

    Classified data or information may not be stored, processed, or 
transmitted on information technology or operational technology systems 
without an authority to operate issued by the NRC authorization 
official for licensee classified systems based on 32 CFR 117.18, 
``Information system security.''


Sec.  95.51  [Reserved]

106. Remove and reserve Sec.  95.51.
107. Revise Sec.  95.57 to read as follows:


Sec.  95.57  Reports.

    Each licensee, applicant for a license, certificate holder, 
construction-permit holder, or other person having a facility clearance 
must report to the NRC any incidents specified in 32 CFR 117.8. If the 
NRC is not the applicable CSA, then the licensee, applicant for a 
license, certificate holder, construction-permit holder, or other 
person must first report any incidents specified in 32 CFR 117.8 to 
their applicable CSA and then to the NRC.
    (a) All actual or suspected losses or compromises of classified 
information must be reported to the NRC in accordance with the 
requirements set forth in 32 CFR 117.8(d). Initial reports, as 
prescribed in 32 CFR 117.8(d)(2), must be submitted to the NRC within 
the following timeframes:
    (1) Confirmed or Suspected Compromise: If a loss, compromise, or 
suspected compromise is confirmed or reasonably suspected, an initial 
report must be submitted to the NRC Headquarters Operations Center 
within 1 hour of discovery. A written confirmation of the incident must 
be submitted in accordance with Sec.  95.9 of this part within forty-
eight (48) hours of the event.
    (2) No Compromise Determined: If it is determined that no loss, 
compromise, or suspected compromise occurred, a written report 
documenting this determination must be submitted in accordance with 
Sec.  95.9 of this part within forty-eight (48) hours of reaching that 
conclusion.
    (b) In addition, NRC requires records for all classification 
actions (documents classified, declassified, or downgraded) to be 
submitted to the NRC Division of Security Operations. These may be 
submitted either on an ``as completed'' basis or monthly. The 
information may be submitted either electronically by an on-line system 
(NRC prefers the use of a dial-in automated system connected to the 
Division of Security Operations) or by paper copy using NRC Form 790.

    Dated: June 24, 2026.

    For the Nuclear Regulatory Commission.
Tomas Herrera,
Acting Secretary of the Commission.
[FR Doc. 2026-12989 Filed 6-25-26; 8:45 am]