Office of the ClerkUnited States Court of Appeals for the Ninth Circuit

95 Seventh StreetPost Office Box 193939

San Francisco, California 94119-3939Cathy A. CattersonClerk of Court (415) 355-8000

May 11, 2007

U.S. Court of Appeals Docket Number:Agency Number:Short Title:

07-718681OCFRPublic Citizen v. NRC

Dear Counsel:

Your Petition for Review has been received in the Clerk's Office of the UnitedStates Court of Appeals for the Ninth Circuit.

The U.S. Court of Appeals docket number shown above has been assigned to thiscase. Always indicate this Court of Appeals docket number when correspondingwith this office about your case.

The due dates for filing the parties' briefs and otherwise perfecting thepetition have been set by the enclosed "Time Schedule Order," pursuant toapplicable FRAP rules. These dates can be extended only by court order.Failure of the petitioner to comply with the time schedule order will result inautomatic dismissal of the petition. 9th Cir. R. 42-1.

The following information is being provided in an attempt to answer the mostfrequently asked questions regarding the appellate process. Please review thisinformation very carefully. For convenience, we use the term "Circuit Rules"instead of "Rules of the United States Court of Appeals for the Ninth Circuit" and"FRAP" instead of "Federal Rules of Appellate Procedure.",

Enclosed with this letter is an appellate processing schedule along with a caseprocessing checklist to help you monitor the progress of your case.

Petitioners who are filing pro se should refer to the accompanyinginformation sheet regarding the filing of informal briefs.

UNITED STATES COURT OF APPEALS

FOR THE NINTH CIRCUIT

PUBLIC CITIZEN; SAN LUIS OBISPO No. 07-71868MOTHERS FOR PEACE, NRC No. 1OCFR

Petitioners,TIME SCHEDULE

v. ORDER

NUCLEAR REGULATORYCOMMISSION,

Respondent.

The parties shall meet the following time schedule:

Appellant/petitioner shall immediately file the civil appeals docketingstatement (CADS), pursuant to Circuit Rule 33-1;

7/30/07 Appellant/petitioner's opening brief and excerpts of record shall beserved and filed pursuant to FRAP 32 and 9th Cir. R. 32-1;

8/29/07 The brief of appellee/respondent shall be filed and served, pursuant toFRAP 32 and 9th Cir. R. 32-1

Failure of the appellant to comply with the Time Schedule Order will result inautomatic dismissal of the appeal. 9th Cir. R. 42-1

Appellants/Petitioners without representation of counsel in a prisoner appealmay have their case submitted on the briefs and record without oralargument, pursuant to FRAP 34(a). Within 10 days of the filing of theappellant's opening brief, parties may file a statement setting forth thereasons why, in the opinion of the parties, oral argument should be heard.

FOR THE COURT:

Cathy A. CattersonClerk of Court

By: David VignolDeputy Clerk

MRY-11-2007 17:20 P.02/26

RECEIVEDCATHY A. CATTERSON, CLERK

U.S. COURT OF APPEALS

IN THE UNITED STATES COURT OF APPEALSFOR THE NINTH CIRCUIT MAY 1 12007

FILED_

DOCKETEDDATE INITIAL

No.__ _

PUBLIC CITIZEN, INC., and SAN LUIS OBISPO MOTHERS FOR PEACE,&R 0 Petitioners,

UNITED STATES NUCLEAR REGULATORY COMMISSION,Respondent.

PETITION FOR REVIEW

Pursuant to 42 U.S.C. § 2239(b) and 28 U.S.C. § 2344, petitioners Public Citizen, Inc.,

and San Luis Obispo Mothers for Peace, through their undersigned counsel, hereby petition for

review of the United States Nuclear Regulatory Commission's final rule, published at 72 Federal

Register 12705 on March 19, 2007, revising the Commission's "design basis threat" regulation,

10 C.F.R. § 73.1, which describes the types of terrorist threats against which nuclear power

plants and certain other facilities must maintain effective security measures. A copy of the final

rule is attached.

sumitted,

SCOTr L. NELSONADINA H. ROSENBAUMBRIAN WOLFMANPUBLIC CITIZEN LITIGATION GROUP1600 20th Street, N.W.Washington, D.C. 20009(202) 588-1000

Counsel for PetitionersDated: May 11, 2007

MAY-11-200? 17:20 P. 03/26

Federal Register / Vol. 72, No. 52/ Monday, March 19, 2007 / Rules and Regulations 12705

rule modified existing debt refinancingeligibility language and inadvertentlyomitted three key words that existedprior to the final rule taking effect. Thisrule inserts those three words back intothe debt refinancing eligibility language,

List of Subjects in 7 CFR Part 4279

Business and industry, Loanprograms, Rural areas. Ruraldevelopment assistance.

a Accordingly, chapter XLH, title 7,Code of Federal Regulations, isamended as follows:

PART 4279--GUARANTEEDLOANMAKING

a 1. The authority citation for part 4279continues to read as follows:

Authority: a U.S.C. 301 and 7 U.S.C. lose.

Subpart B-Business and IndustryLoans

W 2. In § 4279.113, paragraph (r) isrevised to read as follows:

§4279.113 ElIgible loan purposs.

(rW To refinance outstanding debtwhen it is determined that the project isviable and refinancing Is necessary toimprove cash flow and create new orsave existing jobs. Except as providedfor in § 4279,108(d}(4) of this subpart,existing lender debt may be includedprovided that, at the time of application,the loan has been current for at least thepast 12 months (unless such status isachieved by the lender forgiving theborrower's debt) and the lender isproviding better rates or terms.Subordinated owner debt is not eligibleunder this paragraph. Unless theamount to be refinanced is oweddirectly to the Federal government or isfederally guaranteed, the existing lenderdebt refinancing must be a secondarypart (less than 50 percent) of the overallloan,

Dated: 'ubruary 23,2007.Jackii 1. Gleaoan,Administrator, Rural Buslness-CooperafiveSurvicc.jIF Doc. E7-4920 Filed 3-16-0O7; 8;45 am]BUNSO cooEl o410-XY-P

NUCLEAR REGULATORYCOMMISSION

10 CFR Part 73RIN 3150-AH60

Design Basis Threat

AGENCY: Nuclear RegulatoryCommission,ACTION: Final rule.

sUMMARY: The Nuclear RegulatoryCommission (NRC) is amending itsregulations that govern the requirementspertaining to the design basis threats(DBTs). This final rule makesgenerically applicable securityrequirements similar to those previouslyimposed by the Commission's April 29,2003 DBT Orders, based uponexperience and insights gained by theCommission during implementation,and redefines the level of securityrequirements necessary to ensure thatthe public health and safety andcommon defense and security areadequately protected. Pursuant toSection 170E of the Atomic Energy ActMAEA). the final rule revises the DBTrequirements for radiological sabotage,generally applicable to power reactorsand Category I fuel cycle facilities, andfor theft or diversion of NRC-licensedStrategic Special Nuclear Material(SSNM, applicable to Category I fuelcycle facilities. Additionally, a petitionfor rulemaking (PRM-;3-12), filed bythe Committee to Bridge the Cap, wasconsidered as part of this rulamakIng.The NRC partially granted PRM-73-12in the proposed rule, but deferred actionon other aspects of the petition to thefinal rule. The NRC's final disposition ofPRM-73-12 is contained in thisdocument,DATES: Effective Date: April 18, 2007.FOR FURTHER JNFORMATION CONTACT:Manash X, Bagchl, Office of NuclearReactor Regulation, U.S. NuclearRegulatory Commission, Washington,DC 20555-0001. telephone 301-415-2005, e-mail MKB2@NC.GOV,SUPPLEMENTARY INFORMATION:

Table of Contents1. Background11 A.nalysis of Public Communts and

Conliduration of the 22 Factors of theRnergy Policy Act of 2005

M. Summasry of Specific Changes Made to theProposed Rule 4a a Result of PublicComments

IV. Section by Section AnalysisV. GuidanceVI. Resolution ofPoLetion (PRM-73-12)VII. Criminal PenaltiesVIIIM Compatibility of Agreement State

Regulations

IX. Availability of DocumentsX, Plain LanguageXl. Voluntary Consensus StandardsX11. Finding of No SignificanL Envlranrmenal

Impacti Environmental Assessment:Availability

Xm. PaperworkLReduction Act StatementXIV, Regulatory .AnalysimXV, Regulatory Flexibility Act CortiflcaLionXVL BackfltAnalysisXVUI, Co•gresbianel Review Act

I. BackgroundThe DBT requirements in 10 CFR 73.1

describe general adversarycharacteristics that designated licenseesmust defend against with highassurance. These NRC requirementsinclude protection against radiologicalsabotage [generally applied to powerreactors and Category I fuel cyclefacilities) and thelft or diversion of NRC-licensed SSNM (generally applied toCategory I fuel cycle facilities). OnNovember 7, 2005 (70 FR 67380), theCommission published a proposed rulefor public comment seeking to amendIts regulation that governs therequirements pertaining to the DBTs.The DBTs are used by licensees to formthe basis for site-specific defensivestrategies implemented throughphysical security plans, safeguardscontingency plans, and securitypersonnel training end qualificationsplans. Amendment of the DBT rule wasinfluenced by a number of rctorsdescribed below.. Following the terrorist attacks on

Soptember 12, 2001, the NRC conducteda thorough review of security practicesto ensure that nuclear power plants andother licensed facilities continued tohave effective security measures inplace to address the changing threatenvironment. The NRC recognized thatsome elements of the DBTs requiredenhancement. After soliciting andreceiving comments from Federal, State,and local agencies, and industrystakeholders, and reviewing an analysisot Intelligence information regarding thetrends and capabilities of potentialadversaries, the NRC imposedsupplemental DBT requirements byorder on April 29, 2003. TheCommission deliberated on theresponsibilities of the local, State, andFederal stakeholders to protect thenation and the responsibility of thelicensees to protect individual nuclearfacilities before issuing -lie April 29,2003 DBT Orders.

The April 29, 2003 DBT Ordersrequired nuclear power reactors andCategory I fuel cycle facility licensees torevise their physical security plans,security personnel training and .qualification plans, and safeguardscontingency plans to defend against the

MRY-11-2007 17:21 P. 04/26

12706 Federal Register/Vol. 72, No. 52/Monday. March 19, 2007/Rules and Regulations

supplemental DBT requirements. Theorders required licensees to makesecurity enhancements such as:Augmented security forces andcapabilities; increased, patrols;additional security posts and physicalbarriers; vehicle checks at greaterstandoff distances; enhancedcoordination with law enforcement andmilitary authorities; augmented securityand emergency response training,equipment, and communication; andmore restrictive site access controls forpersonnel, including expanded,expedited, and more thorough initialand follow-an screening of powerreactor and Category I fuel cycle facilityemployees. After gaining experiencewith implementation of those orders,the Commission concluded that thegeneral attributes of the orders shouldbe generically imposed by regulation oncertain classes of licensees.

In addition, PRM-73-12 was fled bythe Committee to Bridge the Gap on July23, 2004, and was published forcomment (So Fl? 64690; November 8,2004). PRM-73-12 requests that theNRC amend its regulations to revise theDBT regulations (in terms of thenumbers, teams, capabilities, planning,willingness to die, and othercharacteristics of adversaries) to a levelthat encompasses, with a sufficientmargin of safety, the terroristcapabilities evidenced by the attacks ofSeptember 11, 2001. The petition alsorequests that.security plans, systems.inspections, and force-on-force (FOF)exercises be revised in accordance withthe amended DBTs, and that arequirement be added to pert 73 toconstruct shields against air attack (theshields are referred to as "beamhenges")which the petition asserts would enablenuclear power plants to withstand an airattack from a jumbo jet. The NRCpartially granted PRM-73-12 in theproposed rule, but deferred action onother aspects of the petition to the finalrulemaking. The NRC's final dispositionof PRM-73-12 is discussed in SectionVI of this document.

Finally, the Energy Policy Act (EPAct)of 2005 was signed into law on August8. 2005. Section 651(a) of the EPActamended the AEA by adding Section170E, that required the Commission toinitiate a rulemaking to revise the DBTs.In addition, Section 170E also directedthe Commission to consider but not belimited to, the 12 factors specified in thestatute in the course of that rulemaking.A,; stated in the proposed rule, thasafactors are:

(I) The events of September 11, 2001;(2) An assessment of physical, cyber,

biochemical, and other terrorist threats;

(3) The potential for attack onfacilities by multiple coordinated teamsof a large number of individuals;

(4) The potential for assistance in anattack from several persons employed atthe facility:

(5) The potential for suicide attacks-(6) The potential Cor water-based and

air-based threats;(7] The potential use of explosive

devices of considerable size and othermodern weaponry;

(8) The potential for attacks bypersons with a sophisticated knowledgeof facility operations;

(9) The potential for fires, especiallyfires of long duration:-

(10) The potential for attacks on spentfuel shipments by multiple coordinatedteams of a large number of individuals;

.(12) The adequacy of planning toprotect the public health and safety atand around nuclear facilities, asappropriate, in the event of a terroristattack against a nuclear facility, and

(12) The. potential for theft ordiversion of nuclear material from suchfacilities:

The Commission took into account anumber of issues and sources inconducting this rulemaking, whichincluded its experience in theimplementation of the DBT Orders, theissues raised in PRM-73-12, EPActrequirements, and the public comnentson the proposed rule. The Commissionhas considered and deliberated on the12 factors identified in the EPAct. Theresults of its consideration are set forthin Section II of this document.Additionally, the Commissionspecifically invited public comments onhow these factors should be addressedin the rule. Many of the commentsreceived substantively focused on the 12factors. Those comments and theCommission's responses are alsodiscussed in Section I1.

It Is important to note that theCommission was careful to set forth ruletext in the final rule that does notcompromise licensee security, but alsoacknowledges the necessity to keep thepublic informed of the types of attacksagainst which nuclear power plants andCategory I fuel cycle facilities arerequired to defend. To this end, the finalrule maintains a level of detail in therule language that is generallycomparable to the previous regulation,while updating the general DBTattributes in a manner consistent with.the insights gained from the applicationof supplemental security requirementsImposed by the April 29, 2003 DBTOrders, the EPAct, and consideration ofpublic comments,

The final rule contains the DBT withwhich licensees must legally comply,

More specific details (e.g., specificweapons, ammunition, etc.) areconsolidated in adversarycharacteristics documents (ACDs) whichcontain classified or SafeguardsInformation (SGI). The technical basesfor the ACDs are derived largely fromintelligence information. They alsocontain classified or SCI that cannot bepublicly disclosed. These documentsmust he withheld from publicdisclosure and made available only ana need-to-know basis to those who arecleared for access.

Because the regulatory guides (RGs)and the ACDs are guidance documentsthat provide details to the licenseesregarding Implementation andcompliance with the DBTs, thesedocuments may be updated from time totime as a result of the NRC's periodicthreat reviews. The NRC has beenconducting threat reviews since 1979,These threat reviews are performed inconjunction with the intelligence andlaw enforcement communities toidentify changes in the threatenvironment which may, in turn,require adjustments of NRC securityrequirements. Future revisions to theAGs. would not require changes to theD8T regulations in 10 CFR 73.1,provided the changes remain within thescope of the rule text.

[I. Analysis of Public Comments andConsideration of tei 12 Factors of theEPAct

The proposed rule provided a 75-daypublic comment period that ended onJanuary 23, 2006. The comment periodwas extended by another 30 days inresponse to a request from the NuclearEnergy Institute (NEI), an industrygroup, to allow additional time forreview of the proposed rule because thecomment period overlapped the year-end holidays. The extended commentperiod ended on February ZZ, 200. Atotal of 919 comments were receivedfrom about 903 individuals, one county,13 citizen groups, one utility involvedin nuclear activities, and two nuclearindustry groups. The comments covereda range of issues, some of which werebeyond the scope of this rulemakingbecause they were specific to protectivemeasures but did not relate to theadversary characteristics. The commontrhave boon organized under three groups:Group I, Consideration of the 12 Factorsin the EPAct; Group 1i, In-Scope-comments, that includes commentsraising issues and concerns directlyrelated to the contents of the DBT rule;and Group 1Ml, Out-of-Scope comments,that includes comments raising issuesand questions that are not directlyrelated to the DBT rule, although they

MAY-i1-2007 17:22 P. 05/26

Federal Register/Vol. 72, No. 52/Monday, March 19, 2007/Rules and Regulations 12707

are generally. relevant to the secuxity ofnuclear facilities. Responses areprovided in the following format:

Group 1: Consideration of the 12 Factorsin die Energy Policy Act

The Commission's consideration,public comments, and responses to thepublic comments are provided for the12 factars described in Section A.

Group 1: In Scope CommentsComments in Groups IU and MI are

organized under the following generalcategories. The Commission's respoosesto these comment categories areprovided in Section 8:

1. Definition of the Design BasisThreats

2. Applicability of the Enemy of theState Rule

3. Compliance with AdministrativuProcedure Act (APA) Notice andComment Requirements

4. Ambiguous Rule Text5. Differentiation in Treatment of

General and Specific Licenses for ISFSIG. Applicability of the Radiological

Sabotage DBT to New Nuclear PowerPlants

7. Consideration of the Uniqueness ofEach Plant in Application of the DBTs

8. Continued Exemption of Researchand Test Reactors from the DBTRequirements

0. Changes in Security Requirementsto be Addressed Under Backfit Rule

10. Compliance with the PaperworkReduction Act

11. Adequacy of the RegulatoryAnalysis

12. Compliance with the NationalEnvironmental Policy Act WNEPA)

13. Issuance of Annual Report Cardon Individual Licensees

Group I.I: Out of Scope Comments

14. Federalization of Security15. Force-on-Force Tests of Security

* 16. Screening of Workers in NuclearPower Plants

17, Self-Sufficient DefenseCapabilities

18. Security of Dry Cask Storage10. Security of Spent Fuel Pools20, Inherent Design Problems that

make Reactors VulnerableA Comments Matrix has been

provided in Appendix A, that referenceseach topic with comments. The NRC'sresponse to each topic is listed below:

Section A

Group I. Consideration of the 12 Factorsin the Energy Policy Act

As discussed above, Section 170E ofthe AEA, as amended by Section 651(a)of the EPAct, directed the Commissionto consider but not be limited to, the 12

factors specified In the statute in thecourse of the DBT rulemaking. Many ofthe comments received by theCommission focused on one or more ofthese factors, Prior to discussing thesubstance of the 22 factors, theCommialion notes that severalcomrentars charged that theCommission violated Section 170E bynot considering some of the 12 factors,and by deferring final consideration ofsome of the provisions to the final rule.Those commenters suggested that thisnot only violated the mandate of Section170E, but also'the AdministrativeProcedure Act (APA) by not providingadequate notice of the substance of therule, and thus, the rule should bewithdrawn and re-proposed.

To be clear, Section 170E stated thatthe Commission "shall consider," butnot be limited to, the 12 factors whenconducting the DBT rulemaking.However, the EPAct did not require thatthe Commission explicitly include anyof the 12 factors in the proposed or finalrule text. The Commission carefullyconsidered intelligence information,vulnerability assessments, otherCommission-sponsored studies, andeach of the 12 factors In formulating thefinal rule. Accordingly, a number ofprovisions or rule changes were adoptedthat specifically incorporate certainlanguage used in the 12 factors. Forinstance, the final rule contains specificprovisions related to multiple.coordinated groups' of attackers (Factor3), suicide attacks (Factor 5), insiderassistance (Factors 4 and 8), endwaterborne attacks (Factor 6).Additionally, based on dhe '-2 factors,public comment, and other intelligenceand law enforcement information, theCommission has decided to explicitlyinclude a cyber threat as an attribute ofthe DBTa (Factor 2).

After careful consideration, theCommission also chose not to adoptelements related to some EPAct factorsas part of the rule text. However, thatdecision should not be misconstrued aslack of consideration of the factorsthemselves. Nor should theCommission's statement in the proposedrule soliciting comments on "whether orhow the 12 factors should be addressedin the DBT rule" be interpreted to meanthat the Commission deferredconsideration of the factors until after it

I For puTpopos of this rule, there is no substanUvedifferance between the terms "g'oup." and "team"In reeretnco to the oporational capabisles of thaDBT advorsary farme. The meaulars of the form"roup?" is the some si the meaahia at the form'team, used In the propoedd rula. The term "team"wa presgrvod in thd final ruloonly when

wm'msunlzian comments an the proposed tulo or tho12 Factors of the EPAct.

received comments. Rather, theCommission proposed requirements thatwould require licensees to defendagainst threats the Commissionconsidered appropriate at that time,subject to change in the final rule afterfurther consideration of publiccomments.

Several commenters specificallycharged that the Commission deferredits consideration of air-based threats tothe final rule, thus underminingstakeholders' abilities to know theCommission's position on that factor. Atthe time that the proposed rule wasptublished, the Commission maintainedtsview that protection against airborneattack could best be provided by thestrengthening of airport and airlinesecurity measures. Accordingly. theCommission did not propose to includea provision in the proposed rule thatwotld require licensees to providedefense against an airborne attack butthe Commission specifically soughtcomment on the issue in thu proposedDBT rule and has remained open tochanging its position. In addition tobeing raised in PRM-73-12, theCormuisalon has received numerouscomments on the airborne threat. It hascarefully considered those commentsand he. responded to them below. Theassertion about the lack of APA noticewith regard to the EPAct's 12 factors iswithout merit. The proposed rulediscussion contained, under a sectiondesignated "Proposed Regulations." (70FR 67381) a detailed listing andclarifying discussion of the 12 factorsand a specific request for publiccomment on "whether or how the 12factors should be addressed in the DBTrule." (70 FR 67382).

Factor 1. The Events of September ii,2001

The Commission's Consideration: Theevents of September 22, 2001, have beoncentral to the Commission's efforts inreevaluating the DiTs. As a result ofthese attacks, the NRC promptlyreevaluated the DBTa and imposedadditional requirements on licenseesthrough orders, including the April 29,2003 Orders on the DBTs. A number ofrevisions to the DBTs have resultedfrom consideration of the events ofSeptember 11, 2001. Those revisionsinclude increased adversaries'willingness to kill or be killed, and thecapability to operate in several differentmodes of attack, including multipleadversary groups, and multipleadversary entry points.

Public Comment: Several commentersspecifically challenged the proposedrule's consideration of the events ofSeptember 11, 2001, expressing concern

MAY-11-2007 17:22 P. 06/26

12708 Federal Register/Vol. 72, No. 52/Monday, March 19, 2007/Rules and RegulationsI

that the DBT rule does not requirelicensees to defend against a number ofattackars comparable to the number ofterrorists (19) who participated in theattacks on September 11, 2001.

Response to Public Comment: TheCommission disagrees with thecomment. The Commission'sconsideration of the number of attackerscomprising the DBT is discussed inmore detail below under Factor 3.However, with respect to the assertionthat the number ofattackers should becomparable to the number of September11, 2001, attackers (19), the Commissionnotes that the official U.S. Governmentterrorism report for 2001, "Patterns ofGlobal Terrorism," states that theSeptember 11, 2001, attacks consisted of"four separate but coordinated aircrafthijackings," not a single attackinvolving 19 assailants. However, in itsannual terrorism report for 2001, theFederal Bureau of Investigation (FBI)considered the attacks as one act ofinternational terrorism by "fourcoordinated teams of terrorists."Consideration of seemingly inconsistentviews was just one part of a significantstatistical analysis conducted by theNRC as part of the post-September 11,2001, DBT process to determine theDBT adversary force size. In summary:

9 NRC position: Disagrees with thecomment.* Action: No action required.

Factor 2. An Assessment of Physical,Cyber, Biochemical, and Other TerroristThreats

The Commission 's Consideration:Although the DBT rule does notelaborate on the specifics of vehiclebomb size, numbers of adversaries, orexact types of weapons for operationBIsecurity purposes, the Commissionbelieves they are appropriate. The DBTsare the result of the NRC's continuousevaluation of current threats. Thatevaluation is not limited to a particularkind of threat, but naturally includesconsideration of physical threats, cyberthreats, and biochemical threats. TheDBT rule reflects the Commission'sdetermination of the composite set ofadversary features against which privatesecurity forces should reasonably haveto defend.

The DBT rule has been amended Inseveral significant respects to reflect thecurrent physical. cybor, biochemical,and other terrorist throats. For example,the radiological sabotage DDT has beenenhanced to reflect the requirement thatthe licensees have a capability to defendagainst attackers with the ability tooperate In several modes of attack,including as multiple groups, attackingfrom multiple entry points.

Additionally, in § 73.1(a)(I)(i)(C), thephrase "up to and including" waschanged to simply "including" toprovide flexibility in defining the rangeof weapons available to the compositeadversary force.

One significant change to the rulerelates to physical threats from the useof vehicles, either as modes oftransportation or as vehicle bombs.Section 73.1 (a[l()(0){13, for example,effectively expands the scope ofvehicles available for the transportationof adversaries by deleting the referenceto "four-wheel drive" and by addingwater-based vehicles.

In addition, § 73.1(a)(1)(iii) (the landvehicle bomb provision) is similarlyrevised to delete the "four-wheel drive"limitation, auid to add a capability thatthe vehicle bomb "may be coordinatedwith an external assault," maximizingits destructive potential. Further, anentirely new capability has been addedto the DBT involving a waterbornevehicle bomb, which also isencompassed in the coordinated attackconcept

The Commission has also carefullyconsidered biochemical threats bothbefore and after the events of September11. 2001. The previous rule alreadycontained requirements that providedthe capability of usin "incapacitatingagents," and that attribute has beenretained In the final rule. In addition.armed responders are required to beequipped with gas masks to effectively.Implement the protective strategy andmitigate the effects of the Incapacitatingagents.

Public Comment: Although many ofthe public comments could generally becharacterized as addressing Factor 2,only a few comments specifically fallunder this factor. One commenter statedthat the NRC needs to engageindependent experts to develop acomprehensive computer vulnerabilityand cyber attack threat assessment, thatmust evaluate the vulnerability of thefall range of nuclear power plantcomputer systems and the potentialconsequences of these vulnerabilities.The commenter further suggested thatthe revised DBTs must incorporate thesefindings and include a protocol forquickly detecting such an attack andrecovering key computer functions inthe event of an attack.

Two other commentaers stated that theregulations do not reflect protectionsagainst explosive devices ofconsiderable size, other modernweaponry, and cyber, biochemical, andother terrorist threats. Anothercommenter did not believe the proposedDBTs protected against all conceivableattacks, such as launching a large

explosive device from a boat, cloggingthe water intakes, dropping aconventional bomb into spent fuelpools, insider sabotage, etc. .

Response to Public Commeni:Regarding the threat of cyber snackcomment, the NRC agrees with thestatement submitted by the commenterand explicitly included a cyber attack asan element of the DBTs in the final rule.The basis for this addition, andimplications of the rule change arediscussed further in Section III of thisdocument. in addition, the proposed 10CFR 73.55(m), "Digital Computer andCommunication Networks," that isincluded in the proposed rule, "PowerReactor Security Requirements," (71 FR62664; October 26, 2006), containsproposed measures to mitigate a cyberattack.

With respect to the other commentsregarding protection against explosivesof considerable size and modernweaponry, as stated earlier, the detailsof the adversary capabilities can not bespecified publicly, but the Commissionbelieves they are appropriate.Furthermore, the land vehicle bombassault may be coordinated with anexternal assault, maximizing itsdestructive potential.

The NRC does not intend the DBTs torepresent "worst case" scenarios or allconceivable attacks. It is impossible toaddress all possible attack scenarios,because there is no theoretical limit towhat attack scenarios can be conceived.Therefore, the NRC staff considers thetactics that have been observed in use,discussed, or trained for by potentialadversaries. Those tactics and DBTprovisions are subjected to aninteragency review process whereFederal law enforcement andintelligence conimunity agencies,comment and provide feedback. ifchanges develop in adversary tacticsthat could significantly impact nuclearfacility security, the staff would requestthat the Commission consider thosetactics for inclusion In the DDTprovisions, In summary:

* NRC p osition: Agrees with oneelement o0 comment-include cyberthreat as an attribute; disagrees with theother two elements.

* Action: Final rule includes cyborattack-as en explicit element of theDBTs. No other action required.Factor 3. The Potential for Attack onFacilities by Multiple CoordinatedTeams of a Large Number of Individuals

The Commission's Consideration: Thenumber of attackers and the iectics usedby those attackers is now and hasalways been a core consideration of theDBT. Although the NRC obviously

MAY-11-2007 17:23 P. 07/26

Federal Register/Vol. 72, No. 52/Monday, March 19, 2007/Rules and Regulations 13709

cannot comment on the size (specificnumber of attackers) of the DBTadversary force for operational securityreasons, it can address the process howthese numbers are derived. As noted inthe Commission's consideration ofFactor 1, the size of the DBT adversaryforce and the number of assault teamswere derived through a careful anddeliberative process involving not onlythe NRC staff, but Federal lawenforcement, and intelligencecommunity, and homeland securityagencies using a variety of classified andunclassified sources. A statisticalanalysis was done on terrorist groupsize by looking at hundreds of terroristattacks over several years. andcomparing them wildi previous groupsize analyses for changes in long-terratrends. Large "outlier" terrorist events,although few in number, were includedin this analysis. This statistical analysiswas factored into a parallel analysis ofknown terrorist attacks against protectedfacilities (also few in number) andterrorist training, tactics, and doctrinalmanuals concerning armed assaultsagainst facilities.

In addition, the NRC found that thevague qualifiers ("several persons" and"small group") in the previousadversary descriptions in 10 CFR 73.1did little to add to the clarity of the rulebecause the phrases are highlysubjective. Thus, the final rule nowcontains the more specific language "byan adversary force capable of operatingin each of the following modes: a singlegroup attacking through one entry point,multiple groups attacking throughmultiple entry points, a combination ofone or niore groups and one or moreindividuals attacking through multipleontry points, or individuals attacking'through separate entry points." Byrevising the language in the rule andeliminating the reference to "severalpersons" and "small group." the NRCactually increased the potentialflexibility of the design basis adversary.The use of multiple adversary groups isnot necessarily tactically advantageousto the attacking force in all possiblescenarios. In some instances, theadversary force, as simulated in Force.on-Force (FOF) exercises can, based onits analysis of the licensee's protectivestrategy, concentrate its force in a singlegroup if necessary to beet attack afacility. In other instances, a licensee'sprotective strategy may bb inorevulnerable to multiple groups ofattackers attempting entry from differentlocations. In any event, the final DBTrule now provides enough flexibility toaccount for all of these scenarios, while

dte guidance provides sufficientspecificity.

Public Comment: Several cornmenterscontend that for nuclear power plants,the regulations should provideprotection against coordinated attacksby multiple large groups of up to twodozen sophisticated and knowledgeableadversaries.

Response to Public Comment: Asstated above, the Commission hasrevised the rule to reflect theseconsiderations and to provide maximumflexibility in developing threat scenarioswhich licensees must defend against. Insummiary:

s* N position: Agrees partially withthe comment.

a Action: No additional actionrequired, beyond adoption of morespecific language in the final rule.

Factor 4. The Potential for Assistance inan Attack From Several PersonsEmployed at the Facility

The Commission ' Consideration: TheCommission has always considered thethreat of insider assistance to be a veryreel and significant threat. Thus, theDB3Ts have long contained a provisionrequiring licensees to protect againstinsider assistance. Also, other NRCregulations contain substantialrequirements for access authorizationprograms (10 CFR 73.56, 'PersonnelAccess Authorization Requirements forNuclear Power Plants," and 10 CFR73.57, "Requirements for CriminalHistory Checks of Individuals GrantedUnescorted Access to a Nuclear PowerFacility or Access to SafeguardsInformation by Power ReactorLicensees"). However, the final rule hasamended this requirement to expand thethreat of insider assisrance. Forinstance, 10 CFR 73.1(a)(I)(A) and(2)(i)(A) add language indicating thatthe adversaries have "sufficientknowledge to identify specificequipment or locations necessary for asuccessful attack." Therefore, thisprovision suggests that this knowledgecould be obtained krom an insider whohas such knowledge.

The insider assistance provision itselfhas also been revised. The final ruledeletes the term "individual" to provideflexibility in defining the number ofpersons who may be involved inproviding inside assistance.

Public Comment: One commenterstated that the insider attribute mustinclude an active participant in anattack and should include thepossibility of first responders and orNational Guardsman providing insiderassistance.

Response to Public Comment: The"NRC agrees with part one of this

comment. The capability of "active"insider assistance is clearly stated inboth 10 CFR 73.1(a)(1)(i)(B) forradiological sabotage and 10 CPR73.1(a)(2)(i)(B) for theft or diversion ofstrategic special nuclear material,Further, the "active" assistancecapability has long been a component ofthe DBTs. The use of the conjunction"or" provides for increased tacticalflexibility on the part of the adversary,based on dte specific situation. It doesnot preclude an active insider in favorof a passive one,

The NRC disagrees with the secondpart of this comment. National Guard,local law enforcement and other non-liceasee security personnel alreadystationed at the owner-controlledboundary or entry portals of somelicensee facilities are not part of thelicensee workforce and not subject toNRC regulatory authority; hence, theyare considered beyond the scope of theDBTs. Typically, these organizationshave their own internal screeningprocedures to determine reliabiliiy andtrustworthiness. The NRC recognizesthat those processes exist and providean appropriate level of assurance againstan insider threat to that organization.

turthermore, first responders, lawenforcement, and National Guardpersonnel are not given unescortedaccess to the Protected Area (PA).

First responders, law enforcement,and other external security personnelresponding to an emergency or securityevent at a site would do so according toestablished emergency responseprotocols. If a particular respondingorganization had been penetrated by onadversary insider, then that adversarywould be considered en externaladversary for purposes of the DBTs. Therequirement that licensees protectagainst "A determined violent externalassault, attack by stealth, or deceptiveactions, including diversionaryactions," as described in §§ 73.1(a)(1))ii,and 73.1(a)(2](i), anticipates such an.adversary. In summary:

. NRC Position: Agrees with the firstelement of the comment, disagrees withthe second element of the comment.

o Action: No action required.

Factor 5, The Potential for SuicideAttacks

The CommJsigion Conrideration: Thefinal rule contains language reflectingthe potential for suicide attacks, Thislevel of commitment has been assumedsince the first DBTs were established bythe NRC. Language has been added to§§ 73.1(1)(i)(A) and 73a1(Z)(i)(A)indicating that potential adversarieshave the attribute of a willingness to"kill or be killed."

MAY-11-2007 17:24 P. 08/26

13710 Federal Register/Vol. 72, No. 52/Monday, March 19, 200./Ruiles and Regulations

Public Comment: No public commentreceived.

Response to Public Comment: Noresponse required.

Factor 6. The Potential for Water-Basedand Air-Based Threats

a. The Commissions Consideration:Certainly one of the most substantialconsiderations of the Commission, NRClicensees, the Federal government, andthe public is the threat of airborneattacks against critical infrastructures,As stated below, the vast majority ofcomments received by the Commissionon the proposed DBT rule regarded theairborne threat, The Commission hasbeen evaluating the issue of air-basedthroats long before it was required bythe EPAct, and Its position on thenecessity to add this atribute to theDBTs prior to this rulemaking has beenwell documented. The Commission'sevaluation of the airborne threat hasbeen an ongoing process, and it hasspent a significant amount of time andresources as part of this rulemaking inconsidering whether to make some typeof airborne threat part of the DBTs.Ultimately, the Commnission hasdetermined that active protectionagainst the airborne threat requiresmilitary weapons and ordnance thatrightfully are the responsibilities of theDepartment of Defense (DOD), such asground-based air defense missiles, andthus, the airborne threat is one that isbeyond what a private security force canreasonably be expected to defendagainst. This does not mean that theCommission is discounting the airbornethreat: merely that the responsibility foractively protecting against the threat lieswith other organizations of the Federalgovernment, as it does for any U.S.commercial lnfrastructurs,

Beyond active protection, theCommission believes that someconsiderations Involving airborne attackrelate to the development of specificprotective strategies and physicalprotection measures that are not withinthe scope of the DITs. The deploymentof ground-based air defense weaponswould be a decision for the Departmentsof Defense, Homeland Security,Transportation and Justice, not the NRC.In addition, the NRC believes thatapplication of ground-based air defenseweapons would present significantcommand and control challenges,particularly relating to the time requiredto Identify and confirm the presence ofa hostile aircraft and for a commercialandtiy to get permission to engage. Thepotential for collateral damage to thesurrounding community also wouldhave to be considered. Deployment ofprotective measures such as no-fly

zones, combat air patrols, and ground-based air defenses are undertaken bymany other Federal organizationsworking on preventing and protectingcritical infrastructure from terroristattacks, including the U.S. NorthernCommand (USNORTHCOM) and NorthAmerican Aerospace Def'ense Command(NORAD), the Transportation SecurityAdministration (TSA), end the FederalAviation Administration (FAA). TheFAA has issued a Notice to Airmen(NOTAM) strongly advising pilots toavoid the airspace above, or Inproximity to, such sites as power plants(nuclear, hydro-electric, or coal), dams,refineries, industrial complexes.military facilities and other similarfacilities. Pilots are warned not to loiterIn the vicinity of these types offacilities. The significant increase inaviation security since September 11,2001, goes a long way toward protectingthe United States, including nuclearfacilities, from an aerial attack. Some ofthese improvements include:

s Criminal history chocks on flightcrew;

@ Reinforced cockpit doors:s Checking of passenger lists against"no-fly" lists;• Increased control of cargo;* Random inspections:

Increased Federal Air Marshalpresence;

e .Improved screening of passengersand baggage:

a Foderal Flight Deck OfficerProgram;

* Controls on foreign passengercarriers;

" Requirements on charter aircraft;" Enhanced vigilance of flight

training; andv Improved coordination and

communication between civilian andmilitary authorities,

In February 2002, the Commission, inaddition to the actions of other Federalentities, directed nuclear power plantlicensees to develop specific plans andstrategies to respond to a wide range ofthreats, including the impact of anaircraft attack. NRC staff conductedmock exercises to practice imminent airattack responses with each licensee. TheNRC has continued to work withlicensees on these issues and hasinspected licensee actions to identifyand implement mitigation strategies tolimit the effects of such an event. TheNRC has conducted detailed, site-specific engineering studies of a limitednumber of plants to gain insights onpotential vulnerabilitles of nuclearpower plants to deliberate attacksinvolving large commercial aircraft. Theresults of these studies have confirmedthe effectiveness of the February 2002

NRC-ordered mitigative measures, andhave identified the need for someadditional enhancements. For thefacilities analyzed, the studies confirmthe low likelihood of both damaging thereactor core and releasing radioactivitythat could affect public health andsafety. Even in the unlikely event of aradiological release due to a terrorist useof a large aircraft against a nuclearpower plant, the studies indicate thatthere would be time to implement therequired on-size mitigating actions.These results have also validated thepotential radioactive source term for off-site emergency planning basis.Nevertheless, on June 20, 2006, the NRCissued orders to appropriate powerreactor licensees requiring theimp lamentation of additional keyradiological protection and mitigationstrategies to reduce potentialconsequences from the loss of largeareas of the plant due to large fires orexplosions. This information isdiscussed in, "In the Matter ofOperating Power Reactor LicenseesIdentified in Attachment 1; OrdersModifying Licensees (EffectiveImmediately)," (71 FR 36554; June 27,2006). Additional studies are beingconsidered to further assess mitigativecapabilities. The NRC will continue tocoordinate with the Department ofHomeland Security (DHS) on thisinitiative. (See Factor 9 for furtherdiscussion of a related topic, "Thepotential for fires, especially rires oflong duration.,"

Finally, in early March 2006, the NRChosted an Interagency Aircraft AttackTabletop Exercise at NRC Headquarters.Representatives from the DHS. the DOD/USNORTHCOM, and the FBI attended.The purpose of the exercise was toexplore Federal responsibilities andinterfaces, consistent with the NationalInfr•structure Protection Plan andNational Response Plan, for terroristincidents at nuclear power plants, with

.a focus on an aircraft attack on thefacility. The tabletop exercisereconfirmed the respectiveresponsibilities of the participatingorganizations (NRC, DHS, DOD, andFBI) in the event of a nuclear plantaircraft attack and clarified protocols forresponse-related interagencycommunication end coordination.

The final DBT contains two newprovisions that account for thecapability of a water-based attack, asdiscussed under Factor 2. Thesecapabilities were included based onconclusions drawn from the NRC'scontinuing review of intelligenceinformation and liaison with Federallaw enforcement, intelligencecommunity, and homeland security

MAY-11-2007 17:24 P. 09/26

Federal Register/Vol. 72, No. 52 /Monday. March 19, 2007 /Rules and Regulations 12711

agencies. Sections 73.1(a)(2Ii•}E) and73.1(a)(2)(i)(E) add the capability to usewater-based vehicles for transportingpersonnel and equipment to theproximity of vital areas. Sections73.1(a)(1)(iv) and 73.1[a)(2)Xiv) add anew provision for a waterborne vehiclebomb assault. The NRC has concludedthat defense against these new DBTprovisions will provide a high-assurance of protection against thewaterborne threat.

Public Comment: Approximately 820comments indicated that the"beamihenges" concept or similar barriermethod of protection should beconsidered for protection againstairborne attacks, As genericallydescribed by the commentaers, a"beamhenge" shield is constructed outof an interlocking series of steel I-beamsand cables that would be built atsufficient stand-off distances fromsafery-related buildings at nuclearpower plants to protect against anaircraft attack. Comments also indicatedthat a "no-fly" zone should be imposedaround nuclear power plants and thatground based-air defense systemsshould be deployed to protect each site.

Further, multiple commentarsexpressed concerns regarding thevulnerabilities of nuclear power plantsand other licensed facilities to terroristwaterborne attacks. Commenterssuggested that the revised DBTs shouldrequire nuclear powerplants and otherlicensed facilities situated on navigablewaterways to be equipped with visible,engineered physical barriers.

Response to Public Comment: TheCommission has spent considerabletime and resources considering thethreat of Airborne and waterborneattacks on nuclear facilities. Based onthese considerations, tlle NRC haschosen a two-trnck approach to respondto these threats ini order to assureadequate protection. First, the NRC hasdetermined that active protectionagainst the airborne threat rests withother organizations of the Federalgovernment, such as NORTHCOM andNORAD, TSA, and FAA. The NRC willcontinue to test these relationshipsthrough exorcises. Second, licenseeshave been directed to implement certainmitigati ve measures to limit the effectsof an aircraft strike. To the extent thatcomrnmenters have suggested theimposition of specific physical securitymeasures such as the "beamhenges"concept, the NRC has considered on theissue, but has rejected the conceptbecause it believes that the mitigationmeasures In place are sufficient toensure adequate protection of the publichealth and safety.

With respect to the waterborne attackthreat, the DBT rule has been revised toreflect two new water-basedcapabilities. However, requirements ofphysical barriers for the protection ofthe nuclear power plants and otherlicensed facilities under waterborneattack are not in the scope of DBT rule.Requirements for physical barriers areaddressed in a separate rulemaking toamend 10 CFR 73.55; The securityrequirements in the proposedrulemaking that would amend 10 CFR73.55 (71 FR 62684; October 28, 20o6)address protective strategies andsecurity measures for nuclear powerplants and other licensed facilitiesunder waterborne attacks, and requirelicensees to defend against the DBTs. In

e NRarPosition: Agrees with thewaterborne comment. Disagrees with"no-fly" zones and "beamuhongos"concept comments,

* Action: No action required.Factor 7. The Potential Use of ExplosiveDevices of Considerable Size and OtherModern Weaponry

The Commission's Consideration: Aspart of its consideration of Factor 2, theCommission assessed the potential useof explosive devices of considerable sizeand other modem weaponry. TheCommission notes that the DBTs havebeen revised to specifically reflect thesetwo considerations, First,§$ 73.2(a)(1)(i)(C) and 73.1(a)[2)i)(C)were amended to revise the phrase "upto and Including" to simply "including"to increase the flexibility in defining theavailable range of weapons. Second, thevehicle bomb threat has been expandedto include waterborne vehicles. Thisfactor has been further articulated inFactor 2.

Public Comment: Refer to Factor 2.Response to Comment: Refer to Factor

2.In summary:a NRC Position: Agrees with dte

com-menet.@ Action: No action required,

Factor 8. The Potential for Attacks byPersons With a SophisticatedKnowledge of Facility Operations

The Commission's Consideration: Asnoted above under the discussion ofFactor 4, §§ 73.1(a)(1)(i)(A) and73. 1(a)(2)(i)(A) added languageindicating that the adversaries have"sufficient knowledge to identifyspecific equipment or locationsnecessary for a successful attack."

Public Comment: No public commentreceived.

Response to Comment: No responserequired.

Factor 9. The Potential for Fires,Especially Fires of Long Duration

The Commission's Consideration: TheDBTs describe specific adversarycharacteristics against which licenseesmust be prepared to defend. Fires, incontrast, are not adversarycharacteristics, but result from aparticular adversary attack.Nevert.heless, the NRC considered Iirouresulting from several possible initiatingevents, both accidental and malicious innature, The NRC conductedvulnerability assessments for someoperating nuclear power plants in the

g970s.and 2980s to establish thetechnical basis for securityrequirements. The NRC also routinelyevaluated the potential impacts ofterrorist attacks on power reactors aspart of the FOP exercise program on aplant-by-plant basis. After the terroristattacks on September 11, 2001, the NRCpromptly assessed the potential for andconsequences of terrorlsts tage ti ag anuclear power plant, including its spentfuel storage facilities, for an aircraftattack, the physical effects of such astrike, and how compounding factors(e.g.. fires, meteorology, etc.) wouldaffect the impact of potential radioactivereleases. As part of a comprehensiveassessment, the NRC conducted detailedsite-specific engineering studies of alimited number of nuclear power plantsto assess potential vulnerabilities ofdeliberate attacks involving a largecommercial aircraft. AdditionalCommission considerations areprovided under the discussion of Factor6. A summary of the assessment studyis available in A publicly availabledocument.

Public Comment: One commenterstated that the proposed rule did notconsider the potential for fires,especially fires of long duration andthus asserts that the proposed rule doesnot comply with the Congressionaldirective because it fails to mention thefire threat.

Response to Public Comment: TheNRC disagrees with the statementsubmitted by the cormnenter. As statedabove, the NRC considered fire to be aresult of several possible threats.Adversary forces, bombs, and explosivescan all result in fires, and potentials forfires have been considered during diuDBT rulemaking process. The followingis provided as background informationrelated to this comment.

As part of a larger NRC effort toenhance the safety and security of theNation's nuclear powar plants, anilitiative was undertaken as part of aFebruary 2002 NRC Order. h oorderrequired licensees to look at what might

MAY-11-2007 17:25P P. 10/26

12712 Federal Register/Vol. 72, No. 52/Monday, March 19, 2007 /Rules and Regulations

happen if a nuclear power plant lostlarge areas due to explosions or fires.The licensees then were required toidentify and later implement strategiesthat would maintain or restore coolingfor the reactor core, containmentbuilding, and spent fuel pool. Therequirements listed in Section B.5.b ofthis order directed licensees to identify"nmitigative strategies" (meaning themeasures licensees could take to reducethe potential consequences of a largefire or explosion) that could beimplemented with resources alreadyexisting or "readily available." The NRChold inspections in 2003 and 2=03 toidentify if licensees had implementedthe required mitigative strategies.

These inspections, as wall asadditional studies, showed significantdifferences in the strategiesimplemented by the plants. As a result.the NRC developed additionalmitigative strategy uidance. Theguidance was based on "lessonslearned" from NRC engineering studiesand included a list of ' best practices"for mitigating losses of large areas of theplant. Each plant was requested toconsider implementation of applicableadditional strategies by August 31, 2005.The NRC inspected each plant in 2005to review their implementation of anyadditional mitigative measures. TheNRC is continuing to ensure licenseesappropriately implement thesemeasures.

Finally, aircraft attack, another threatlikely to result in firs was alsoconsidered and studies analyzing theconsequences of successful commercialairline attacks were performed. Inconducting these studies, the NRC drewon national experts from several DOElaboratories using state-of-the-artstructural and fire analyses. The NRCalso enhanced its ability to realisticallypredict accident progression andradiological release consequences. Forthe facilities analyzed, the studies foundthat the likelihood of both damaging thereactor core and releasing radioactivitythat could affect public health andsafety Is low. Even in the unlikely eventof a radiological release due to terroristuse of a large aircraft, there would betime to implement mitigating actionsand off-site emergency plans such thatthe NRC's emergency planning basisremains valid (71 FR 36554: June 27,2006). Additional site-specific studies ofoperating nuclear power plants areunderway or being planned todetermine the need, if any, foradditional mitigating capability on asite-specific basis. In summary, the NRCconsidered the potential for fires duringthe DBT rulemaking process, as requiredby the EIAct.

9 NRC position: Disagrees with thecomment.

9 Action: No action required.Factor 10, The Potential for Attacks onSpent Fuel Shipments by MultipleCoordinated Teams of a Large Numberof Individuals

The Commission's Consideration: Asstated in response to Factor 3, theCommission considered the potentialfor attacks on nuclear facilities bymultiple coordinated groups of a largenumber of individuals. The number ofattackers and the tactics used by thoseattackers is now and has always been acore consideration of the DBTs. Inaddition, the Commission hasconsidered the potential for attacks onspent fuel shipments and issued anorder, requiring specific protectivemeasures. The Commission is planminugto propose a rule on spent fuelshipmeants in the near future.

Public Comment; No public commentreceived.

Response to Public Comment: Noresponse required.Factor ii. The Adequacy of Planning ToProtect the Public Health and Safety atand Around Nuclear Facilities, asAppropriate, in the Event of a TerroristAttack Against a Nuclear Facility

The Com mission's Consideration: TheDBT rule does not include requirementsimposing specific emergency planningconsiderations. Nevertheless, theCommission considered theimplications of security-relatedincidents on emergency planning. Aspart of those efforts. following theterrorist attacks of September 11, 2001.the NRC evaluated the emergencypreparedness (EP:) planning basis enddtermirned that the planning basis fornuclear power reactors remains valid.Further, the NRC issued ordersrequiring compensatory measures fornuclear security and safety, andobserved licensee performance duringsecurity-based EP drills and exercisesand security FOF exercise evaluations.Also, the NRC reviewed current publicradiological protective action guidance,and discussed security-based EP issueswith various stakeholders, includinglicensees and Federal, State and localgovernment officials. Based on theinformation obtained from the reviewsand evaluations, the NRC determinedthat EP of nuclear power plants could beenhanced. The Commission approvedthe communication of enhancements toEl and response actions for security-based events to power reactor licensees.NRC Bulletin 2005-02, "EmergencyPreparedness and Response Actions forSecurity-Based Events, dated July 18,

2005. communicated enhancements Inthe followiing areas:

• Securlty-based emergencyclassification levels and emergencyaction levels;

* A 15 minute .rompt notification tothe NRC for security-based events:

* On-site protective actions tomaximize personnel safety duringsecarity-based events;

* Enhanced emergency responseorganization augmentation: and

• Development of a security-basedemergency drill and exercise program.

As of February 18. 2006. all powerreactor licensees have implemented theenhancements to their EP programs withthe exception of the drill and exerciseprogram. A majority of nuclear powerplant licensees indicated that adoptionof the security-based EP drill andexercise program is contingent on NRCand the Department of HomelandSecurity (DHS) endorsement. The NRCcontinues to work with OHS and theNuclear Energy Institute to develop andimplement a security-based drill andexercise program at power reactorlicensees. This program is beingconducted in a phased approach.Tabletop drills at four power reactorsites and a facility drill were conductedsuccessfully. and areas for improvententwere identified and incorporated by theindustry into draft guidelines. Over thenext three years, the industry plans toconduct security-based EP drills at eachpower reactor licensee with an end stateof the integration of security-based EPscenarios into the biennial EP exerciseprogram.

In addition to those security-relatedemergency planning efforts, the NRCand DHS worked together to developand improve EP for a terrorist attackthrough foderal initiatives such ascomprehensive review programs aadIntegrated response planning efforts.The NRC and DHS have enhanced dtecoordination of integrated EP programsthrough evaluations of licensee andStatellocal/tribal response capabilities,and reviews of critical infrastructurepreparedness and response plans forcommercial nuclear power plants. Ourcombined efforts have resulted inspecific enhancements to security-related EP measures, and continuedimprovement in capabilities forlicensees and off-site responseorganizations to respond to a widespectrum of events,

Public Comment: No public communtreceived.

Response to Public. Comment; No* response required.

MAY-11-2007 17:26 P. 11/26

Federal Register/Vol. 72, No. 52/Monday. March 19, 2007/Rules and Regulations 12713

Factor 12, The Potential for Theft orDiversion of Nuclear Material FromSuch Facilities

The Commission's Consideration: TheDST rule includes two separatecomponents, the DBT of radiologicalsabotage, and the DBT of theft ordiversion of formula quantities ofspecial nuclear materials. Although theleoal requirements of the radiologicalsabotage DBT and the theft or diversionDBT, as embodied in the rule text of§§ 73.1(e)(1) and in 73.1(a8[2).respectively, are the same, the ACDsand RGs differ in describing how powerreactor and Category I fuel cycle facilitylicensees should implement and complywith the separate rules, Thesedifferences are classified and are notelaborated on here.

As stated in 10 CFR 73.55(a), powerreactor licensees are only required toprotect against the threat of radiologicalsabotage. Spent fuel is not an attractivetheft or diversion target due to its largephysical size and high thermal heat andradioactivity (most power reactor spentfuel Is considered "self-protecting"]. Asstated in the response to Group IIlComments No. 15 (Security of Dry CaskStorage] and 19 (Security of Spent FuelPools). the NRC has required thatlicensees take additional security andmitigating measures against aradioactive release of spent fuel.

The NRC has authonzed the DukeEnergy Corporation, owner and operatorof the Catawba plant, to irradiate fourfuel assemblies of Mixed-Oxide (MOX)fuel at the Catawba plant on a test basisas part of its license amendment issuedon March 3. 2005, MOX fuel technicallymeets the criteria of a formula quantityof Strategic Special Nuclear Material, inthis case plutonium, and would besubject to the DBT provisions of§ 73.1(a)(2) for theft or diversion.However, the NRC staff found that MOXfuel is not attractive to potentialadversaries from a theft and diversionstandpoint at the reactor site due to itslow plutonium concentration,composition, end form (size andweight). The MOX fuel consists ofplutonium oxide particles dispersed ina ceramic matrix of depleted uraniumoxide with a plutonium concentration ofless than six weight percent. The MOXFuel assemblies are the same form asconventional fuel assemblies designedfor a commercial light-water powerreactor and are over 12 feet long andweigh approximately 1,500 pounds. Alarge quantity of MDX fuel and anelaborate extraction process would herequired to yield enough material foruse in an improvised nuclear device orweapon. On the "attractiveness" bases,

the NRC staff found-that the completeapplication of 10 CFR 73.45(d)(1)(iv),73.46 (C)(I), 73.46(hli(3). 73.46(b)(3)-(b)(12), 73.46(d)(9), and 73.46(e)(3) forMOX fuel was not necessary. The stafftherefore approved the exemptionsrequested to these regulations, findingthat they were authorized by law, andwill not endanger life or property or thecommon defense and security, and thatare otherwise In the public interest. TheCommission later approved thisdetermination in an adjudicatory orderissued on June 20, 2005. Duke EnergyCorporation (Catawba Nuclear Station,Units I and 2), CLI-05-014, 61 NRC359,3g3 (2005).

Furthermore, transportation of theMOX fuel assemblies to Catawba will bedone by the Department of Energy's(DOE's) Office of Secure Transportation,that has legal responsibility for the MOXfuel assemblies until custody istransferred to the licensee. Afterwards,the spent MOX fuel is cooled and storedlike other spent fuel on site and issubject to the radiological sabotage DBTwhile stored in the spent fuel poolinside the P•rotected Area of the plant.

Public Comment: No public commentreceived.

Response to Public Comment: Noresponse required.

Section 8

Group I. In Scope Comments1. Defining the "Design Basis Threat"

Public Comment: Multiplecommentators expressed concern thatthe NRC has not publicly defined orexplained the "design basis threat."Specifically, commenters were unclearwhat the Commission means by thestatement that the DBTS are based on a"determination as to the attacks againstwhich a private security force canreasonably be expected to defend."These commenters suggested that theCommissions's failure to articulate theDBT concept creates an ambiguity inestablishing the division ofresponsibility between NRC licenseesand the DOD, or DHS. Severalcommenters suggested that if the NRCdoes not require plants to defend againstair attack because It is unreasonable fora private security force to be able to doso, then it has no choice but tofederalize security by requesting thatDHS or the military assume fullresponsibility for the protection ofnuclear power facilities.

Other commentero suggested that theNRC's rationale for limiting thecharacteristics of the DBTs to the attacksagainst which a private security forcecould reasonably be expected to defendappears to be based on cost

considerations, which is not permittedfor measures that are necessary for theprotection of public safety.

Other commenters representing thenuclear industry, while agreeing that theDBT scape must be clear, asserted thatthe D1T can not be greater than thelargest threats against which privatesector facilities can reasonably berequested to defend themselves, andthreats beyond the DBT are reasonablythe responsibility of the nationaldefense system.

Response to Public Comment: TheCommission has determined that theDBTs, as articulated In the rule, arebased on adversary characteristicsagainst which a private security forcecan reasonably be expected to defend.This formulation provides theCommission with the flexibilitynecessary to make reasoned, well.informed decisions regarding the DBTs,In contrast, detailed, prescriptivecriteria would be unduly restrictive, andwould unnecessarily limit theCommission's judgment. This judgmentis guided by the Conunisslon'sconsiderable expertise in nuclearsecurity matters, developed over thecourse of 30 years of experienceregulating the physical protection ofnuclear facilities.

With regard to the federalization ofnuclear plants security forces, theCommission does not have the authorityto federalize nuclear security forces andcannot demand deploymdnt of militaryforces to protect nuclear facilities. NorhasCongress chosen to require thesemeasures. As it has stated publiclymany times, the Commission isconfident that neither measure isnecessary or even prudent. A primaryreason for this is that the introductionof a federalized nuclear security force ormilitary unit to provide day-to-daysecurity would create command andcontrol issues for plant managementbecause it would essentially establishtwo classes of employees at conunercirlnuclear facilities, both of whom wouldbe responsible for reactor safety in theevent of a terrorist attack This couldresult in a reduction in the licensee'sability to ensure reactor safety. Incontrast, the continued use of privatenuclear security officers responsible tothe licensee maintains a unitarycommand structure focused on a unitaryobjective, The tightly-regulated privatenuclear security forces In use today arewell trained on the unique securityconsiderations specific to nuclear powerfacilities and through rigorous FOPtraining have proven themselves to beeffective and reliable, These conclusionswere also documented when theCommission originally studied the issue

MRY-11-200? 17:26 P. 12/26

12714 Federal Register/Vol. 72, No. 52/Monday, March 19, 2007/Rules and Regulations

in 1976 in a report to Congress titled the"Security Agency Study."

The DBT rule is also guided by theCommission's knowledge that, inaddition to being among the most robustindustrial facilities in the world, nuclearpower plants are arguably the mostphysically secured industrial facilities.No other civilian industry security forceis subject to as much regulatoryoversight as the nuclear industry.However, the Commissionacknowledges that the use of privatesecurity forces to defend nuclear powerfacilities faces limitations. For instance,there are legal limitations on the typesof weapons and tactics available toprivate security forces. Generally,nuclear security officers have accessonly to weapons that are available tocivilians, Although authority recentlygranted the Commission under theEPAct of 2005 will allow theCommission to authorize the use ofmore sophisticated weaponry. the mostpowerful weapons and defensivesystems will remain reserved for useonly by the military and law

* enforcement. Thus, it would beunreasonable to establish a DBT thatcould only be defended against withweapons unavailable to private securityforces. In addition, the Commissionpreviously decided not to requirelicensees to defend against attacks by"Enemies of the State" so defined by 10CFR 50,13.

However, these limitations onweapons and defensive systemsavailable to private security forces donot undermine the Commission'sconfidence in those forces to provideadequate protection, The defense of ournation's critical infrastructure is ashared responsibility between the NRC,the DOD, the DHS, Federal and Statelaw enforcement, and other Federalagencies. A reasonable approach indetermining the threat requires makingcertain assumptions about these sharedresponsibilities. Although licensees arenot required to develop protectivestrategies to defend against beyond-DBTevents, it should not be concluded thatlicensees can provide no defense againstthose threats.

The Commission's regulations at 10CFR 73.55(a) require power reactorlicensees' security programs to provide"high assurance that activities involvingspecial nuclear material are not inimicalto the common defense and security anddo not constitute an unreasonable riskto the public health and safety." Withinthis requirement is the expectation that,if confronted by an adversary beyond Itsmaximumn legal capabilities, on-sitesecurity would continue to respondwith a graded reduction in effectiveness.

The Commission Is confident that alicensee's security force would respondto any threat no matter the size orcapabilities that may present itself. TheCommission expects that licensees andState and Federal authorities will usewhatever resources ar necessary inresponse to both DBT and beyond-DBTeventS.

Several commenters felt that the DBTrule should define clearly demarcatedboundaries where the responsibilities ofthe licensee end and those of theGovernment begin for defending nuclearfacilities. In the Commission's view,establishing set boundaries demarcatinga.divialon of responsibilities is neitherpossible nor desirable. The betterapproach is for the Commission tocontinue its efforts to encouragelicensees and Government organizationsto integrate and complement theirrespective security and Incident-response duties so that facilities subjectto the DETs have the benefit of allavailable incident-response resourcesduring the widest possible range ofsecurity events. Currently, theseintegrated response planning effortsinclude prearranged plans with locallaw enforcement and emergencyplanning coordination. Licensees alsomust comply with event reportingrequirements to the NRC so that aFederal response is readily available, ifnecessary.

However, the DBTs are not defined bycost considerations, as suggested byseveral commenters. The rule text setforth at § 73.1 represents the largestadversary against which theCommission believes private securityforces can reasonably be expected todefend. Thus, when dte DBT rule isused by licensees to design their sitespecific protective strategies. theCommission is thereby provided withreasonable assurance that the publichealth and safety and common defenseand security are adequately protected.The Commission agrees with thecommenters that it may not legallyconsider economic factors indetermining the level of adequateprotection of public health and safetyand common defense end security(Union of Concerned Scientists v. NRC,824 F,2d 108, 117128 (D.C. Cir. 2087)).and it did not do so in deciding whatlevel of protection it considers to beadequate in this rulemaking, Rather, asthe Commission has clearly set forthabove, the requirements in the DBT ruleare determined by the Commission'sconsideration of the staff's threatassessments based on coordination withlaw enforcement, intelligence, andhomeland sectrity agencies, theCommission's considerable experience

in these matters, and the legal.limitations on security forces availableto licensees. In contrast, theCommission's determination of specificaspects of implementation of andcompliance with the DBT rule, asdescribed in the ACDs and regulatoryguidance, may involve consideration,along with other factors, of the relativecosts of various methods ofimplementing particular requirementsof the DBTs. In summary:•a •NRC position: Disagrees with the

comments.- Action: No action required.

2. Applicability of the Enomy of theState Rule

Public Comment: Several conimontersalso suggested that the proposed ruledoes not clearly distinguish between athreat posed by an "enemy of the state"excluded by 10 CFR 50.13, and threatscovered by the DBTS. They assorted thatthe phrase "enemy of the state" isambiguous and can no longer be reliedon to preclude the development ofdefensive measures at nuclear powerplants. Those cormuentors againexpressed concern that the division ofresponsibilities between the licenseesand the national defense system areambiguous.

Other commenters argued that theCommission has failed to explain whythe DBTe exclude an "AI-Qaeda liketerrorist organization" as an "enemy ofthe state" notwithstanding theCommission's statements in the vehiclebomb rulemaking, that described thecharacteristics of an "enemy of thestate," that seemingly would haveincluded organization like an AI-Qaeda.

Commenters representing industrystated that licensees are not and shouldnot be required to defend against threatsposed by enemies of the United States.They argued that the DBTs represent thelargest threat against which a privatesecurity force can reasonably beexpected to defend, and that anyescalation of this adversary would heinconsistent with 1o CR 50.23. Thesethreats are properly the responsibility ofthe national defense establishment andother security agencies.

fivaponso to Public Comment: Theenemy of the state rule, 10 CFR 50.13,was promulgated in 1967 amid concernsthat Cuba might lawich attacks againstnuclear power plants in Florida, Thatrule (32 FR 13455; September 26, 1067)was primarily intended to make clearthat privately-owned nuclear facilitieswere not responsible for defendingagainst attacks that typically could onlybe carried out by foreign militaryorganizations. By contrast, the DBT ruledoes not focus on the identity,

MAY-11-2007 17:27 P. 13/26

Federal Register/Vol. 72, No. 52 /Monday, March 19, 2007/Rules and Regulations 12715

sponsorship, or nationality of theadversaries. Instead, it affirmativelydefines a range of attacks andcapabilitles against which nuclearpower plants and Category I fuel cyclefacilities must be prepared to defend.An adversary force that falls outside ofLhe range of attacks against whichnuclear facilities are reasonablyexpected to defend is considered to be"beyond-DBT," regardless of whether itwould or would not be deemed an"enemy of the state." The Commissiondisagrees that any extension of the DBTsautomatically conflicts with 10 CPR5o.13. The Commission may revise theDBTs in response to changes In thethreat environment without necessarilyimplicating 10 CFR 50.13. To be clear,"beyond-DBT" and "enemy of the state"are not equivalent concepts. In addition,improved response capabilities maybecome available to private securityforces in the future. In that case,potential increases to the DBTs may be"reasonable to expect a private force toprotect against" without coming intoconflict with "enemy of the state." In

Nrc position- Disagrees with the

commnont.a Action: No action required.

3. Compliance With AdministrativeProcedure Act (APA) Notice andComment Requirements

Public Comment: Multiplecommenters stated that sharing theACDs with an exclusive group of partiesconstitutes a violation of the APAbecause the technical basis for theproposed rule is contained in thosedocuments. Those commenters statedthat the NRC should disclose the generaland legal principles discussed in theexchange of the documents withoutreleasing Safeguards Information.Another commenter expressed concernthat the DBT rule is based on ex partecommunications received from thenuclear industry after sharing thecontents of the proposed rule only withcertain parties. Also, because thegeneral public has no idea what generallegal or technical principles werediscussed in these privatecommunications, it could notintelligently comment on the proposedrule.

Other commenters charged that theDBT rulemaking is simply codifyingsecret orders to avoid public scrutiny.Thus, they suggest that because theproposed rule did not contain specificsof the DBTs, the NRC Is free to changethe specific requirements without noticeto the public, effectively conducting asecret rulemaking in violation of theAPA.

Industry commenters suggested thatthe ACDs and RGs should beincorporated by reference into the DBTrule to ensure adequate stakeholderparticipation In changes to the specificdetails of the DBTs. Otherwise, thesecommenters argue that the use of the.ACDs and RGs bap the potential forcircumventing the APA and PaperworkReduction Act.

Response to Public Comment: TheCommission is confident that therulemaking process for the DBT rulecomplies with the APA. As set forth inthe statements of consideration to theproposed rule (70 FR 67380, 87382:November 7, 2005). the Commission hascarefully balanced the public interest inknowing the security considerations forthe protection of special nuclearmaterial end the need for meaningfulcomment with security interests relatedto the disclosure of specific details ofDBT adversaries. The result is a DBTrule that defines in reasonable detail arange of attacks against which licenseesare required to defend. The DBT rulecontains all of the requirements withwhich licensees must legally comply.No additional information wasnecessary to understand or to commenton the proposed DBT rule.

The ACDs and RGs are guidancedocuments containing SGI andclassified information, and describehow licensees can comply with theregulations. The ACDs and RGs are notregulations, and are not legallyenforceable. The APA permits agenciesto develop guidance documents like theACDs and RGs without followingnotice-and-comment rulemakingrequirements (5 U.S.C. 553(b)(3)(Afl.Changing the guidance in the ACIDs orRGs based on changes to the threatenvironment would not change therequirements of the rule.

The text of the proposed ruleprovided ample information to enablemeaningful comment on what thecurrent level of protection for nuclearpower plants and Category I fuel cyclefacilities should entail. Members of thepublic can and have provided theCommission their views in thisrulemaking on the number of attackers.amounts of explosives, and types ofweapons that licensees should berequired to defend against, even withouthaving access to classified informationor SGI. Therefore, access to the ACDsand the RGs was not necessary to enablemeaningful public comment on theproposed DBT rule.

One commenter suggested that it wasimproper for the Commission to sharethe draft ACDs and RGs with membersof the nuclear industry but not membersof the general public. The NRC shared

the draft AC0s and RGswith licenseesat the request of NEI before expirationof the initial comment period becauseNEL, in its capacity as the representativeof the nuclear industry, had theappropriate clearance and a specificneed to know the information in orderto assist licensees in planning anddesigning protective strategies capableof defending against the DBTs. The NRCalso shared those documents with theStates of New Jersey and Illinois thathad established a need to know andobtained appropriate clearance. OtherNRC stakeholders do not necessarilyshare this need to know, and therefore,have not been granted access to theclassified and SGI ACDs and RCs.

The NRC did not provide the draftACDs and RGs to enable industrycomments on the rule, nor has theCommission received or considerednon-public comments on the rule. TheCommission reiterates that no SGl orclassified information was necessary toenable public comment, nor were anynon-public comments received orconsidered over the course of thisrulemaking. All of the commentsreceived and considered in thisrulemaking have been made publiclyavailable.• Finally, the Commission disagreesthat the ACDs and RGs should beincorporatedby reference in the text ofthe final rule. As explained above, theACDs and RGs are guidance documents.The logally-binding requirements arecontained in the text of the rule.Incorporating these documents byreference would not only beinconsistent with that approach. butwould potentially subject thesedocuments to public disclosure basedon the requirements of Section 552 ofthe APA, and the Office of the FederalRegister regulations, In summary:

a NRC position: Disagrees with thecomments.

* Action: No action required.4. Ambiguous Rule Text

Public Comment: Several commentersstated that the continued use of thephrase "one or more teams" in the ruleignores the Inherent ambiguity or thistype of construction, as identified in theAtomic Safety and Licensing Board's2005 decision in the Catawba licensingproceedings. See Duke EnergyCorporation (Catawba Nuclear Station,Units i and zA, LBP-Os-io, a6 NRC 241,297 (2005). The commentors argued thatthis construction i.e. use of theconjunction "or") permits licensees TO

select from one of two options (i.e.either one team or more teams), andthus permits licensees to develop theirprotective stratagy ignoring the

A¥Y-11-2007 17:28 P. 14/26

12716 Federal Register/Vol. 72, No. 52/Monday, March 19, 2007/Rules and Reglations

possibility of three teams or more. Thecommenters therefore suggested that therule be revised to eliminate use of thisambiguous construction. Onecommenter suggested rule text that reed"-capable of operating in multiple teams,up to the maximum number of teamsthat can be formed from the adversaryforce, where a team has no fewer thantwo members."

Response to Public Comment; Thoughthe Commission does not necessarilyagree that the phrase "capable ofoperating as one or more teons" isambiguous, In the final rule, it hasnevertheless modified this language tobe clear that licensees are required todefend against multiple modes of attack,including both a single group as well asmultiple groups. Notably, the priorradiological sabotage DST rule did notcontain language rn.uairing licensees todefend against multiple groups ofadversanes, as specified in the theft ordiversion DBT. The final rule adds arequirement to the radiological sabotageDBT that licensees protect against maadversary "capable of operating in eachof the following modes: a single groupattacking through one entry point,multiple groups anacking throughmultiple entry points, a combination ofone or more groups and one or moreindividuals attacking through multipleentry pointsor individuals attackingthrough separate entry points," and thetheft or diversion DBT has been revisedfor consistency. The rule thereforerequires that licensees evaluate a widerange of possible attack scenarios whendeveloping their protective strategies.Under the final rule, licensees must beable to defend against an attack frommultiple entry points by a number ofgroups and/or individuals. Neither aprotective strategy that is only capableof defending against a single group norone that is only capable of defendingagainst a number of smaller groupswould moet the requirements of therule. The revision of this language doesnot, however, change the scope of thisprovision as originally intended by theCommission in the proposed rule. Thepurpose of the change Is merely toprovide the clearest possiblearticulation of the rule's requirements,In summary:

a NRC position: Disagrees with thecomments,

* Action: No action required.

5. Differentiation in Treatment ofGeneral and Specific Licenses for ISFSI

Publio Comment: One cornmenterstated that the NRC did not provide aspecific rationale in the proposed ruleas to why a specific license ISFSI withsecurity requirements arising from the

security requirements in 10 CFR 72.1B2should be subject to a different DBTthan a general license ISFSI withsecurity requirements arising from 10CFR 72.212, especially when nearlyIdentical spent fael In Identical storagecasks is stored at these two classes oflicensees. The commenter requestedthat the NRC describe why these twotypes of ISFSIs should be treateddifferently from a DBT perspective inthe final rule, or indicate that theselicensees are subject to the samesecurity requirements.

Response to Public Comment: Theconmmenter is correct in noting thatspecifically-licensed and generally-licensed ISFSIs are treated differently inthe current regulations. For example,the current regulation In 10 CFR 73.2(a)contains an exemption for specifically-licensed ISFSIs, subject to 10 CFR72.182. However, the physicalprotection regulations for specifically-licensed ISFSbs, found at 10 CFR 72.180and 72,182, do not require protectionagainst the DBT. so it Is unnecessary toexempt specifically-licensed ISFSIsfrom the DBT regulation. By contrast,generally-licensed ISFSls are required toprotect against the DBT for radiologicalsabotage by 10 CFR 72.212(b)(5), but bythe saone regulation, are excepted fromceartain specific requirements containedin the DBT. Ultimately, thesediscrepancies have no effect on thesecurity of the facilities because bothgenerally-licensed and specifically-licensed ISFSIe have equivalentprotective measures In place, includingthose imposed by the October 2002Order. The intent of this rulemakingwas to update the DBTs applicable topower reactors and Category I fuel cycleacilities. Conforming changes were

made to preserve the existing regulatorystructure for other licensees. However,the NRC is currently considering futurerulemakings to align the generally.licensed and specifically-licensed ISFSIrequirements and to evaluate theapplication of the DBT. In summary:

s NRC position: Agrees with thecomments.

6 Action: No action required as partof this rulemaking.

6. Applicability of the RadiologicalSabotage DBT to New Nuclear PowerPlants

Public Comments: Two commentersstated that the DBT for new nuclearpower plants should be the same as foroperating nuclear power plants. Onecommenter specifically stated that theproposed r"ie did not justify theadoption of different DBTs for newnuclear power plant. The commesiterbelieves that the NRC has already set the

DBTs at the level of the largest threatagainst which a private guard force cartreasonably be expected to defend.Therefore, there Is no reason to have adifferent set of DBTs for new nuclearpower plants. The conrarnnter expresseda concern that different DBTs [or nuwplants could result in two different setsof DBTs for the same nuclear powerplant site with a currently operatingnuclear power plent.

Response to Public Comment: TheNRC agrees with the commenters thatthe radiological sabotage DST should beuniformly applicable to new andcurrently operating nuclear powerplanti, In fict, the NRC did not proposedifferent radiological sabotage DBTs fornew nuclear power plants in theproposed rule. As stated by theCommission in the staff requirementsmemorandum on SECY-05-120,"Security Design Expectations for NewReactor Licensing Activities," theexpectation is that new reactors will bedesigned and constructed to beinherently more secure with lessreliance on other elements of atraditional security program. To assessthe security of new reactors, the NRC isdeveloping proposed requirements fornew reactor licensees to submit securityassessments as part of their licenseapplication package, In summary:

e NRC position: Agrees with thecomments.

- Action: No action required as pertofi this rulmnaking.

7. Consideration of the Uniqueness ofEach Facility in Application of the DBTo

Public Comment: One commenterstated that each nuclear facility isunique due to its location andsurrounding population, and therefore.the DBT for each facility must have itsown specific requirements. The DBTcannot be a one-size fits all program.

Response to Public Con ment: TheDBT rule specifies threat characteristics,and does not specify or includerequirements ?or any specific programs.Site-specific security requirements areembodied in site security plans andsecurity measures. The NRC does notagree with the statement submitted bythe comnmenter that each facility moswthave its own specific requirements. Site-specific requirements are taken intoaccount by licensees duringdevelopment of their physical securityplans. The NRC considers the site-specific requirements when It reviewsand approves the plans, and tests theadequacy of the site-specificrequirements when it conducts FOFexercises at nuclear power plants.

It should be noted that the DBTs arecomprised of attributes selected from

SMAY-11-2007 17:29 P. 15/26

Federal Register/Vol. 72, No. 52/Monday, March 19, 2007/Rules and Regulations 12717

the overall threat environment, Thetechnical bases for the DBTs are basedon the NRC's periodic threatassessments performed in conjunctionwith the Federal intelligence and lawenforcement communities foridentification of changes in the threatenvironment. The assessments containclassified and SGI that cannot bepublicly disclosed. The NRC believesthat the DSTs should be uniformlyapphlcable to all comparable nuclearfacilities and will continue to ensureadequate protection of public health endsafety rndthe common defense andsecurity by requiring the secure use andmanagement of radioactive materials. In

e NRposition: Disagrees with the

Comments.9 Action: No action required,

8. Continued Exemption of Researchand Test Reactors From the DBTRequirements

Public Comment: Two commnenatersstated that research reactors possessingCategory I quantities of highly-enricbeduranium ({EU) must provide protectionagainst theft at the same level as anyother Category I facility.

Response ro Public Comment: TheNRC disagrees with this comment TheNRC has made a policy decision thatResearch end Test Reactors (RTRs] whopossess Category 1 quantities of SpecialNuclear Material protect this material asspecified in the physical protectionrequirements for non-power reactor fuelin 10 CFR 73.60(a) through (e) and73.67. These regulations do not requirelicensees to protect against either theradiological sabotage or the theft ordiversion DBT. Under 10 CFR 73.60,non-power reactor licensees whopoasess or use 5 kilograms or greater ofHEU are exempt from the requirementsin 10 CFR 73.60(a) through (e) If theHEU is not readily separable and has atotal external radiation dose rate inexcess of 100 rems per hour at adistance of 3 feet from any accessiblesurihce without intervening shielding.

It should also be noted that mostRTRs possess lnimted quantities ofnuclear material on-site, and that thenature and form of this material is noteasily dispersed or handled. As a result,the NRC has determined that RTRs posea relatively low risk to public health andsafety from potential radiation exposureand has tailored the securityrequirements mad oversight for thesefacilities consistent with their relativelylow risk.

The NRC requires that RTR licenseeshave security plans and/or proceduresthat reflect a graded approach whichconsiders the attractiveness of the

reactor fuel as a target, and the risk ofradiological release. RTR securityprograms and systems provide fordetection and response to unauthorizedactivities. In general. these programsinclude access control to the facilities,observation of activities within thefacilities, and alarms or other devices todetect unauthorized presence. RTRs alsohave emergency plans in place torespond to emergency situations.

Those RTRs that are still licensed touse HEU are either already scheduled toconvert to low-enriched uranimn CLEU)or intend to do so. The DOE is the leadagency for converting RTRe to LEO fuel,The NRC has been working with theDOE to facilitate this effort. In summary:

# NRC Position: Disagrees with thecomment.

9 Action: No action required.

a. Changes In NRC SecurityRequirements To Be Addressed Underthe Backfit Rule

Public Comment: One commentatorstated that the Backfit Rule requires thatthe NRC perform a backftt analysis forchanges in regulatory position. Thecommenter observed that the NRC hasdetermined that a backfit analysis is notnecessary in connection with thechanges to the DBTs because thechanges result from redefining the levelof protection that should be regarded asadequate, but that such a determinationshould be supported by a documentedevaluation and the proposed rulemakingdoes not provide such an evaluation,and each future change to the ACDa andRGs will require a separate backfitanalysis.

Response to Public Comment: TheCommission disagrees with thecomment that the proposed rulemakingdoes not provide a documentedevaluation of its decision. As stated inthe Federal Register (70 FR 67387;November 7, zoos), te NRC hasdetermined, pursuant to the exceptionin 10 CFR 50.109(a)(4)lihi) and 10 CFR70.76(a)(4)(iv), that a backfit analysis isunnecessary for this rule. Sections50,100 and 70.76(a)(4)(iv) state, inpertinent part, that a backflt analysis isnot required if the Commission findsand declares with appropriatedocumented evaluation for its findingthat a "regulatory action involvesdefining or redefining what level ofprotection to the public health andsafety or common defense and securityshould be regarded as adequate." Whenthe Commission imposed securityenhancements by order in April 2003, itdid so in response to an escalateddomestic threat level. Since that time,the Commission has continued tomonitor intelligence reports regarding

plausible threats from terroristscurrently threatening the U.S. TheCommission has also gained experiencefrom implementing the orderrequirements and reviewing revisedlicensee security plans. TheCommission has considered all of thisinformation and finds that the securityrequirements similar to those previouslyImposed by the April 29, 2003 Orders,which applied only to existinglicensees, should be made genericallyapplicable. The Commission furtherfinds that the rule redefines the securityrequirements stated in existing NRCregulations, and is necessary to ensurethat the public health and safety andcommon defense and security areadequately protected in the current,post-September 11, 2001, environment.

The Commission concurs with thecommenter's position that documentedevaluation should be performed whenthere are changes in ACDs and RGsnecessitated by changes in the threatenvironment, In summary:

* NRC position: Dlsagrees with firstelement of the comment. Concurs withthe second element of the comment.

a Action: No current action isrequired. Future changes in the ACDsand RGCs will require a documentedevaluation.1O. Compliance With the PaperworkReduction Act

Public Comment: Several commn ntersstated that the Paperwork Reduction Actis circumvented by this approach. Thecommenters assert that the proposedapproach using RGs and ACDs toestablish the details of the DBTs has thepotential for circumventing thePaperwork Reduction Act, and avoidingproper regulatory analyses and backitanalyses. The rule provides broad.requirements that lack details andprovides the NRC with significantflexibility to change the details of theDBTs, which drives the design ofprotective measures and protectivestrategies without appropriate inputfrom the affected regulated licensees.

The Paperwork Reduction ActStatement in the proposed rule (70 FR67380; November 7, 2005) states that:"This proposed rule does not containnew or amended information collectionrequirements subject to the PaperworkReduction Act of 1995." The commnunterbelieves that this statement is incorrectand underestimates the impact onlicensees due to future changes to theRG9 and ACDs. The PaperworkReduction Act Statement is flawed andshould be revised.

Response to Public Comment; ThADBT rule specifies threat characteristicsused by licensees to design their

MAY-11-2007 17:29 P. 16/26

12715i Federal Register/Vol. 72, No. 52/Monday, March 19. 2007/Rules and Regulations12718

protective strategies. The rule does notcontain prescriptive measures to beadopted by individual licensees. TheACDs and RCs include certain detailsand guidance related to such threatcharacteristics. This approach has beenadopted because the ACIN and RGscontain SGI or classified informationthet cannot be disclosed in the publicdomain and would be useful topotential adversaries. This approach isnot a circumvention of the PaperworkReduction Act, but reflects the inherentdichotomy of the DBT rulemaking intrying to reach a balance between theneeds for meaningful publicparticipation and the requirement toprotect SGI and classified information,where public disclosure of specificattributes or details of security designsor protective measures would have thepotential of Taking them ineffective.

The statement. "'his proposed ruledoes not contain new or amendedinformation collection' .Act of1995," is accurate. The final ruleconsolidates the supplementalrequirements put in place by the orderswith the previous DBT9 in § 73.1(a), anddoes not impose additional burden forthe current licensees even though therule contains a cyber threat as anadditional attribute of the threat. This isbecause the licensees subject to theDBTs were directed by the InterimCompensatory Measures (1CM) Order(EA-02-020) to consider and addresscyber safety and security vulnerabilities.In April 2003, the Orders [EA-03.-086)and (FA-03-087) that supplemented theDBT, also contained languageconcerning the cyber threat. Licenseeswere subsejuently provided with acyber security self-assessmentmethodology, the results of pilotstudies, and a guidance documentissued by the NEI to facilitatedevelopment of site cyber securityrograms. The designated licenseesave done so accordingly.The burden

for future licensees will be coveredunder 10 CFR Part 52 (3150-0151). Insummary:

* NRC Position: Disagrees with thecomment.

s Action: No action required,11, Adequacy of the Regulatory Analysis

Public Comment: A commenter statedthat the regulatory analysis Is based onan incorrect premise and should berevised. A statement in the RegulatoryAnalysis states that "Impacts upon thelicensees from this proposed rule wouldbe minimal. Because the adversarycharacteristics would remain consistentwith those promulgated by orders, notechnical changes will be required.Licensees may need to update

references in their security plandocumentation, which could beaccomplished without NRC review andin conjunction with future planupdates." One cosmmenter believes thatthis statement is incorrect andunderestimates the impact on licensees.

Response to Public Comment: TheCommission disagrees with thecommenter that the regulatory analysisis based on an incorrect premise andshould be revised. The regulatoryanalysis contained in- the proposed rulestated that, "The proposed regulatoryaction would not involve imposition ofany new requirements, and would notexpand the DBTs beyond therequirements in place under NRCregulations and orders." Consequently.the DBT amendments would not requireexisting licensees to make additionalchanges to their current NRC-approvedsecurity plans. This premise was correctthen and is correct even now because aoyber threat is explicitly included as anattribute of the final rule. Even thoughthe regulatory action involves theimposition of a cyber threat as enexplicit requirement, this does notimpose additional burden for thelicensees. This is because the licenseessubject to the DBTs were directed by theICM Order (EA-02-.026) to consider andaddress cyber safety and securityvulnerabilities, Licensees weresubsequently provided with a cybersecurity self-assessment methodology,the results of pilot studies, and aguidance document issued by the NEI tofacilitate development of site cybarsecurity programs. This additionalrequirement in the final rule does notexpand the DBTs beyond therequirements currently in place underexisting NRC regulations and orders,Consequently, DBT amendments willnot require existing licensees to makeadditional changes to their current NRC-approved security plans. However, theNRC acknowledges that any futurechanges to the threat environment mayeffect the ACDs and RCs, and couldpossibly effect the licensees' securityplans that would require either NRC'sapproval or official communicationsnoting the changes to the NRC. Thismay also impose additional burden onthe licensees. In those events, theregulatory analysis would be changedaccordingly. In summary:

m NRC Position: Disagrees with thecomment.

e Action: Regulatory Analysis to bechanged when there is change in thethreat environment In the future.

12. Compliance With the NationalEnvironmental Policy Act (NEPA)

Public Comment: Several commentersstated that the proposed rule fails tosatisfy NEPA, and the NRC mustprepare an Environmental ImpactStatement MElS) for the proposed rulebecause this Is a major federal actionsignificantly affecting the quality of thehuman environment, These commentersstated that the action is significantbecause "the NRC's limitations on thescope of adversaries against which 'aprivate security force could reasonablybo expected to defend' bears directly onthe degree to which public health andthe environment will be protectedagainst the impacts of accidents causedby terrorist attacks." Further,commenters suggested that the NEPAcommenting process would be a betterforum to disclose and discuss the policyconsiderations associated withdevelopment of the DBTs.

Response to Public Comment: TheCommission disagrees that this rulerequires the completion of an EIS, andthat the NEPA commenting processwould provide a better forum fordiscussion of sensitive security issues.The NEPA and the Commission'sregulations at 10 CFR 51.20(a)(1 onlyrequire preparation of an EIS if theproposed action is a major Federalaction significantly affecting the qualityof the human environment. The NRCprepared an environmental assessment

.EA) for the proposed rule (70 PR 67387;November 7, 2005) and found that therewould be no significant environmentalimpact associated with implementationof the proposed rule if adopted; andtherefore, concluded that no EIS wasnecessary. NEPA (40 CFR,1500.8(b))only requires that the Commissionconsider the "reasonably foreseeable"environmental effects of its actions indetermining whether an EIS isnecessary. Effects that are remote,speculative, or embody the worst-caseoutcome of aparticular action do notrequire an EIS,2 In this instance, theconsequences of a terrorist attack cannotbe said to be "an effect" of this rule, andanalyzing the effects of a terrorist attack

oTho Comminion nw8ni2as that its posltion anthe necessity of a terrorism nnalynhis , pst, or anguavronrnentai review for a spactric prripas'dfacility hn* buii csltld into quastion by a roconideeaian in tho Oth Circuit CoUtt •f Appials (SanLu'o Oblipo Ma0iisnfar Peace v. NRC, 440 ".s3dtole (9th Cit. 2006)). Howovor, the oth Cnrcultrada'tumnimation that the potential onvironmonteloffacta of a twroridt uttack ae a trostlt of thelimanrtmK of an Independent Spent Fuel Star8ooInstallation should b6 constdirtd. does tnotnucwwtly lead to the conclusion that such offectsshould be consir,•iwd as pan ofttis ruiamanklngaction.

MAY-11-2007 17:30 P. 17/26

Federal Register/Vol. 72, No. 52/Monday, March 19, 2007/Rules and Regulations 12719

would be speculative at best. NEPAdoes not require such an inquiry.• The Commission does not agree thatthe NEPA process would provide abetter forum for disclosure enddiscussion of the DBT rule than thisrulemaking action. It is not clear howpublishing an EIS for public commentwould result in the disclosure ofadditional information because NEPAdoes not provide any other mechanismhow additional information on aproposed rule could be obtained bycommenters; the APA notice andcomment process provides ampleopportunity to comment and providepertinent Information on the proposedrules. Nor does a request by a memberof the public to have access toadditional information on a particularagency action mandate that the agencyconduct a full MIS. All informationnecessary for public comment on theproposed rule has been made availableand therefore, no greater level of detailcontained in the ACDs and RCs need tobe discussed in the NEPA commentprocess. The Commission's publiccomment process in developing an EISis not a forum for sensitive securityissues. In summary:

a NRC Position: Disagrees with thecomment.

@ Action: No action required.13. Issuance of Annual Report Card anIndividual Licensees

Public Comment; One commenterstated that the NRC should publish anannual report card assessing specificplant performance to defeat attacks inongoing "table top" und mock "force-on-force" exercises.

Response to Public Comment: TheNRC partially agrees with the statementssubmitted by the commenter. Section552 of the EPAct required that theCommission submit two annual reportsto the Congress, one classified andanother unclassified, describing theresults of the Commission's force-on-force exercises and related correctiveactions. The detailed results of security-related drills and exercises are, and willremain, protected as SGl because thisinformation can provide insights topotential adversaries in planning ofattacks. The Commission recentlysubmitted the first set of these reports toCongress. The unclassified version ofthe annual report to the Congress ispublicly available, and posted on theNRC's website. Through these reports,the NRC provides information regardingthe overall security performance of thecommercial nuclear power plants tokeep Congress.and the public informedof the NRC's efforts to help protect ournation's electric power in[restructure

against terrorist attacks. In addition, theNRC recently revised its policy onpublic availability of secrlty Inspectionresults. Under the revised policy, theexistence of inspection findings for aspecific site's FOF exercises will beidentified in the publicly availablecover letter transmitting the inspectionresults to the licensee. In summary:

e NRC Position: Partially agrees withthe comment.

* Action; No action required as partof this rulemaking.

Group Mf. Out of Scope CommentsThough the following topics and

comments are pertinent to the securityissues of nuclear facilities, they are notdirectly relevant to the DBT rulemaking.The DBT rule identifies general threatcharacteristics, but does not requirespecific protective strategies andsecurity measures to defend against andthwart attacks. Accordingly, thefollowing comments are deemed outsidethe scope of this rule. However, relevantinformation is provided as backgroundmaterial to facilitate a betterunderstanding of the existing securitymeasures in place and planned for thefuture, and to answer the underlyingquestions and Issues raised in thefollowing public comments.

14. Federalization of SecurityPublic Comment: Commenters stated

that the proposed rule should indicatethat the threat of an air attack exceedsthe defensive capabilities of a plant'ssecurity forces, and that the Federalgovernment should either take over thesecurity of the plant and/or integrate theresponse from local, State, and Federalgovernment resources.

Response to Public Comment: TheCommission disagrees with thecomment. Federalization of nuclearpower plant security is outside of thescope of the proposed rule. However,the following background information isprovided for a clearer understanding ofthe issues involved and the rationale ofthe Commission's position.

The Issue of a Federal protectivesecurity force to provide protection atcommercial power reactors was initiallystudied by the NRC and documented ina report to Congress, "Security AgencyStudy." (August 1976). The study foundthat the ", * creation of a Federalguard force would not result in a higherdegree of guard force effectiveness thancan be achieved by the use of privateguards, properly trained, qualified,trained and certified by the NRC."Shortly after September 11, 2001, thisissue was again raised.. The NRCcontinues to support the concept that aprivate security guard force with special

emphasis on performance based trainingend full accountability is the best.approach to securing our nation'scommercial nuclear facilities. Thesecurity for nuclear facilities should beaddressed in ?be context of theprotection of other sensitiveinfrastructure. Society should allocateits security resources accordin to therelative risks, and, as a result, theseparation of nuclear facilities from allotder types of sensitive infrastructurewill fragment the analysisinappropriately.

Past legislation proposed tlhat the NRCestablish a security force for aensitivenuclear facilities. Current security forcesat sensitive nuclear facilities are well-trained, and have high retention rutes.This change would bring about afundamental shift in the responsibilityand mission of the NRC, diverting theagency from being an independentre guator of nuclear safety and securitytobeing a provider of nuclear security.This could create command and conraelissues because it would establish twoclasses of employees at nuclear sites:licensee staff to ensure the safe•operation of the reactors and Federalstaff to ensure security. This could leadto conflicts and confusion In emergencysituations, that could diminish nuclearsafety.

The change would serve to increasethe Federal budget needlessly.Presumably, given the enhancement inthe security threat against which theguard force would be required todefend, the NRC would be required tohire more guards than currently exists atsensitive nuclear facilities (more than7,000 new Federal workers, which ismore than twice the number or staff nowemployed by the NRC.) These nowworkers would have to undergoextensive background checks, be trainedand qualified, and be armed andequipped. The training of this forcealone would likely overload any Federallaw enforcement agency's trainingcapability. Presumably, the NRC wouldhave to assume the responsibility forestablishment of new security barriersand communications capabilities at thenuclear facilities that by itself raisescomplicated issues associated with theinterplay of security barriers and safetycons[derations, The NRC estimates thatthe additional cost to the Federalgovernment to implement these changesmay well be over $1 billion a year.

Supplementing the guard force withFederal forces inside the plant areasraises similar concerns. National Guardforces and local/State law enforcementunits have been used successfully at 4number of facilities to provideadditional security external to the plants

MAY-11-2007 17:3P P. 18/26

12720 Federal Register/Vol. 72, No. 52/Monday. March 19, 2007/Rules and RegulationsI I __ ! I

when deemed necessary, circumventingdifficult command end control issues.Such an external capability can moreeasily be -surged" when needed. Insum, the Commission does not believesuch a change is needed. In theCommission's view, the qualified,trained, and tightly regulated privateguard forces at nuclear plants shoudnor be replaced by a new Federalsecurunry:seuNR post:en: Disagrees with the

comnment.o Action: No action required.

3 5. Force-on-Force (FOF) Testing ofSecurity

Public Comment: Several commentersstated that security and FOF exercisesmust be upgraded in order todemonstrate a high degree of confidencethat site security forces are able to repelan assault like the September 12, 2001,attack. in addition, under Section651 (a)(]i)(b) of the EPAct, the NRC shallmitigate any potential conflict of .interest that could influence the resultsof a FOP exercise. In some instances, thesame contractor had supplied both thesecurity guards as well as the mockterrorists.

Response to Public Comment: TheCommission disagrees with thecomment. The requirements related toFOF testing are outside the scope of thisrule. However, the following is providedas background information pertinent tothis comment.

The NRC FOe exercise program isdesigned to provide a realisticevaluation of the proficiency of licenseesecurity forces against a threatconsistent with the supplemented DBTsreflected in the orders issued by theCommission on April 29. 2003. After theattacks of September 11, 2001, theagency has expanded and refined itsFOF program to make the exercisesmore realistic. These changes havesignificantly Increased the level ofcomplexity for each exercise in terms ofplanning, preparation, and logistical

The NRC agrees that a credible, well-trained, and consistent mock adversaryforce Is vital to the NRC's FOP program.Therefore, the NRC has worked with thenuclear industry to develop a compositeadversary force (CAF) that is trained tothe standards Issued by theCommission. The new CAF has beenused for all FOF exercises conductedafter October 2004 and represents asignificant improvement in ability,consistency, and effectiveness over theprevious adversary forces. The NRCcontinues to evaluate the CAP at eachexercise using rigorous NRCperformance standards.

The CAP is currently managed by acompany (Wackenhut) that providesmuch of the security for U.S, nuclearpower plants and is, therefore, well-versed In the security operations ofnuclear power plants. The NRCrecognizes that there may be aperception of a conflict of interest. TheNRC established a clear separation offunctions between the CAP and plantsecurity force to ensure an independent,reliable, and credible mock adversaryforce. In addition, the CAF compositionincludes security officers that are notemployed by Wackenhut and nomember of the CAF may participate inan exercise at his or her home site.

It is Important to emphasize that theNRC, not the CAP, designs, runs, andevaluates the results of the FOFexercises. Because the CAF does notestablish the exercise objectives,boundaries, or timelines, and the CAF'sperformance is subject to continualobservation and evaluation by the NRCand Its contractors, the agency controlsthe exercise. If the industry is unable tomaintain an adequate and objective CAPthat meets the standards mandated bythe NRC, the NRC will take thenecessary actions to ensure theeffectiveness of the force-on-forceevaluation program. The NRC isdocumenting requirements for theperformance of FOF testing as well asimplementing EPAct requirements forthe mitigation of conflict of interest ina separate rulemaklng. In summary_

* NRC Position: Disagrees with thecomment.

9 Action: No action required.

16, Screening of Workers in NuclearPower Plants

Public Comment: One commenterstated that the NRC must be able toregulate or at least oversee the initialand follow-up screening of temporaryand permanent workers who will haveaccess to the reactor vessel, the spentfuel pool, and the related valves,generators, pumps, electrical systems.and miles of piping that are required forthe plant's operation and are vulnerableas terrorist targets,

Response to Public Conunent: TheCommission agrees with the comment tothe extent that the NRC does regulatethe screening of both permanent andtemporary workers with unescoredaccess to the protected area, The DBTrule does not regulate or overseespecific programs. Instead, It defines thegeneral threat against which licenseesmust be able to defend against with highassurance. Accordingly, NRC regulationor oversight of screening of workers atnuclear power plants is outside thescope of this rule.

However, it should be noted dtat theNRC requires licensees to have anaccess authorization program that meetsNRC requirements. 10 CFR 73.56,"Personnel access authorizationrequirements for nuclear power plants."requires all 10 CFR 50 and 52 licons~eesto include the required accessauthorization program as part of theirsite Physical Security Plan. Specifically,10 CFR 73.56 states that the licensee isresponsible for granting, denying, orrevoking unescortad accessauthorization to any contractor, vendor,or otlier affected organization employee.Those requirements are intended toonsure that personnel grantedunescorted access to vital areas of anuclear power plant are trustworthy andreliable, and do not constitute anunreasonable risk to the health andsafety of the public, including apotential to commit radiologicalsabotage. In summary:

@ NRC Position: Agrees with thecomment.

9 Action: No action required.

17. Self-Sufficient Defense CapabilitiesPublic Comment: Two commentors

stated that in some regions, notably inlarge metropolitan areas,communication and transportationmodes make it impossible to provideoutside help in time to aid in facilitydefense fol lowing a terrorist attack.

Response to Public Comment. TheCommission disagrees with thecomment. The capabilities of off-siteresponders are beyond the scope of thisrule. However, the following providesan overview of the existing progIunnand policies in place for addressingissues raised in this comment.

After the September 11, 2001 attacks,the NRC has worked with licensees, theDHS, and State and local governmentsto improve the capabilities of firstresponders as part of the NationalInfrastructure Protection Plan. Part ofthis program Includes conductingComprehensive Reviews of commercialnuclear site security. TheComprehensive Review, led by the 13HS.is a Government and private sectoranalysis of critical Infrastructurefacilities to determine the facilities'exposure to potential terrorist attack, theconsequences of such an attack, and theintegrated prevention and responsecapabilities of the owner/operator, locallaw enforcement, and emergencyrasponse organizations.

The results are used to enhance thesecurity posture of the facilities andcommunity first responders by usingshort-term improvements in equipment,training, and processes: and informinglonger-term risk-based investments and

MA~Y-11-2007 17:31 P. 19/26

Federal Register/Vol. 72, No. 52/Monday, March 19, 2007/Rules and Regulations 12721

science and technology decisions. Inless than a year, ComprehensiveReviews have resulted in identifyingreadily adaptable, low-cost protectivemeasures for increased readiness andpreparedness in the event of a terroristattack or natural disaster. The nuclearsector was the first of the sectors toparticipate in these reviews. A numberof Federal agencies participated invarious assessments Involving thesefacilities. Although recognizing thatnuclear plants are the best-protectedassets of our critical infrastructure,those Federal agencies and the nuclearindustry also recognized the value of aunified, collaborative effort to enhancethe protection of these vital assets. In

.NRuCPosition: Disagrees with thecomment.

v Action: No action required.18. Security of Dry Cask Storage

Public Comment: Multiplecommenters expressed concernsregarding vulnerabilities of dry caskstorage at nuclear power plants underterrorist attacks. The commenterssuggested that dry cask storage shouldbQ. protected by-,(b) Separationwith a minimum

spacing of 50 yards between each cask.(H) ardening with beamhenge, and/

or(iii] Burial in earthen mounds,One commenter stated that the NRC

must require herming of dry storagecasks as part of the DBT.

.Response to Public Comment: TheCommission disagrees with thecommenters' statements. In addition,requirements related to the security ofdry cask storage are beyond the scope ofthis rulemaking, However, design besiaand vulnerabilities assessment of drycask storage facilities are providedbelow as background information forbetter understanding of existingrequirements.

Dry cask storage facilities (e.g.,independent spent fuel storageinstallations (ISFSIs)) at nuclear powerplants are designed to protect againstexternal events such as tornados,hurricanes, fires, floods, andearthquakes. The standards in 10 CFRPart 72 Subpart E, "Siting EvaluationFactors," and Subpart F, "CeneralDesign Criteria," ensure that the drycask storage designs are very rugged androbust. The casks must maintainstructural, thermal, shielding, criticality,and confinement integrity during avariety of postulated external eventsincluding cask drops, tip-over, andwind driven missile impacts.

After the terrorist attacks ofSeptember 11, 2001, the Commission

initiated a program in 2002 to asseus thecapability of nuclear facilities towithstand terrorist attacks. As part ofthe program, the Commission analyzedthe performance of ISFSIs under aircraftattacks and has evaluated the results ofdetailed security assessments involvinglarge commercial aircraft attacks, whichwere performed on four representativespent fuel casks, The large aircraftimpact studies included structuralanalyses of the aircraft impact into asingle cask and the resulting cask-to-cask interactions. Those evaluationsindicate diat It is highly unlikely that asignificant release of radioactivitywould occur from an aircraft Impact ona dry spent hfel storage cask

• The Commission is finalizing thesecurity assessments for a number ofrepresentative spent fuel storage casksfor additional types of attacks andweaponry (including ground attacks],and will continue to evaluate the resultsof the ongoing assessments. Based uponthese results and any other newinformation, the Commission willevaluate whether any change to its spentfuel storage policy is warranted. TheCommission issued a security order forISFSIa in October 2002, and roquiredthe licensees to implement additionalenhancement measures for dry caskstorage. These enhancements to securityincluded increased vehicle standoffdistances, additional security posts, andimproved coordination with lawenforcement and intelligencecommunities, as well as strengthenedsafety.related mitigation procedures andstrategies. In summary:

, NRC Position: Disagrees with thecomment.

a Action: No action required.

10. Security of Spent Fuel Pools

Public Comment: Pour conmmentersexpressed concerns regardingvulnerabilities of spent fuel storagepools at nuclear power reactors underterrorist attacks. The commentsreferenced the summary of the studyperformed by the National Academy ofScience [NAS) which indicated that aterrorist attack on spent fuel pools is acredible threat and may lead to a releaseof a large amount of radioactivematerials to the environnent if it weresuccessful. One comment specificallystated that not only is the NRC'sresponse to the findings of the NASstudy slow, but also, that the NRC hasno Intention of addressing these riskissues. It further stated that the apparentabsence of a concerted spent fuelsecurity program in the revised DBT isfurther evidence of the NRC's failure torecognize and address the problem.

Response to Public Comment:Security program requirements are thesubject of another rulamaking, namely10 CFR 73,55. Accordingly, the heed fora concerted spent fuel security programin the revised DBT is beyond the scopeof this rule. In addition, the Conmmissiondisagrees with the statements subinittedby the commenters. The following isprovided as background informationpertinent to these comments.

The NRC bee taken numerous actionsto enhance the security of spent oucluarfuel, and will take appropriateadditional action as necessary as a resultof on-going evaluations. BeforeSeptember 11, 2001, spent fuel was wellprotected by physical barriers. armedguards, intrusion detection systems.area surveillance systems, accesscontrols, and access authorizationrequirements far employees workinginside the plants. After September 11,2001, the NRC has enhanced itsrequirements, and licensees haveincreased their resources to improvesecurity at nuclear power plants. Forexample, the NRC's February 25. 2002Order to power reactor licensees dealtwith spent fuel pool cooling capabilitiesin the event of a tarroriet attack. As aresult of the supplemented DBT, thesecurity of spent fuel pools has boonenhanced at operating power reactors.

The NRC also initiated a progara in2002 to assess the capability of nuclearfacilities to withstand a terrorist attack.The early focus of that program was onpower reactors, including spent fuelpools. As the results of that programnbecame available, theNRC providedpower reactor licensees additionalguidance in February 2005 on theimplementation af the February 2002Order regarding spent fuel mitigationmeasures. The power reactor licenseesresponded to those additional specificrecommendations in May 2005.Mitigating measures that are being orhave been established Include thosespecifically recommended in the NASstudy regarding fuel distribution andenhamed cooling capabilities.

The NRC is working with industry toconduct additional plant-specificdamage assessments for a range ofpotential attack scenarios. The NRCcontinues to evaluate spent fuel poolsecurity in FOF exercises, which theNRC conducts at least once every threeyears at each power reactor site. Insurunmary;

o NRPosition: Disagrees with thecomment.

P Action; No action required.20. Inherent Design Problems That

Make Power Reactors VulnerablePublic Comment: One commenter

stated that the present DBTs ignore

MAY-11-2007 17:32 P. 20/26

12722 Federal Register/Vol. 72, No, 52/Monday, March 19, 2007/Rules and Regulations I

vulnerabilities inherent in the design ofnuclear facilities. The commentar statedthat the NRC has granted exemptionsfrom certain safety regulations fe.g.,AppendLx R fire protection standards) tomany licensees that present obvious andunacceptable vulnerabilities, Thecommenter stated that the vulnerabilityof fire-safoty related pump rooms at anuclear power plant under an attackscenario was disregarded. Thecommenter further related thedocumentation of concerns ofvulnerabilities regarding inherentdesign problems through numerouspetitions and allegations to the NRC.

Response to Public Comment: TheCommission disagrees with thecommeater's statement that the presentDBTs ignore vulnerabilities inherent inthe design of nuclear facilities. TheCommission has high assurance that thedesigns of currently operating reactorsare safe, and provide adequate securityprotection. Moreover, the notion of"inherent design vulnerabilities" ofnuclear facilities is beyond the scope ofthis rule. since the DBTs do not specifyspecific protective measures, such asdesign features. However, plant specificvulnerabilities are considered duringthe process of target set developmentand are utilized during force-on-forcetesting to assure the licensee is capableof defending the plant. In addition, theNRC is undertaking several separaterulemakings related to this issue. Forinstance, the Commission has proposeda rule that would amend its regulationsrelated to security requirements forpower reactors (71 FR 62664; October26, 2006]. Also, the Commission isconsidering issuing a proposed rule thatwould require applicants to assessspecific design features that would beincorporated into the final design tosup port overall security effectiveness ofnucieur power plants.

With respect to the commenter'sstatement on the exemptions fromcertain safety regulations (e.g.,Appendix X fire protection standards),the NRC staff believes that the commentis out of scope of this rulemaking.However, a response to the issue raisedin this question is in order. To that end,the following information Is provided asbackground information,

Plants licensed to operate beforeJanuary 1. 1979, must comply with fireprotection requirements as specified In10 CFR 50,48(b) that backfit paragraphsMI.G, J and 0 of Appendix R. Plantslicensed to operate after January 1, 1979,must comply with the approved fireprotection program incorporated intotheir operating license, When theCommission promulgated 10 CFR Part50, Appendix R, the Commission

recognized that there would be plantspecific conditions and configurationswhere strict compliance with theprescriptive features specified inAppendix R would not significantlyenhance the level of fire safety alreadyprovided by the licensee. Therefore, incertain cases, where the licensee coulddemonstrate an equivalent lovel of firesafety that satisfied the underlyingpurpose of the rule, the licensee couldapply for a specific exemption fromAppendix R. Thus, the exemptionprocess allowed through 10 CFR 50,12provides a means of allowing licenaaesto meet Appendix R through alternatemeans.

The NRC has granted and continues togrant exemptions when a licensee meetsthe criteria of 10 CFR 5o.12 anddemonstrates that the alternate meansprovide an adequate level of fire safety.The NRC believes that individual fireprotection exemptions have had a smallimpact on plant risk.

Regarding the commenter's statementconcerning the petitions end allegationsdocumented and submitted to the NRC,the NRC is currently preparingresponses to those that have beenreceived.

a NRC Position: Disagrees with thecomment that the present DBTs ignorevulnerabilities inherent in the design ofnuclear facilities.

v Action: No action Is required withrespect to this DBT rulemaking.However, the NRC will provide properresponses to the petitions andallegations that have been received.

M. Summary of Specific Changes Madeto the Proposed Rule. as a RXesut ofPublic Comment

One change is being made to the ruleto add a cyber threat as an explicitelement of the DBT rule for bothexternal and internal adversaries.

The previous DBT requirements in 10CFR 73.1 did not specifically includethe threat of a cyber attack. However, acyber attack capability was implied inthe proposed 10 CFR 73.1 issued forpublic comment In the Federal Registron November 7, 2005 (70 FR 67380).Under Section 651(a) (2) of the EPAct of2005, Congress also directed NRC toconsider malking an "assessment ofphysical, cyber, biochemical, and otherterrorist threats" when developing therevised rule, and the NRC specificallyasked for public comment on whetherthis and a number of other aspectsshould be included in the DBT. Onecommenter specifically referred to theneed for the DBT rule to containrequirements pertaining to cyber attackcapabilities.

The NRC has historically requiredlicensees to evaluate cybarvulnerabilities. In February 2002,I icensees subject to the DBTs weredirected by 1CM Order (EA-02-026) toconsider and address cybar safety andsecurity vulnerabilities, In April 2003.NRC Orders (RA-03-086 and EA-03-087) that supplemented the DBTScontained language concerning diethreat of a cyber attack. Licensees weresubsequently provided with a cybersecurity self-assessment methodologyand the results of pilot studies, as wellas additional guidance issued by thenuclear industry, to facilitatedevelopment of site cyber securityprograms.The February 2003, U.S. National

Strategy to Secure Cyberspace suggeststhat the dyber threat likely will increaseboth in Capability and frequency in thefuture. In light of this threat, the cybarsecurity programs already initiated bythe Industry, the proposed draft 10 CFR73.55(m), "Digital Computer andCommunication Networks," that isincluded in the proposed rule on powerreactor security requirements (71 FR62654; October 26, 2006), and therequirements of the EPAct of 2005, theCommission has decided to include acybor attack as an element of the DBT.TV. Section.by-Section Analysis

The followhig provides a comparisonbetween the previous rule text and thefinal rule text in 10 CFR 73.1.

(a) Previous Rule: Purpose. This partprescribes requirements for theestablishment and maintenance of aphysical. protection system which will

ave capabilities for the protection ofspecial nuclear material at fixed sitesand in transit and of plants in whichspecial nuclear material is used. Thefollowing design basis threats, wherereferenced in ensuing sections of thispart, shell be used to design safeguardssystems to protect against acts ofradiological sabotage and to prevent thetheft of special nuclear material.Licensees subject to the proviaions of§§ 72.182, 72.212, 73.20, 73,50, and73.60 are exempt from 73,1(a)(1)[i)(E)and 73.1(a)[1)(iii).

(a) Final Rule: Purpose. This partprescribes requirements for theestablishment and maintenance of aphysical protection system which willhave capabilities for the protection ofspecial nuclear material at fixed sitesand in transit and of plants In whichspecial nuclear material is used. Thefollowing design basis threats, wherereferenced in ensuing sections of thispart, shall be used to design safeguardssystems to protect against acts ofradlological sabotage and to prevent the

MAY-11-2007 17:33 F. 21/26

Federal Register/Vol. 72, No. 52/Monday, March 19, 2007/Rules aand Regulations 12723

theft or diversion of special nuclearmaterial. Licensees subject to theprovisions of q 73.20 (except for fuelcycle licensees authorized under part 70of this chapter to receive, acquire,possess, transfer, use, or deliver fortransportation formula quantities ofstrategic special nuclear material),§§ 73.50, and 73.60, are exempt from§§ 73.1(a)(1)(i)(E), 73.1(a)(1)(iii),73.1(a)(1)(iv), 73.2(a](2][iii),73. 1(a)(2)(iv). Licensees subject to theprovisions of§ 72.212 are exempt from§ 73.1(a)(1)(iv).

(a) Change: The paragraph is modifiedto clarify that the DBT Is designed toRprotect against diversion in addition totheft of special nuclear material. Theexemptions are updated based on theorder requirements and conformingchanges to other paragraphs of this part.

(13(i) Previous Rule: Radiologicalsabotage. (iU A determined violentexternal assault, attack by stealth, ordeceptive actions, of several personswith the following attributes, assistanceand equipment:

(2)(i) Final Rule. Radiologicalsabotage. (1] A determined violentexternal assault, attack by stealth, ordeceptive actions, includingdiversionary actions, by an adversaryforce capable of operating in each of thefollowing modes: a single groupattacking through one entry point,multiple groups attacking throughmultiple entry points, a combination ofone or more groups and one or moreindividuals attacking through multipleentry points, or individuals attackingthrough separate entry points, with thefollowing attributes, assistance andequipment:

(1)(i) Change: The paragraph addsnew capabilities to the DBT includingoperation in multiple modes of attack.The language in thi final rule wasmodified to provide specificity thatlicensees are required to maintain thecapability to protect against severalmodes, and that a physical security planonly capable of defending against one ofthe prescribed modes would not satisfythe requirements of the rule.

(1)(i) (A) Previous Rule: Well-trained(including military training and skills)and dedicated individuals,

MOM(i](A) Final Rule: Well-trained(including military training and skills)and dedicated individuals, willing tokill or be killed, with sufficientknowledge to identify specificequipment or locations necessary for asuccessful attack.

(1)(i)(A) Change: The paragraph addsadversaries who are willing to kill or bekilled and are knowledgeable aboutspecific target selection to the DBT.

(2)(i)(1) Previous Rule: Insideassistance which may include aknowledgeable individual who attemptsto participate In a passive role (e.g.,provide information), an active role(e.g., facilitate entrance and exit, disablealarms and communications, participatein violent attack), or both,

(1](i)(1) Final Rule: Active (e.g..facilitate entrance and exit, disablealarms and communications. participatein violent attack) or passive (e.g.,Erovide information), or both.owledgeable inside assistance,

(1)(i)(81 Change: The reference to anindividual is removed and theparagraph reworded to provideflexibility in defining the scope of theinside threat.

(1)(i}(C) Previous Rule: Suitableweapons, up to and including hand-held automatic weapons, equipped withsilencers and having effective long rangeaccuracy,

(1(i)(C) Final Rule: Suitable weapons,including hand-held automaticweapons, equipped with silencers andhaving effective long range accuracy,

(1)(i)(C) Change: The phrase "up toand including" is changed to"including" to provide flexibility indefining the range of weapons licenseesmust be able to defend against.

- (1J(i)(D) Previous Rule: Hand-carriedequipment, including incapacitatingagents and explosives for use as tools ofentry or for otherwise destroyingreactor, facility, transporter, or containerintegrity or features of the safeguardssystem, and

(1)(i)(D) Final Rule: Hand-carriedequipment, including incapacitatingagents and explosives for use as tools ofentry or for otherwise destroyingreactor, facility, transporter, or containerintegrity or features of the safeguardssystem, and

(116(0(D) Change: This description isnot revised by the final rule.

(1t(I)E) Previous Rule: A four-wheeldrive land vehicle used for transportingpersonnel and their hand-carriedequipment to the proximity of vitalareas and

W(1I)(E) Final Rule: Land and watervehicles, whiclh could be used fortransporting personnel and their hand-carried equipment to the proximity ofvital areas, and

(1)(1)(E) Change: The scope of vehicleslicensees must defend against isexpanded to Include water vehicles anda range of land vehiclesbeyond four.wheel drive vehicles.

(11(ii Previous Rule: An internalthreat of an insider, including anemployee (in any position), and

M1U(Iu Final Rule: An internal threat,and

(1l(ii) Canpe: The current ruledescribes the internal threat as a threatposed by an individual. The language isravisod to provide flexibility in definingthe scope of the Internal threat.

(i)(ili) Previous Rule: A four-wheeldrive land vehicle bomb.

({)(iii) Final Rule: A land vehiclebomb assault, which may becoordinated with an external assault,and

(1)(iii) Change:,The paragraph isupdated to reflect that licensees areroquired to protect against a wide rangeof land vehicles. A new mode of attacknot previously part of the DBTreguations is added indicating dtatadversaries may coordinate a vehiclebomb assault with another externalassault.

(1)(iv) Previous Rule: None.(1)(iv) Final Rule: A waterborno

vehicle bomb assault, which may becoordinated with an external assault,and

(1)(iv) Change: The paragraph adds anew mode of attack not previously partof the DBT, that being a waterbornevehicle bomb assault. This paragraphalso adds a coordinated attack concept.

(1)(v) Previous Rule: None.( ](v) Final Rule: A cyber attack,11(v) Change: Adds a cyber attack.

The capability to exploit site computerand communications systemvulnerabilities to modify or destroy dataand programming code, deny access tosystems, and prevent the operation ofthe computer system and the equipmentit controls.

(2)(i) Previous Rule: Theft ordiversion of formula quantities ofsxateagic special nuclear material. (i) Adetermined, violent, external assault,attack by stealth, or deceptive actions bya small group with the followingattributes, assistance, and equipment:

(2)(i) Final Rule: Theft or diversion offormula quantities of strategic specialnuclear material. (I) A determinedviolent external assault, attack bystealth, or deceptive actions, includingdiversionary actions, by an adversaryforce capable of operating in each of thefollowing modes: a single groupattacking through one entry point,multiple groups attacking throughmultiple entry points, a combination ofone or more groups and one or moreindividuals attacking through multipleentry points, or individuals attackingthrough separate entry points, with thefollowing attributes, assistance andequipment:

(2)(1) Change: The paragraph addsnew adversary capabilities to the DBTincluding operation in multiple modesof attack. The language in the final rulewas modified to provide specificity that

MRY-11-2007 17:33 P. 22/26

Vnaart R-.aicter/Vnl. 72. No. 52/Monday. March i9, 2007/Ruls and Regulations1977A

licensees are required to maintain thecapability to protect against severalmodes, and Stat a physical security planonly capable of defending against one ofthe prescribed modes would not satisfythe requirements of the rule.

(2(i) (A) Previous Rule: Well-trained(including military training and skills)and dedicated individuals;

(2M(i)(A) Final Rule: Well-trained(including military training and skills)and dedicated Individuals, willing tokill or be killed, with sufficientknowledge to identify specificequipment or locations necessary for asuccessful attack;

(2)(i)(A) Change: The paragraph addsto the.DBT adversaries who are willingto kill or be killed and areknowledgeable about specific targetselection.

(2)(i)(B) Previous Rule: Insideassistance that may include aknowledgeable individual who attemptsto participate in a passive role (eg.,provide information], an active role(e.g., facilitate entrance and exit, disablealarms and commu~nications, participatein violent attack), or both;

(2)(i)(B) Final Rule: Active (e,g.,facilitate entrance and exit, disablealarms and communications, participatein violent attack) or passive (e.g.,provide information), or both,knowledgeable inside assistance;

(2)(i)[B) Change: The reference to anindividual is removed and the

aragraph reworded to provideexibillty in deflning the scope of the

inside threat.(2)(i)(C) Previous Rule: Suitable

weapons, up to and including hand-held automatic weapons, equipped withsilencers end having effective long-range accuracy;

(2){I)(C) Final Rule: Suitable weapons,including hand-held automaticweapons, equipped wiLh silencers andhaving effective long-range accuracy;

(2)(i)(C) Chanre: The phrase "up toand including" is changed to"including" to provide flexibility indefining the range of weapons licenseesmust be able to defend against.

(2)[i)(D) Previous Rule: Hand-carriedequipment, including Incapacitatingagents and explosives for use as tools ofentry or for otherwise destroyingreactor, facility, transporter, or containerintegrity or features of the safeguardssystem;

(2{(il(D) Final Rule: Hand-carriedequipment, including incapacitatingagents and explosives for use as tools ofentry or for otherwise destroyingreactor, facility, transporter, or containerintegrity or features of the safeguardssystem; and

(Z)(i)(D) Change: This description isnot revised by tle final rule,

(2)(i)(E} Previous Rule: Land vehiclesused for transporting persounnl andtheir hand-carried equipment; and

(2)(i)lE) Final Rule: Land and watervehicles, which could be used fortransporting personnel and their hand-carried euiprment.

(2,)(i)EJ" Change: The scope of vehicleslicensees must defend against isexpanded to include water vehicles anda range of land vehicles beyond four-wheel drive vehicles.

(2)(i)(F) Previous Rule: The ability tooperate as two or more teams.

(2){i (F) Final Rule; Deleted.(2)(i)(F) Change: This requirement is

included in (2)(1).(23{it) Previous Rule:An individual,

including an employee (in anyposition), and

(2)(it) Final Rule: An internal threat,(2)(1i0 Change: The current rule

describes the internal threat as a threatposed by an individual. The language Isrevised to provide flexibility in definingthe scope of the Internal threat.

(2}{il) Previous Rule: A conspiracybetween individuals in any positionwho may have:

(A) Access to and detailed knowledgeof nuclear power plants or the facilitiesreferred to In § 73,20(a), or

(B) Items that could facilitate theft ofspecial nuclear materiel (e.g,, smalltools, subsUrate material, falsedocuments, esc.), or both.

(2)(iii) Final Rule: A land vehiclebomb assault, which may becoordinated with an external assault,and

(2{iii) Change: The paragraph isupdated to reflect that licensees arerequired to protect against a wide rangeof land vehicles, A new mode of attacknot previously pert of the DBT is addedindicating that adversaries maycoordinate a vehicle bomb assault withanother external assault.

(2)(iv) Previous Rule: None.(2)(iv) Final Rule: A waterborne

vehicle bomb assault, which may becoordinated with an external assault.

(2)(iv) Change: The paragraph wouldadd a new mode of attack not previouslypart of the DBT, that being a waterbornevehicle bomb assault. This coordinatedattack concept is another upgrade to thecurrent regulation.

(20(v) Previous Rule: None.(2)(v) Final Rule: A cyber attack.(2)(v) Change: Adds a cyber attack.

The capability to exploit site computerand communications systemvulnerabilities to modify or destroy dataand programming code, deny access tosystenm, and prevent the operation ofthe computer system and the equipmentit controls,

The Commission concludes that theamendments to § 73.1 will continue toensure adequate protection of publichealth and safety and the commondefense and security by requiring tiesecure use and management ofradioactive materials. The revised DB rsrepresent the largest threats againstwhich private sector facilities must boable to defend with high assurance, Theamendments to 10 CFR 73.1 reflectrequirements currently in place underexisting NRC regulations cnd orders.

V. GuidanceThe NRC staff is preparing new

regulatory guides (RGs) to providedetailed guidance on the revised D1Trequirements in 10 CFR 73.1. Theseguides are intended to assist currentlicensees in ensuring that their securityplane meet requirements In the revisedrule, as well as future license applicantsin the development of their securityprograms and plans. The new guidanceincorporates the insights gained fromapplying the earlier guidance that wasused to develop, review, and approvethe site security plans that licensees putin place in response to the April 2003Orders. As such, this regulatoryguidance is expected to be consistentwith revised security measures atcurrent licensees, The publication of theRCs is planned to coincide with thepublication of the final rule.

1. Regulatory Guide (RG-5.60),"Guidance for the Implementation ofthe Radiological Sabotage Design-BasisThreat (Safeguards)." This regulatoryguide will provide guidance to theindustry on the radiological sabotageDBT. RC--.69 contains SGI and,therefore, is being withheld from publicdisclosure and distributed on a need-to-know basis to those who otherwisequalify for access.

2, Regulatory Guide (RG-5.70),"Guidance for the Implementation ofthe Theft or Diversion Design-BasisThreat (Classified)." This regulatoryguide will provide guidance to theindustry on the theft or diversion DBT.RG.-5.70 contains classified informationand, therefore, is withheld from publicdisclosure and distributed only on aneed to know basis to those whootherwise qualify for access.

VL Resolution of Petition (PRM-73-12]The staff incorporated consideration

of a petition for rilemaking Into thisrulemaking filed by the Committee toBridge the Gap (PRM-73-12) on July 23,2004. The petition requests that NRCconduct a rulemaking to revise the DBTregulations (including numbers, teems,capabilities, planning, willingness todie, and other characteristics of

MAY-11-2007 17:34 P. 23/26

Federal Reglster/Vol. 72, No. 52/Monday. March 19, 2007/Rules and Regulations 12725

adversaries) to a level that encompasses,with a sufficient margin of safety, theterrorist capabilities demonstratedduring the attacks of September Ii,2001. The petition also requests thatsecurity plans, systems. inspections,and FOF exercises be revised inaccordance with the amended DBTs.Finally, the petition requests that arequirement be added to Part 73 torequire licensees to construct shieldsagainst air attack (referred to as"bearnhengas") so that nuclear powerplants would be able to withstand an airattack from a jumbo jet similar to theSeptember 11, 2001, attacks.• PRM-73-1 z was published for publiccomment in the Federal Register onNovember B, 2004 (69 FR 64690). Therewere 845 comments submitted on PRM-73-12. of which 528 were form letters.The staff reviewed both the petition andthe comments on the petition againstthe supplemental DBTs to determine ifthe DBTa should be revised as requestedby the petitioner. Based on this review,the NRC staff determined that a numberof the proposed revisions in PRM-73-12had already been set forth in theproposed DBT rule language. The NRCpartially granted PRM-73-12 as statedm the public notice of the proposed 10CFR 73.1 DBT rulemaking, (See, 70 FR07380; November 7, 2005), but deferredaction on other aspects of the petition,particularly with respect to itsconsideration of the airborne threat, tothe final rulemaking.

During the course of this rulemaking,the Commission considered if it wouldbe necessary to add some type ofairborne threat as part of the DBTs. Aftercareful evaluation and consideration,

the Commission has chosen a two-trackresponse to the air threat that excludesphysical security measures such as"beamhenge." First, the Commissiondetermined that active protectionagainst the airborne threat requiresmilitary weapons and ordinance (i.e.,ground-based air defense missiles), thatrightfully belong to the Department ofDefense. Thus, the airborne threat is onewhich is beyond what a private securityforce can reasonably be expected todefend against. Second, licensees havebeen directed to implement certainmitigative measures to limit the effectsof an aircraft strike. Therefore, theCommission has denied the request orthe petition PRM-73-12 regarding theinclusion of the airborne threat in theDBTs, as well as beamhenge as physicalsecurity measures. More detailedInformation in support of dteCommission's position is provided inthe comment resolutions for Factor 6,the potential for water-baBed and air-based threats, end Factor 0, the potentialfor fires, especially fires of longduration.VII. Criminal Penalties

For the purposes of Section Z23 of theAtomic Energy Act, as amended, theCommission is issuing the final rule torevise 10 CFR 73.1 under Sections of151b, 1Oli, or 161o of the AtomicEnergy Act of 1954 (AEA]. Criminalpenalties, as they apply to regulations inPart 73, are discussed in 10 CFR 73.81,VIII. Compatibility of Agreement StateRegulations

Under tie "Policy Statement onAdequacy and Compatibility of

Agreement States Programs, "approvedby the Commission on June 20, 1997,and published in the Federal Register(02 FR 46517; September 3, 1997), thisrule is classified as compatibility"NRC." Compatibility is not required forCategory "NRC" regulations. The NRCprogram elements in this category arethose that relate directly to areas ofregulation reserved to the NRC by theAEA or the provisions of Title 10 of theCode of Federal Regulations, andalthough an Agreement State may notadopt program elements reserved toNRC. it may wish to inform its licenseesof certain requirements via a mechanismthat is consistent with the particularState's administrative procedure laws,but does not confer regulatory authorityon the State.

IX. Availability of Documents

Some documents discussed in thisnotice are not available to the public.The following table indicates whichdocuments are available to the publicand how they may be obtained. PublicDocument Room (PDR). The NRC PublicDocument Room is located at 11555Rockville Pike. Rockville, Maryland20852. Rulemaking Wobsire (Web). TheNRC's interactive rulemaking Website islocated at: //ruleforurn.lhnl.gov. "liesedocuments may be viewed anddownloaded electronically via this Website. NRC's Electronic Reading Room(ERR]. The NRC's electronic readingroom Is located at http://www.nrc.govlreading-rmt.hmir,

Document PDR Web ERR

Environmental Assessment ................ ............. ............................................................ X X ML070530261Regulatory Analysis ... ........................................ X X ML070530193Public Comments on PRM-73-12 ................................................................................... . X X MLLS3040081Radiological Sabotage Adversary Characteristics document ..................... i ....................... no no noTheft or diversion Adversary Characteristics document ................. I ........ ..................... no no noTechnical Basis Document ......................................................................... 1 ... ................... no no noRG 5.69 on Radiological Sabotage ........................................................ no no noRG -5.70 on Theft or Diversion ................................................................................................ no no noMemorandum: Status of Securily-Related Rulemaking ............................ X X ML041180532Commission SRM dated August 23, 2004 ....... ............................ ........................ ML042360548Memorandum: Schedule for Part 73 Rulemaldngs ................................................................... X X ML043060572Letter to Petitioner .................................................................................................................... X X ML052920150Commission SAM dated October 27, 2005 ........................................ X X ML053000448Proposed Rulemaldng dated November 7, 2005 ......... .................. ....................... X X ML060080310Public Comments on Proposed Rule ........................................................................................ X X ML06213 5"75Commission SRM dated January 21, 2007 .............................................................................. X X ML070290286Final Rulemaking ....................................................................... ................. X X ML070520692

X, Plain LanguageThe Presidential memorandum dated

June 1, 1998, entitled "Plain Languagein Government Writing," published onJune 10, 1998 (63 FR 31883) directed

that the Government's documents be inplain, clear, and accessible language.The NRC requested comments on theproposed rule specifically with respectto the clarity and effectiveness of the

language used. No specific commentswere received on the propored rulerelated to this issue.

MAY-11-2007 17:35P242 P. 24/26

12726 Federal Register/Vol. 72, No. s2/Monday, March 19. 2007/Rules and Regulations

XT. Voluntary Consensus Standards

The National Technology Transferand Advancement Act of 1995, Pub. L,104-113, requires that Federal agenciesuse technical standards that aredeveloped or adopted by voluntaryconsensus standards bodies unlessusing such a standard is inconsistentwith applicable law or is otherwiseimpractical. The NRC is not aware ofany voluntary consensus standard thatcould be used instead of the proposedGovernment-unique standards. The NRCwill consider using a voluntaryconsensus standard if an appropriatestandard is identified,

XII. Finding of No SignificantEnvironmental Impact. EnvironmentalAssessmn:L Availability

The Commission has determinedunder the National EnvironmentalPolicy Act of 1969, as amended, and theCommission's regulations in Subpart Aof 10 CFR Part 51, that this rule is nota major Federal action significantlyaffecting the quality of the humanenvironment and, therefore, anenvironmental impact statement is notrequired.

The determination of thisenvironmental assessment is that therewill be no significant off-site Impact tothe public from this action.

The NRC sent a copy of theenvironmental assessment and theproposed rule to every State LiaisonOfficer and requested their commentson the environmental assessment. Nocomments were received from the StateLiaison Officer on the environmentalassessment. I

XII. Paperwork Reduction ActStatement

This final rule does not contain newor amended information collectionrequirements and, therefore is notsubject to the Paperwork Reduction Actof 1995 (44 U.S.C. 3501 at seq.). Existinginformation collection requirementswere approved by the Office ofManagement and Budget, approvalnumber 3150-0002. The burden for allfuture licensees will be covered under10 CFR Part 52 (3150-0151) as part ofthe combined operator licenseapplications.

Public Protection Notification

The NRC may not conduct or sponsor,and a person is not required to respondto, a request for information or aninformation collection requirementunless the requesting documentdisplays a currently valid OMB controlnumber.

XIV. Regulatory AnalyiiaThe Commission has prepared a

regulatory analysis on this regulation.The analysis examines the costs andbenefits of the alternatives consideredby the Commission, The Commissionrequested public comment on the draftregulatory analysis. Comments on thedraft analysis have been addressed in

-Section II of this document. Availabilityof the regulatory analysis is provided inSection VIII of this document,

XV. Regulatory Flexibility CertificationUnder the Regulatory Flexibility Act

(5 U.S.C. 605(b)), the Commissioncertifies that this ride does not have asignificant economic Impact on asubstantial number of smell entitles.This final rule affects only the licensingand operation of nuclear power plantsand Category I fuel cycle facilities. Thecompanies that own these plants do notfall within the scope of the definition of"~small entities" set forth in. theRegulatory Flexibility Act or the sizestandards established by the NRC (10CFR 2.B10).

XVI. Backfit AnalysisThe NRC has determined, pursuant to

the exception in 10 CR 50.109(a)(4)(111)and 10 CFR 70,70(e)(4)(iv), that a backfitanalysis is unnecessary for this finalrule, Sections 50.109 and 70.76(a)(4)(iv)state, in pertinent part, that a backfitanalysis is not required if theCommission finds and declares withappropriate documented evaluation forits finding that a "regulatory actioninvolves defining or redefining whatlevel of protection to the public healthand safety or common defense andsecurity should be regarded asadequate." The final rule increases thesecurity requirements currentlyprescribed in NRC regulations, and isnecessary to protect nuclear facilitiesagainst potential terrorists. When theCommission imposed securityenhancements by order in April 2003, itdid so in response to an escalateddomestic threat level. Since that time.,the Commission has continued tomonitor intelligence reports regardingplausible threats from terroristscurrently facing the U.S. TheCommission has also gained experiencefrom implementing the orderrequirements and reviewing revisedlicensee security pleas. TheCommission has considered all of thisInformation and finds that securityrequirements similar to those previouslyimposed by the DBT Orders, whichapplied only to existing licensees.should be made generically applicable.The Commission further finds that the

final rule would redefine the securityrequirements stated in existing NRCregulations, and is necessary to ensurethat the public health and safety andcommon defense and security areadequately protected in the current,post-September 11, 2001 environment.

XVII. Congressional Review ActUnder the Congressional Reviuw Act

of 1996, NRC has determined that thisaction is not a "major rule" and hasverified this determination with theOffice of Information and RegulatoryAffairs of OMB.List of Subjects in 10 CFR Part 73

Criminal penalties, Export, HIzardousmaterials transportation, Import,Nuclear materials, Nuclear power plantsand reactors, Reporting andrecordkeeping requirements, andSecurity measures.n For the reasons set oui in thepreamble and under the authority of theAtomic Energy Act of 1954, as amonded;the Energy Reorganization Act of 1974,as amended; and 5 U.S.C, 552 and 553;Lhe NRC is adopting the followingamendments to 10 CFR part 73.

PART 73--PHYSICAL PROTECTION OFPLANTS AND MATRIIALS• 1. The authority citation for part 73continues to read as follows:

Authority. Sacs. 53, 161, 68 Star. 030, 94B,as amended, sec. 147, 94 Stat. 780 (42 U.S.C.2073, 2167, 22011: sec. 201, as aroendud, 204,08 Stat. 1242, as amnded, 1245. sec. 1707,106 Stat. 951. 2952.2903 (42 U.S.C. 5841.5844, 22971); sac, 1704, 112 Stat. 2750 (44U.S.C. 3504 note). Section 73.1 also issuedunder se•&a 135,141. pub. L. 97-425. 96 Star.2232, 2241 (42 U.S.C, 10155. 101611. SActinn73.37(f also issued under sec. 301, Pub, L,06-295. 94 Stat. 7B9 (42 U.S.C. 5941 note).Section 73.57 is Issued under sec. 606, Pub.L. 99-399, 2o0 Stat. 876 (42 U.S.C. 2189).a 2. In § 73.1, paragraph (a) is revised toread as follows:

§ 73.1 Purpose and scope.(a) Purpose. This part prescribes

requirements for the establishment andmaintenance of a physical protectionsystem which will have capabilities forthe protection of special nuclearmaterial at fixed sites and In transit andof plants in which special nuclearmaterial is used. The following designbasis threats, where referenced inensuing sections of this part, shall beused to design safeguards systems toprotect against acts of radiologicalsabotage and to prevent the theft ordiversion of special nuclear material.Licensees subject to the provisions of§ 73.20 (except for fuel cycle licenseesauthorized under Part 70 of this chapter'

MAY-11-2007 1?:35 P. 25/26

Federal Register/Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and -Regulations 12727

to receive, acquire, possess, transfer,usa, or deliver for transportation .formula quantities of strategic specialnuclear material). §§ 73.50, and 73.60are exempt from §§ 73.1(a)(13(i}(EJ,/3.1[a)(1)(iii)0 73.2[a)(1)(iv),

73.1(a)(2)(iii), and 73.11a)[2)(iv).Licensees subject to the provisions of§ 72.212 are exempt from§ 73.1(a)(1)(iv).

(1) Radiolo4ical sabotage. (I) Adetermined.vwolent external assault,attack by stealth, or deceptive actions,including diversionary actions, by anadversary force capable of operating Ineach of the following modes: A singlegroup attacking through one entry point,multiple groups attacking throughmultiple entry points, a combination ofone or more groups and one or moreindividuals attacking through multipleentry points, or individuals attackingthrough separate entry points, with thefollowing attributes, assistance andequipment:

(A)Well-trained (including militarytraining and skills] and dedicatedindividuals, willing to kill or be killed,with sufficient knowledge to identifyspecific equipment or locationsnecessary for a successful attack:

(B) Active (e.g., facilitate entrance andexit, disable alarms andcommunications, participate in violentattack) or passive (e.g., provideinformation), or both, knowledgeableinside assistance;

(C) Suitable weapons, Including hand.held automatic weapons, equipped withsilencers and having effective long rangeaccuracy;

(D) Hand-carried equipment,including incapacitating agents endexplosives for use as tools of entry or forotherwise destroying reactor, facility,transpoi-ter, or container integrity orfeatures of the safeguards system- and

(E) Land and water vehicles, whichcould be used for transporting personneland their hand-carried equipment to theproximity of vital areas; and

(iiI An internal threat; and(iii) A land vehicle bomb assault,

which may be coordinated with anexternal assault; and

(iv) A waterborne vehicle bombasuault, which maybe coordinated withan external assault: and

Jv] A cyber attack.2 Theft or diversion of formula

quantities of strategic special nuclearmaterial. (i) A determined violentexternal assault, attack by stealth, ordeceptive actions, includingdiversionary actions, by an adversaryforce capable of operating in each of thefollowing modes: a single groupattacking through one entry point,multiple groups attacking through

multiple entry points, a combination ofone or more groups and one orIndividuals attacking through multipleentry points, or individuals attackingthrough separate entry points, with th10following attributes, assistance andequipment:

(A] Well-trained (including militarytraining and skills) and dedicatedindividuals, willing to kill or be killed,with sufficient knowledge to identifyspecific equipment or locationsnecessary for a successful attack;

(B) Active (e.g., facilitate entrance andexit, disable alarms andcommunications, participate in violentattack) or passive (e.g,, provideInformation), or both, knowledgeableinside assistance;

(C] Suitable weapons, including hand-held automatic weapons, equipped withsilencers snd having effective long-range accuracy:

(D) Hand-carried equipment,including incapacitating agents andexplosives for use as tools of entry or forotherwise destroying reactor, facility,transporter, or container integrity orfeatures of the safe-guards system:

MEl Land and water vehicles, whichcould be used for transporting personneland their hand-carried equlpmant; and

(ii) An internal threat; and(iii) A land vehicle bomb assault,

which may be coordinated with anexternal assault; end

(iv) A waterborne vehicle bombassault, which may be coordinated withan external assault; and

(v) A cyber attack.

Dated at Rockville, Maryland this 13th dayof March 2007.

For thw Nuclear Regulatory Commission.Annette L. Vietti-Cook,Searmtay of the Cammission.IFR Doc. 07-132 7 Filed 3--16-07; 8:45 m-n]BILLING Coos 75.0-0I-P

DEPARTMENT OF TRANSPORTATION

Federal Aviation Administration

14 CFR Part 39

[Docket No. FAA-2006-29010; DirectorateIdentifier 2005-SW-02-AO; Amendment 39-14998; AD 2007-06-151

RIN 2120-AA64

Airworthinesa Directives; EurocopterFrance Model AS350B, ASUOB1,AS350B2, AS35OB3, AS35OBA,AS3SOC, AS35OD, and ASMS00IHelicopters

AGENCY: Federal AviationAdministration, 1OT.

ACTION. Final rule.

SUMUARY: This amendment adopts anew airworthiness directive (AD) for thespecified Eurocopter France(Eurocopter) model helicopters thatrequires replacing a certain hydraulicdrive belt (drive belt). Also required isreducing the lubrication time intervalfor a certain hydraulic pump drive shaft(drive shaft). This amendment isprompted by in-flight failures of thedrive belt and the drive shaft. Theactions specified by this AD areintended to prevent In-flight failure ofthe drive beft or drive shaft, loss ofhydraulic power to the flight controlsystem, and subsequent loss of controlof the helicopter.DATES: Effective April 23, 2007.A1DRESSES; You may get the serviceinformation identified in this AD fromAmerican Eurocopter Corporation, 2701Forum Drive, Grand Prairie, Texas75053-4005, telephone (972) 041-3460,fax (972] 641-3527.

Examining the Docket: You mayexamine the docket that contains thisAD, any comments, and otherinformation on the Internet at http://dma.dor~gov, or at the DocketManagement System (DMS), U.S.Department of Transportation, 400Seventh Street, SW., Room PL-403, onthe laza level of the Naself Building,Washingoi, DC.FOR FURTHER INFORMATION CONTACT: GaryRoach, Aviation Safety Engineer, FAA,Rotorcraft Directorate, Regulations andGuidance Group, Faot Worth, Texas76193-0111, telephone (817) 222-5130,fax (817) 222-5961.SUPPLEMENTARY INFORMATION: Aproposal to amend 14 CFR part 30 toinclude an AD for the specified modelhelicopters was published in theFederal Register on June 30, 2006 (72FR 37515). That action proposed torequire the following:

* At or before the next 500-hour time-in-service (TIS) inspection, replacingthe drive belt with an airworthy drivebelt that is not included in theapplicability of this AD, and

o Within 110 hours TIS or at the nextscheduled lubrication Interval for thedrive shaft splines, and thereafter atintervals not to exceed 110 hours TIS ora months, whichever occurs first,lubricating the drive shaft splines.

Eurocoptar has issued the following:* Service Bulletin No. 63 00.08, dated

May 27, 2002, which specifies installinga poly-v type drive bolt on the drivinghydraulic pump; and

* Service Bulletin No. 2g.00.04,Revision 2. dated January 27, 2004,which specifies reducing the lubrication

MRY-11-2007 19:1?P.02~ P. 02/02

CERTIFICATE OF SERVICE

I hereby certify that, this 11 th day of May, 2007,1 caused a copy of the foregoing Petition

for Review to be served by facsimile and by first-class mail, postage prepaid, on:

Karen Cyr, General CounselU.S. Nuclear Regulatory CommissionWashington, DC 20555-0001Fax. (301) 415-3200

Attorney General Alberto R. GonzalesU.S. Department of Justice950 Pennsylvania Avenue, NWWashington, DC 20530-0001Fax: (202) 307-6777

Adina H. Rosenbaum