Introduction
A "dirty bomb" or other type of radiological dispersal device (RDD, a device for dispersing radioactive material) could contaminate several square miles of densely populated or economically critical areas, such as a key port or the center of a large city. (The amount of area contaminated would depend on many factors.) The types of radioactive material most likely to be used in an RDD are widely available. While radioactive contamination from an RDD would kill few people, many experts believe, it could render an area off-limits, perhaps for many years. That, in turn, would require a massive cleanup effort, possibly including demolition and reconstruction of buildings and streets. As a result, an RDD attack could impose tens of billions of dollars of costs from economic activity forgone, societal disruption, and cleanup and remediation.
Congress has acted in multiple ways to protect the United States against the threat of terrorists seizing radioactive material that they would need to make an RDD:
- Congress has held numerous hearings on securing and detecting nuclear and other radioactive materials, and the threat they pose.1
- The SAFE Port Act of 2006 (P.L. 109-347), Section 121 (6 U.S.C. 921) mandated that all cargo containers entering the United States through certain ports "shall be scanned for radiation. To the extent practicable, the Secretary [of Homeland Security] shall deploy next generation radiation detection technology."
- Section 501 (6 U.S.C. 591) of that act established the Domestic Nuclear Detection Office and made it "responsible for coordinating Federal efforts to detect and protect against the unauthorized importation, possession, storage, transportation, development, or use of a nuclear explosive device, fissile material, or radiological material in the United States, and to protect against attack using such devices or materials."
- Congress has funded the Global Threat Reduction Initiative of the National Nuclear Security Administration (NNSA). Among other things, this initiative secures nuclear and other radioactive material domestically and internationally.
- Congress has funded programs by the Departments of Homeland Security, Defense, State, and Energy to research, develop, procure, and operate equipment to detect nuclear and other radioactive material at U.S. and foreign ports and elsewhere.
The Nuclear Regulatory Commission (NRC) is one of several agencies playing a role in protecting the United States against an RDD attack. NRC is in charge of regulating civilian nuclear and other radioactive materials. In the wake of 9/11, it issued a series of orders to its licensees mandating steps to increase security of many types of radioactive materials. Orders are effective immediately, issued with little or no formal input from stakeholders, and apply only to licensees to whom they are issued. Because of these limitations, NRC has prepared a forthcoming new rule that it has developed with extensive input from stakeholders and that would apply to all licensees. This rule, 10 C.F.R. 37, is "Physical Protection of Byproduct Material." ("Byproduct material" includes specified types radioactive material other than uranium or plutonium as defined in Appendix A.) Combining features of the security orders, the rule would regulate radioactive material of the types and quantities that pose the greatest threat for use in an RDD. The rule will have broad impacts across the country and across most if not all aspects of industries that use radioactive material, including hospital and blood bank irradiators, industrial radiography equipment, massive facilities for irradiating certain foods and medical supplies, laboratory equipment for research into radiation and its effects, state regulators, and manufacturers, distributors, and transporters of radioactive sources. NRC anticipates that the rule will be published in the Federal Register in early 2013. It would be effective one to several years after publication; until then, the orders would remain in effect.
Congress may find this analysis of interest for several reasons: Congress attaches great importance to protecting the United States against terrorist threats; the rule will affect the many industrial, research, and medical activities nationwide that use radioactive materials, thereby affecting many constituents and raising cost-benefit issues; and there is wide concern about regulation and radiation more generally. This report analyzes the rule.
In order to analyze the rule, CRS conducted detailed telephone interviews with 14 professionals in the radiation industry.2 They include radiation safety officers—individuals responsible for the safety and security of radioactive material and radiation equipment—at large universities; industrial radiographers; state regulators; manufacturers and distributors of radioactive sources; a representative of the Nuclear Energy Institute, which describes itself as "the policy organization of the nuclear energy and technologies industry";3 and a transporter of radioactive material. These interviews—which provided the views of front-line radiation professionals—constitute the database for this analysis of 10 C.F.R. 37. They display the widespread effects of this new rule, and the widely divergent views that these professionals hold of virtually every part of this rule. At the same time, one interviewee commented, "Part 37 is a sweeping, high-impact rule that affects the entire industry"; based on their responses, most if not all interviewees would seem to agree.
Technical Background
While there had been concerns about the vulnerability of the United States to "weapons of mass destruction," or more precisely chemical, biological, radiological, and nuclear (CBRN) weapons, for many years prior to September 11, 2001, the events of that day elevated concern about CBRN attacks, especially those that might be mounted by "non-state actors" such as terrorists.
One concern is that a terrorist group might acquire and set off a radiological dispersal device, or RDD. An RDD might contaminate several square miles with radioactive material. Such material would probably result in few prompt fatalities, but could cause additional long-term cancer fatalities. Its main potential impact would be rendering key sections of a city or critical infrastructure (e.g., Wall Street, Pennsylvania Avenue, the Port of Los Angeles-Long Beach) off-limits for years, causing immense societal and economic disruption, forcing many people to relocate, and requiring cleanup that could cost billions of dollars. A "dirty bomb," in which radioactive material is dispersed using explosives, is one type of RDD, but other means of dispersal are possible, such as dropping material from a tall building on a windy day. For further information on RDDs, see CRS Report R41890, "Dirty Bombs": Technical Background, Attack Prevention and Response, Issues for Congress, by Jonathan Medalia.
Every chemical element has at least one radionuclide, or radioactive form of its atom, but only a few are of concern for an RDD. Radionuclides with half-lives of a few days or less decay quickly, reducing cleanup costs and societal dislocation. Radionuclides with half-lives of tens of thousands of years emit so little radiation per unit mass that tons might be required to emit as much radiation, per unit time, as a few grams of other materials. Different types of radiation pose different threats. Most radionuclides are rare or nonexistent in commerce. The International Atomic Energy Agency (IAEA) screened radionuclides and found 16 of particular concern.4 Appendix B shows these radionuclides. In 2004, the IAEA produced a Code of Conduct on the Safety and Security of Radioactive Sources that was intended to "serve as guidance to States for—inter alia—the development and harmonization of policies, laws and regulations on the safety and security of radioactive sources."5 It applies to specified quantities of the 16 radionuclides. A category 1 source of a radionuclide has 100 times as much material as a category 2 source, which has 10 times as much material as a category 3 source. Most category 2 quantities of the 16 radionuclides weigh a few grams or less. While the IAEA defines these categories in terms of harm to an individual, they have become the international standard for defining harmful quantities of materials meriting protection against possible terrorist use. 10 C.F.R. 37 applies to the IAEA's category 1 and 2 quantities of the 16 specified radionuclides.6
Cesium-137 is radioactive; cesium-137 chloride is of particular concern as a potential threat:
Because of its dispersibility, solubility, penetrating radiation, source activity, and presence across the United States in facilities such as hospitals, blood banks, and universities, many of which are located in large population centers, radioactive cesium chloride is a greater concern than other Category 1 and 2 sources for some attack scenarios. This concern is exacerbated by the lack of an avenue for permanent disposal of high-activity cesium radiation sources, which can result in disused cesium sources sitting in licensees' storage facilities. As such, these sources pose unique risks.7
Figure 1 shows the area that an RDD attack using 1,000 curies (about 50 grams) of cesium-137 chloride could contaminate under the specified conditions. That amount fits into a vial 2-1/4 inches high by 1 inch in diameter. For comparison, 2,700 curies of cesium-137 is a category 1 quantity and 27 curies is a category 2 quantity.
|
Figure 1. A Possible Radiological Dispersal Device (RDD) Attack on Washington, DC Using 1,000 Curies of Cesium-137 Chloride |
|
Source: William Rhodes III, Senior Manager, International Security Systems Group, Sandia National Laboratories, September 2010; analysis by Heather Pennington; graphics by Mona Aragon. Notes (provided by William Rhodes): This map, based on an atmospheric dispersion model, shows where individuals are projected to have an increased risk of developing cancers due to radiation exposure over a year or more. The RDD in this scenario uses 1,000 curies of cesium-137 chloride (about 50 grams). The model assumes that all material used is dispersed, but that it is not dispersed evenly over the area. Wind is assumed to be from west to east at 7 mph. The model includes exposure from radioactive material both deposited on the surface and resuspended into the air and inhaled. EPA and FEMA have developed Protective Action Guides (PAGs) to indicate when long-term relocation of individuals should be considered. PAGs are primarily based on an assessment of the risk of developing cancer over an exposed individual's lifetime. They assume, conservatively, that individuals are unsheltered and remain in the area during the entire period described for each contour. Contours show where individuals, if not relocated per the PAG, are projected to receive at least a specified dose in a specified time, as follows: inner contour (red), dose in first year post-attack, >2.00 rem; middle contour (orange), dose in second year post-attack, >0.500 rem; and outer contour (yellow), cumulative dose in the first 50 years post-attack. >5.00 rem. The cigar-shaped plumes often seen in models of atmospheric dispersion occur for gases or very fine particles, which would be the case for chemical warfare agents or fallout from a nuclear weapon but not in the case depicted. Whether such plumes would occur for an RDD depends on such factors as wind speed, type of explosive, and particle size. (Provided by CRS): This note compares lifetime incidence of, and deaths from, cancer to those resulting from the attack modeled in this Figure. For the United States, the lifetime risk of being diagnosed with cancer is 43.61%, and the lifetime risk of dying from cancer is 21.15%. (U.S. National Institutes of Health. National Cancer Institute. Surveillance Epidemiology and End Results (SEER). "SEER Cancer Statistics Review 1975-2007," Tables 1.14 and 1.17, http://seer.cancer.gov/csr/1975_2007/results_merged/topic_lifetime_risk.pdf.) For the 125,000 people in the affected area, the estimated lifetime incidence of cancer would thus be approximately 54,513 people, and the estimated lifetime deaths from cancer, 26,438. The attack would increase the lifetime incidence of cancer by 461 people, and lifetime deaths from cancer by 314. The figure assumes no relocation, sheltering, or decontamination. All these actions would occur in the real world, significantly reducing cancer incidence and deaths caused by the attack. This figure is from CRS Report R41890, "Dirty Bombs": Technical Background, Attack Prevention and Response, Issues for Congress, by Jonathan Medalia. |
Regulatory Background
The statute that created the Nuclear Regulatory Commission (NRC)8 made it responsible for regulating the use and protection of special nuclear material—which for practical purposes consists of uranium enriched in isotope 235 (highly enriched uranium, or HEU, and low-enriched uranium, or LEU) and plutonium—in civilian uses, but not for regulating nuclear weapons or special nuclear material for weapons use. NRC also regulates fuel in nuclear reactors, which is typically low-enriched uranium, and "byproduct material," which includes many types of radioactive material other than plutonium or enriched uranium.9 Byproduct material is widely used in medicine, industry, and research. NRC issues licenses permitting facilities (such as nuclear power plants or hospitals) or other organizations (such as industrial radiography companies that use mobile radioactive sources in the field) to possess specified quantities of radioactive material. A license is not needed to possess minute quantities of radioactive material, such as are found in home smoke detectors.
Agreement States are a central component of the nation's regulatory framework. Pursuant to the Atomic Energy Act of 1954, as amended (42 U.S.C. 2011 et seq.), NRC is responsible, with respect to radioactive material, for maintaining the health and safety of the public and the common defense and security. Section 274(b) of the act permits NRC to relinquish its authority to regulate certain types of radioactive material within their borders to states that have entered into agreements with NRC for this purpose. There are 37 of these "Agreement States."10 NRC can relinquish its regulating authority in the area of public health and safety; however, pursuant to Section 274(m) of the act, NRC cannot relinquish its regulatory authority in matters concerning the common defense and security to Agreement States. Each Agreement State regulates radioactive materials within its boundaries, which can include most medical, academic, and industrial uses of byproduct material. Agreement States do not regulate commercial nuclear power plants, research and test reactors, and facilities that are part of the nuclear fuel cycle.
In the wake of the 9/11 attacks, NRC issued orders to its licensees to enhance the security of radioactive materials. These orders went, among others, to licensees of large irradiators, manufacturers and distributors of radioactive material, and certain transporters of radioactive material, as detailed in Appendix C. An "Increased Controls" (IC) order went to other licensees authorized to possess specified quantities of certain radioactive material.
In the Federal Register of June 15, 2010, NRC solicited comments for a proposed rule, "Physical Protection of Byproduct Material," that would incorporate and modify previous security orders as 10 C.F.R. 37.11 The proposed rule would deal with "the security requirements for use of category 1 and category 2 quantities of radioactive material."12 NRC approved the rule in March 2012 and sent it to OMB for its review in July. NRC anticipates that the rule will be published in the Federal Register in early 2013.13 For states regulated by NRC, the rule will become effective one year after it is published in the Federal Register. For Agreement States, the rule will take effect two years later. Once NRC and the Agreement States implement the rule, NRC and, when appropriate, Agreement States will rescind the various orders the rule replaces.
There are several differences between an order and a rule. An order can be effective immediately. The rulemaking process may take years, as it involves issuing a preliminary draft, soliciting comments, in some cases obtaining approval from the Office of Management and Budget, and a waiting period before the rule takes effect. An order that addresses an urgent situation, such as for post-9/11 security, may have little or no feedback from stakeholders, while a rule, such as 10 C.F.R. 37, entails extensive feedback, often with hearings, working groups, and lengthy correspondence. Orders apply only to current licensees; having an order apply to future licensees requires notifying them individually that the order applies to them. In contrast, a rule applies to current and future licensees. An order and a rule both have the effect of law. NRC wanted to replace its orders with a rule for various reasons:
The orders issued by the NRC could stay in place indefinitely. However, the regulations would not reflect current Commission policy or requirements. Imposing long-term requirements through orders has not traditionally been the agency's preferred method of regulation. Orders, unlike rules, do not apply prospectively to applicants for new licenses. The NRC would have to periodically issue new orders to cover new and amended licenses. In order to make the requirements generally applicable to all present and future licensees, the security-related requirements need to be placed in the regulations. In addition, notice and comment rulemaking allows for public participation and is an open and transparent process.14
The rule makes many changes as compared to the orders, such as requiring individuals already deemed trustworthy and reliable (T&R) to complete certain security training, requiring a personal history disclosure, and requiring each licensee to "review the access program content and implementation" at least once a year. NRC provides details in a 69-page table comparing the rule and orders.15
NRC's policy is to publish an implementation guidance document in the Federal Register when, or shortly after, it issues a rule. Such documents provide details (often in the form of questions and answers) on how licensees are to implement a rule. The guidance, unlike a rule, is not mandatory, and licensees may find other ways to implement a rule, but guidance shows what NRC finds acceptable. NRC issued draft guidance in June 2010 for 10 C.F.R. 37;16 however, there have been many changes to the rule since then, so there will be many changes to the final guidance document as well.
10 C.F.R. 37: Summary and Comments
10 C.F.R. 37 is included in an NRC document.17 It is divided into six Subparts (with a seventh, Subpart E, reserved) and an Appendix. This part of the report comments on selected sections of Subpart A (General Provisions), B (Background Investigations and Access Control Program), C (Physical Protection Requirements During Use), and D (Physical Protection in Transit). Comments are based on interviews with radiation professionals. Two striking features of the interviews are the extent to which there is a diversity of views on almost every issue raised, and the many ways in which the rule impacts the radioactive-materials industry. Subparts F (Records) and G (Enforcement) and the Appendix (Category 1 and Category 2 Radioactive Materials) are brief and straightforward, so are not discussed here.
Subpart A: General Provisions
Section 37.1, Purpose: The purpose of the rule is to "provide the requirements for the physical protection program for any licensee" possessing certain quantities of certain radioactive material in order to "provide reasonable assurance of the security" of this material. While an RDD attack using less than a category 1 source of material could impose costs of billions of dollars in lost productivity and remediation, the requirements seek to provide only "reasonable assurance of the security" of such material. Issues are whether this standard is high enough and, conversely, what would be the cost vs. benefit of imposing a higher standard.
Section 37.5, Definitions: Two definitions are of particular interest. (1) The rule provides a complex technical definition of "byproduct material," which is what the rule protects. In brief, the term refers to various categories of radioactive material. Appendix A provides the complete definition.
(2) NRC states that "trustworthiness and reliability," or T&R, "are characteristics of an individual considered dependable in judgment, character, and performance, such that unescorted access to category 1 or category 2 quantities of radioactive material by that individual does not constitute an unreasonable risk to the public health and safety or security." Note that the T&R definition is subjective, and requires the person or persons making the T&R adjudication to decide if an individual is "considered" "dependable in judgment, character, and performance," and if unescorted access to certain radioactive material by that person "does not constitute an unreasonable risk to the public health and safety or security." Since it is up to each licensee to formulate its own criteria for adjudicating T&R, that approach inevitably results in non-uniform criteria, so that an individual might be granted T&R status by one licensee and not by another.
An issue is whether it is reasonable to expect persons without extensive training in deciding whether or not someone is a security risk, such as radiation safety officers (RSOs)18 or human resources (HR) personnel, to make such determinations, and if such persons can do so reliably. Opinion on the part of radiation professionals varied widely on this point. An RSO at a large university said, "the idea that any university could determine if someone is a terrorist is silly. Universities are not set up for that." An RSO at another large university described a process in which an outside personnel security firm, for $125, runs background checks on individuals seeking T&R status. The firm gives its findings to university HR personnel, who say that they have no question about their ability to review T&R candidates because that is part of their job. The RSO then makes the final adjudication. An Agreement State director felt that licensees are best positioned to adjudicate T&R because they know their employees well, "so they can evaluate their character more easily and accurately than someone in [his state's capital] or Washington." He emphasized that the ability of small licensees to judge T&R is critical because a single misjudgment could cause major problems for the company, if not result in its end. Yet another university RSO felt, "having a federal agency make T&R adjudications would eliminate bias, as the adjudicators would not know the individuals being submitted for T&R."
Section 37.13, Information collection requirements: OMB approval: The rule imposes many such requirements. Some radiation professionals stated that 10 C.F.R. 37 placed a much more extensive burden of information collection on them than did the IC order; some felt otherwise.
An RSO at a large university:
10 CFR 37 is very administratively driven. There are a great many administrative requirements, such as for record-keeping, written security plans, and a requirement for annual reviews of these plans. Some of these are excessive, but we agree with other parts of 10 CFR 37.... Regarding the security plan that the new rule requires (§37.43), we didn't write the plan under the orders because anything we documented would have to be protected, and it's very difficult to impose document security on a university campus. A concern is that writing a detailed security plan creates a vulnerability: if a terrorist gained access to it, the plan could outline the strengths and potentially weaknesses.
An RSO at another large university:
NRC doesn't typically regulate by orders to licensees but decided to do so after re-evaluating the threat environment in the wake of 9/11, I feel the orders were the best that NRC could do at the time. However, I find 10 CFR 37 too burdensome. The rule is one size fits all, which causes a lot of problems. For example, radioactive sources in medical therapy units may be hard to steal, but have the same security requirements under the rule as self-shielded irradiators, which may be easier to break into.…
Because of the difficulties of complying with the rule, I am urging researchers and users at my organizations to plan to switch to x-ray based irradiators rather than current ones that use radioactive materials. Since x-ray-based irradiators do not use radioactive material, they do not fall under the IC orders or 10 CFR 37. A blood bank I oversee plans to move to a new facility. It will replace one cobalt-60 irradiator with two x-ray irradiators; two are needed because of operational reliability issues that do not arise with radioactive material irradiators.
An Agreement State regulatory official:
I think that we are all working under what Past Commissioner McGaffigan stated was the mandate from the Commission regarding security: 'To provide reasonable assurance of adequate protection, not absolute assurance of perfect protection.' Under that premise, it is my belief that the burden or costs of implementing the previous orders or Part 37 are not too great.
Subpart B: Background Investigations and Access Authorization Program
Section 37.21, Personnel access authorization requirements for category 1 or category 2 quantities of radioactive material: Requires licensees with a certain amount of radioactive material to "establish, implement, and maintain its access authorization program." The objective of this program is to ensure that individuals with unescorted access to category 1 or 2 quantities of radioactive material and "reviewing officials" (personnel who make T&R adjudications) are T&R. There is a catch. Section 37.21(c)(3) states, "Licensees shall approve for unescorted access to category 1 or category 2 quantities of radioactive material only those individuals with job duties that require unescorted access to category 1 or category 2 quantities of radioactive material." Further, reviewing officials must be T&R. However, the Energy Policy Act of 2005 amended Section 149 of the Atomic Energy Act of 1954 to direct NRC to require that each individual who is permitted unescorted access to radioactive material as determined by NRC, or who is given access to "safeguards information," that is, information such as on security plans for protecting radioactive material, be fingerprinted, with the fingerprints submitted to the Attorney General (in effect, the FBI) for a criminal history record check. Often, however, T&R adjudications are done by human resources personnel, who do not need unescorted access to radioactive material or access to safeguards information to do their job. Yet since the law requires fingerprinting and a criminal history record check only of individuals requiring such access, some organizations have given HR staff unescorted access in order to enable them to be fingerprinted. One university solved this dilemma by granting HR staff unescorted access but not giving them the requisite key card that would give them physical access! One individual expressed a need for NRC to seek to have the law changed to avoid this dilemma. Another university RSO saw an imbalance between T&R and physical security:
In general, I believe that limited funds should be spent more to augment physical security, especially internally to the devices, and less on T&R. Indeed, by spending more on physical security, there is less concern about T&R. If devices are made harder to penetrate, or if there are more alarms, it would be harder for anyone to steal radioactive material.
NRC staff elaborated on the link between fingerprinting and unescorted access:
Section 652 of the Energy Policy Act of 2005 (EPAct) amended Section 149 of the Atomic Energy Act of 1954, as amended (AEA). The AEA requires the NRC to fingerprint any individual permitted unescorted access to (1) a utilization facility; (2) radioactive material or property regulated by the Commission that the Commission has determined to be of such significance to the public health and safety or common defense and security as to warrant fingerprinting and background checks; or (3) is permitted access to safeguards information as defined in Section 147 of the Atomic Energy Act of 1954, as amended. The NRC does not have authority to fingerprint any other individuals.
The NRC has determined that it needs to have confidence in the integrity of the reviewing official because that official approves individuals for unescorted access category 1 and category 2 quantities of radioactive materials. Accordingly, the NRC requires that the individual be fingerprinted and undergo a background investigation and be determined to be trustworthy and reliable. However, as noted above, pursuant to Section 149 of the AEA, the NRC may only fingerprint those individuals who are permitted unescorted access to a utilization facility, certain radioactive materials or property regulated by the Commission, or safeguards information. This is why an individual designated by the licensee to serve as a reviewing official must be permitted unescorted access to category 1 and category 2 quantities of radioactive materials or to safeguards information.
The reviewing official is one of the layers for defense-in-depth of the security program. If the reviewing official is not fingerprinted, a gap could be created in the security program that could potentially be exploited. The reviewing official could have a criminal history or terrorist ties and allow other individuals with a criminal history or terrorist ties to have unescorted access to radioactive material in quantities of concern.19
Section 37.23, Access authorization program requirements: (1) States that "reviewing officials" are the only individuals who may make T&R determinations, and requires the licensee to "provide under oath or affirmation, a certification that the reviewing official is deemed trustworthy and reliable by the licensee." Not stated is how the licensee is to make this determination, and what assurance there is that licensee personnel making this determination are qualified to do so.
(2) Requires licensees to "develop, implement, and maintain written procedures for implementing the access authorization program." Each licensee is to develop its own procedures, which inevitably means that the procedures will differ from one licensee to another. Several interviewees expressed concern about this point. For example, if an individual moves from one organization to another, the first organization can transfer to the second the information on the individual's background investigation but cannot transfer its adjudication of the individual as T&R. Several interviewees stated that NRC has not developed a uniform set of standards or guidelines for adjudicating someone as T&R, and found this to be quite frustrating. A representative of the Nuclear Energy Institute said, "NRC does not want to adjudicate T&R even for difficult cases, and it has not even put out criteria that would disqualify someone as T&R even though that would be helpful. At a minimum, NRC needs to provide clear guidance on T&R to its licensees." An official at a company that manufactures and distributes radioactive sources echoed similar sentiments, and noted that the T&R requirement imposes real burdens, such as requiring the company to actively seek out references for T&R applicants who were not listed in the applicant's paperwork. This official stated, "NRC did not even provide guidelines on what factors should lead to rejecting someone as T&R."
A statement by an Agreement State regulator may help resolve the discrepancy between those saying that T&R adjudications are best done by employers but that NRC has not provided adequate guidelines for such adjudications: "The licensees begged NRC to provide T&R criteria. They asked over and over again, including for examples, but NRC wouldn't do it, though it's not clear as to why. At this point, however, licensees have so much experience in adjudicating T&R that there would not be much value added if NRC provided criteria."
Section 37.25, Background investigations: This section sets minimum requirements for a background investigation, including fingerprinting and an FBI identification and criminal history records check; verification of true identity, employment history, and education; and a character and reputation determination. Regarding the latter point, "reference checks under this subpart must be limited to whether the individual has been and continues to be trustworthy and reliable," yet it is unclear whether the references are able to judge whether the applicant is T&R. An issue is whether an applicant undergoing a background investigation would give as references individuals who would not vouch for him or her; accordingly, Section 37.25(a)(6) states, "The licensee shall also, to the extent possible, obtain independent information to corroborate that provided by the individual (e.g., seek references not supplied by the individual)." Yet one interviewee said it was very difficult to find references not listed by the applicant. A draft of the rule had a requirement for a credit check, but many stakeholders opposed that provision on grounds that a person's credit history—especially in the current economy—has no bearing on whether he is T&R. For example, a person could have lost her job, or gone bankrupt because of medical bills; such events would not indicate lack of T&R. NRC dropped that provision from the final rule.
Section 37.27, Requirements for criminal history records checks …: This section requires licensees seeking to grant unescorted access to category 1 or 2 quantities of radioactive material to individuals to fingerprint the individuals and transmit the fingerprints to NRC. NRC will then transmit the fingerprints to the FBI, which will conduct a criminal history records check. The FBI then transmits the criminal history records check to NRC, which in turn transmits it to the licensee. The licensee uses this information as part of the required background investigation to determine whether or not to grant unescorted access to the individual. Radiation professionals felt that this procedure is cumbersome; they should be able to send fingerprints directly to the FBI, and receive information directly from the FBI. Two interviewees complained that they wanted to collect fingerprints electronically rather than by using fingerprint cards, but said that they could not do so because of the rule. While Section 37.27(c)(1) specifically permits use of an electronic fingerprint scan, a university RSO said
my institutions can only use NRC fingerprint cards, at a cost of $26 per FBI background check request (if more than two cards are needed by FBI, up to an additional $52 may be required). When establishing the required fingerprinting program, I investigated use of a vendor to provide electronic fingerprinting service similar to that used by the state's Department of Elementary & Secondary Education. I ultimately learned that the NRC would only accept electronic fingerprints if sent directly from the licensee, and not a vendor (equipment like this is cost prohibitive for materials licensees). I have had several hundred people go through FBI fingerprint background checks, which is quite burdensome. Why pay NRC to be the middleman instead of going directly to the FBI? Why can't one central federal agency make these kinds of T&R adjudications?
NRC provided the following comment:
42 USC 2169 prescribes this process:
(2) All fingerprints obtained by an individual or entity as required in paragraph (1) shall be submitted to the Attorney General of the United States through the Commission for identification and a criminal history records check.
(3) The costs of an identification or records check under paragraph (2) shall be paid by the individual or entity required to conduct the fingerprinting under paragraph (1)(A).
(4) Notwithstanding any other provision of law–
(A) the Attorney General may provide any result of an identification or records check under paragraph (2) to the Commission; and
(B) the Commission, in accordance with regulations prescribed under this section, may provide the results to the individual or entity required to conduct the fingerprinting under paragraph (1)(A).
The law also permits electronic fingerprinting as follows:
d. The Commission may require a person or individual to conduct fingerprinting under subsection a.(1) by authorizing or requiring the use of any alternative biometric method for identification that has been approved by–
(1) the Attorney General; and
(2) the Commission, by regulation.
However the Department of Justice has determined that criminal history record information cannot be provided to any party other than the NRC, the licensee, or the individual that is the subject of the record. That is why the use of a third party contractor is an issue.20
Section 37.29, Relief from fingerprinting, identification, and criminal history records checks …: This section provides that individuals in 13 categories do not need to undergo these checks in order to have unescorted access. Categories include Members of Congress; employees of NRC, of the executive branch, and of Members and committees of Congress who have undergone fingerprinting for a prior U.S. government criminal history records check; federal, state, and local law enforcement personnel; state governors or their representatives; and others.
Section 37.31, Protection of information: This section requires licensees to protect personal information obtained through background investigations. It requires licensees to "establish and maintain a system of files and written procedures for protection of the record and the personal information from unauthorized disclosure." It also permits personal information to be provided to another licensee under certain conditions. While none of the interviewees expressed concern about protecting personal information, quite a few expressed concern about requirements throughout 10 C.F.R. 37 for creating and protecting written procedures. This issue is dealt with in more detail below, but this section is an example of what many interviewees saw as an administrative burden. Some interviewees also felt that it should be possible to transfer a T&R adjudication in addition to personal information. One said, "It also seems arbitrary that an employee moving to another company can have his or her background investigation data transferred to the new employer, but not the first company's adjudication of the person as T&R."
Section 37.33, Access authorization program review: Requires each licensee to "be responsible for the continuing effectiveness of the access authorization program.… The review program shall evaluate all program performance objectives and requirements." An issue is whether each licensee has the ability to review its own program, and whether it can do so objectively. This section also requires licensees to document results of the reviews and any recommendations. Further, "Each review report must identify conditions that are adverse to the proper performance of the access authorization program, the cause of the condition(s), and, when appropriate, recommend corrective actions, and corrective actions taken." This is an administrative burden imposed by the rule.
Subpart C: Physical Protection Requirements During Use
Section 37.41, Security program: "Each licensee shall establish, implement, and maintain a security program that is designed to monitor and, without delay, detect, assess, and respond to an actual or attempted unauthorized access to category 1 or category 2 quantities of radioactive material." Specific requirements are detailed, and commented on, in following sections.
Section 37.43, General security program requirements: This section requires licensees to have a security plan, implementing procedures, training, and methods to protect information. The security plan shall be written and specific to each licensee's facilities and operations. The plan shall describe measures, and identify resources, for implementation. It shall be "reviewed and approved by the individual with overall responsibility for the security program." This individual shall also approve, in writing, the implementing procedures. In an effort to ensure that this individual and others have the training and expertise necessary to determine the adequacy of the security program, this section requires "each licensee [to] conduct training to ensure that those individuals implementing the security program possess and maintain the knowledge, skills, and abilities to carry out their assigned duties and responsibilities effectively." Training must, at a minimum, include instruction in the licensee's security program, the responsibility to report to licensee conditions that may violate NRC requirements, the responsibility of the licensee to report promptly to local law enforcement actual or potential threats to category 1 or 2 material, and how to respond to security alarms. Finally, this section requires licensees to protect security-related information, such as the security plan and implementing procedures, and requires "written policies and procedures for controlling access to, and for proper handling and protection against unauthorized disclosure of, the security plan and implementing procedures."
Interviewees offered many comments on these requirements. An RSO at a university stated,
An NRC manager said NRC thinks that the new rule will not be much of a burden to licensees because they have already implemented many of the requirements in 10 CFR 37. I strongly disagree. The rule is one size fits all: security plans, training, procedures, new concepts (like security zones). There were orders, and we implemented them. After we had been inspected a few times, we were able to understand how to comply with the orders. Now with the new rule, we will have to set the rule as the new baseline. We will be reinspected against the new standards. It will take significantly more time. There are 37 Agreement States plus NRC, so there will be 38 interpretations of what the rule means. We will have to start all over again. A big problem will be the paperwork.
Regarding the requirement for a written security plan and written implementing procedures, the RSO continued,
we didn't write the plan under the orders because anything we documented would have to be protected, and it's very difficult to impose document security on a university campus. A concern is that writing a detailed security plan creates a vulnerability: if a terrorist gained access to it, the plan could outline the strengths and potentially weaknesses. It is easier for NRC to inspect a written plan than to sit down and discuss (orally) what the plan is. This puts the burden on the licensee.
An RSO at another university said,
there is a new requirement to train people every year on security. This is a large time commitment for individuals with unescorted or need-to-know access and for me as compared to the orders. For example, staff can have refresher courses in health and safety online, but security training cannot be done online because of the security nature of the material. Since the institutions for which I am the RSO have several hundred people currently granted unescorted access to category 1 and 2 material, several training sessions must be done so as to cover all the people needing training every year.
Regarding the requirement to protect information, an industrial radiographer said,
Yet another concern I have is that 10 CFR 37 requires limiting information on security to people with a need to know, but in practice information is often widely disseminated. At the steel mill, all 200 electronics technicians know that there is a storage room where spare devices are stored. Same story in a hospital, where most of the doctors and nurses know if their hospital has a gamma knife. Limiting information can be tough to implement in practice.
An official at a manufacturing and distribution company noted a disparity in regulations protecting radioactive and other material:
The nuclear industry is very heavily regulated, while other industries that pose significant health and safety risks are much less stringently regulated. For example, tanker trucks carrying large quantities of dangerous chemicals can go through large cities.
Section 37.45, LLEA [local law enforcement agency] coordination: Licensees "shall coordinate, to the extent practicable, with an LLEA for responding to threats to the licensee's facility, including any necessary armed response." Among other things, the licensee must notify LLEA "that the licensee will request a timely armed response by the LLEA to any actual or attempted theft, sabotage, or diversion of category 1 or category 2 quantities of material." The licensee shall notify NRC if an LLEA has not responded to the request for coordination within 60 days, or if an LLEA does not plan to participate in coordination.
Many interviewees reported excellent cooperation between licensees and LLEAs. An Agreement State official found that the security orders (preceding 10 C.F.R. 37) promoted working relationships:
before NRC issued its security orders, there was often not a good relationship, if any, between licensees and LLEA. The orders, which require licensees to contact LLEA to try to work out a response plan, have in many cases led to the establishment of relationships between licensees and LLEA.
Initially, he said,
regulators and licensees came to the orders with limited security real world/operational experience, but believe training, knowledge gained and partnerships formed while under the orders prepare everyone well for the implementation of 10 CFR 37. The orders and the new rule are designed to motivate the integration of LLEA, by both regulators and licensees. LLEAs bring that real world security experience to the final safety culture product.
He found LLEAs receiving homeland security grants provided by the U.S. Department of Homeland Security are more sensitized to potential threats from radioactive materials, and said, "LLEA is absolutely much more aware of the need for radioactive material security post-9/11."
A second Agreement State official found cooperation improving:
In the beginning, LLEA was not so cooperative in coordinating security plans with licensees; this was a common violation. Often, they were not interested. But as LLEA awareness of radioactive threats increased and as regulators tried to help licensees contact the right people in law enforcement, LLEA now "gets it" and wants to know if there is radioactive material in their jurisdictions.
A third Agreement State official noted that LLEAs work closely with licensees, conduct security inspections21 to facilities housing radioactive material, have alarms linked to police headquarters, and provide armed escort of radioactive material within the state's borders. Some police departments, including those in some large cities, send all their officers to Advanced Radiological Response Techniques training courses at the Y-12 National Security Complex in Tennessee. LLEAs in states such as these would give high priority to a theft of radioactive material.
On the other hand, other interviewees reported instances of noncooperation. In one case, an LLEA rebuffed repeated attempts to contact it; the interviewee found the situation "unworkable." Another said that an LLEA was unaware of the issue of radioactive material security. Further, circumstances of budget and distance may conspire to render LLEAs less cooperative than they might like to be. An Agreement State official noted this in his state, and pointed out that there is no mechanism to force LLEAs to cooperate, let alone to the extent NRC wants:
Local law enforcement agencies (LLEAs) are cooperative up to a limit. They want to cooperate but don't want to be pinned down to certain requirements, such as responding within [a specified time]. NRC would like the theft of a radioactive source to be high on the LLEA priority list, but that probably won't happen. Some state troopers cover several hundred miles on their routes. If an event happens at one end of their route, it's unrealistic to expect them to drop everything and rush to the other end in [a specified time]. LLEA is committed to assisting if feasible, but if there's a bank robbery or other emergency situation, should they disregard it to respond to a radiological event? They need to make a choice. As a regulator, neither the NRC nor the Agreement States have any control over LLEA. Licensees also have no control. They try to get LLEA to participate, and document their efforts to do so.
Security 37.47, Security zones: Licensees shall ensure that category 1 and 2 materials are within security zones established by the licensee. Security zones shall allow unescorted access to approved individuals in several ways: (1) "Isolation of category 1 and category 2 quantities of radioactive materials by the use of continuous physical barriers that allow access to the security zone only through established access control points. A physical barrier is a natural or man-made structure or formation sufficient for the isolation of the category 1 or category 2 quantities of radioactive material within a security zone." (2) By direct control of the security zone, or (3) by both methods.
There are potential issues with the isolation approach. First, the definition is tautological: isolation is to be achieved by use of barriers sufficient for isolation. Second, there is no requirement for the amount of control, if any, that must be present at an access control point. In particular, would it be vulnerable to an armed attack by terrorists?
An industrial radiographer said,
10 CFR 37 will be burdensome in terms of cost and what it requires. I am particularly concerned about security zones. Most of my clients are in industries, such as steel and petrochemicals, and use radioactive sources in the form of gauges, such as to measure thickness of steel or flow of chemicals.
He noted that a steel mill inherently has many features that would make it exceedingly difficult for terrorists to steal radioactive sources, and security devices such as alarms and cameras.
The security features already in place should be sufficient to keep people from gaining unauthorized access to the material. It seems excessive to require the licensee to set up a security zone, which is a barrier that absolutely prevents people from getting to that area. It is even more burdensome for licensees if the security zone extends well beyond the gauge itself.
An Agreement State official said, "The rule establishes security zones, which are not in the [Increased Controls order] and are confusing to the Agreement States as to where a zone must be established. Licensees will have to learn about establishing these zones."
On the other hand, another Agreement State official is pleased that the rule is not overly prescriptive, that is, that it does not specify in minute detail what must be done. As a result, the rule "leaves us a lot of room to work. For example, not telling me how to do security zones is fine."
Section 37.49, Monitoring, detection, and assessment: "Licensees shall establish and maintain the capability to continuously monitor and detect without delay all unauthorized entries into its security zones." In contrast to much of the rest of 10 C.F.R. 37, this section is prescriptive and detailed. Examples of methods for monitoring and detection include a monitored intrusion detection system linked to a central monitoring facility, and a monitored video surveillance system. Licensees must also be able to detect unauthorized removal of radioactive material from the security zone. For category 1 material, this can be achieved by electronic sensors linked to an alarm or direct visual surveillance. For category 2 material, it can be achieved by weekly verification through physical checks. Specified other means for monitoring and detection may also be used. The section also requires immediate assessment of actual or attempted unauthorized entry; maintenance of communication and electronic data transmission, including an alternative communication capability; and requesting an armed response by an LLEA involving theft, sabotage, or diversion of category 1 or 2 materials.
Some interviewees were unsure how many, and what types of, security features they needed to install in order to satisfy these requirements. Others consulted security professionals who designed security systems for their facilities. Many felt that NNSA's Global Threat Reduction Initiative, described below, was important in helping them set up a security system.
An industrial radiographer expressed concern about the requirement for a weekly inventory of category 2 sources:
the rule takes us from a quarterly inventory of sources to a weekly inventory. On the surface, this is not a bad idea. For me, this is not a problem because most of my sources come back each night, and there is a benefit of source security, which is a top concern for us. But [another] company … works in all 50 states and its sources do not return to a centralized location. This provision of Part 37 is a nightmare for them, imposing a huge logistical burden.
The requirement for weekly verification of category 2 sources to ensure that the material is present is found in 10 C.F.R. 37.49(a)(3)(ii). NRC notes that the Increased Controls order does not require a quarterly inventory of category 2 sources.22
An official with a company that manufactures and distributes radioactive sources expressed a similar concern:
One example of the burden is a requirement to do a weekly check of all sealed radioactive sources. This may be workable for a company with a few dozen sources, but [our company] has thousands of sources. It would be impossible to check them all each week, and someone doing the checking would receive too much radiation exposure.
A university RSO favors the British model for deciding on the adequacy of physical protection measures:
In discussions with colleagues from Great Britain, all hospital security plans are centrally reviewed by a police agency PRIOR to paying for the new equipment or installations. Therefore, there is agreement between groups of the necessary security before any money is spent. While not every site is the same and some flexibility is required, it would be really nice to know if the systems being paid for will be deemed adequate before they are installed.
NRC notes that the U.S. procedure is different. Rules are printed in the Federal Register. NRC issues a guidance document to accompany each rule, and prints a notice of availability of this document in the Federal Register. The rule and notice are often, but not always, printed in the Federal Register at the same time. The guidance document, while not mandatory, provides detailed questions and answers on what constitutes compliance. The appropriate regulatory authority—NRC or an Agreement State—does not approve the licensee's security measures in advance. Once the measures are in place, regulators inspect the facility to determine whether they meet the requirements of the rule. Since the guidance is not mandatory, licensees may adopt other approaches that they believe to be acceptable ways of complying with the rule. The authority would then inspect the facility once the measures have been implemented to ensure that the approach, as implemented, complies with the rule.23
Section 37.51, Maintenance and testing: Licensees shall maintain physical components of the security systems, and shall test them at the frequency the manufacturer suggests. If there is no such suggestion, the frequency shall be at least once every 12 months. The RSO at a large university found this requirement problematic:
An earlier version of Part 37 required quarterly testing of alarms, or as recommended by the manufacturer. Quarterly was too frequent because of the number of alarms and the amount of documentation. Some items can break or be knocked out of alignment if tested, such as magnetic door position switches. And some plastic access controls can be damaged during disassembly to test the internal tamper alarm. These really do not have any method for breakage so they don't really need to be tested. Furthermore, testing can be complicated, as it sends alarms to police, distracting them from their work. Section 37.51 of the final rule calls for testing in accordance with the manufacturer's recommendation, and if no recommendation then at least every 12 months. One manufacturer states: "This security system requires very little maintenance, however, test the system weekly to ensure it is working properly" The company then goes on to offer to sell the testing service to the customer.… Thus, the change in the final rule is not an improvement. In some circumstances it requires much more frequent testing than the Draft Part 37 required.
The RSO suggested an alternate wording: "The equipment relied on to meet the security requirements of this part must be inspected and tested for operability and performance at least annually."
Section 37.53, Requirements for mobile devices: Licensees with mobile devices containing category 1 or 2 quantities of radioactive material must "have two independent physical controls that form tangible barriers to secure the material from unauthorized removal." None of the interviewees expressed concern about this provision. Security of mobile sources has not been a problem. An industrial radiographer said,
Up until 2011, no one had stolen a source, though people occasionally stole trucks that incidentally had small radioactive sources on them. Last year, a radiography camera was stolen in Texas and was never recovered. However, since its radioactive material was iridium-192, with a half-life of 74 days, over 99 percent of that radionuclide will have decayed in about two years. That source, 33 curies of Iridium 192, would be approximately 2 curies now, so this clearly was not a theft for terrorist purposes.
Section 37.55, Security program review: Licensees shall ensure that the security program is reviewed, at least annually, with the results and recommendations documented, and shall take actions to correct adverse conditions. An RSO at a large university found some administrative requirements to be excessive, but an RSO at another large university found the burden worth the effort:
At first glance, 10 CFR 37 appeared to impose additional burdens compared to the Increased Controls Order. For example, it required security system reviews each quarter and a performance review every year. Despite the burden, … the university police department mandated these periodic security system reviews two years ago. The university police has experts in security, security systems and a capable police force, so their judgment on security matters is well-respected in the local law enforcement authority (LLEA) community. The security reviews have proven to be of great value.
Section 37.57, Reporting of events: Section 37.57(a) requires licensees to immediately notify LLEA of actual or attempted theft, sabotage, or diversion of category 1 or 2 material, and also to notify NRC within four hours of discovering such event. Section 37.57(b) requires licensees to assess suspicious activity of this nature, notify LLEAs as appropriate, and also notify NRC within four hours of notifying LLEAs.
There was one comment on this latter provision. An RSO at a large university had an experience in which these requirements were excessive:
An unknown State Police Officer in uniform in his private car drove up to our reactor and requested admittance (wearing a side arm). This was very suspicious. The LLEA was notified. The LLEA sergeant responded very quickly. He knew the individual, a State Police captain. The State Police captain promised to NEVER do that again. According to §37.57 of the final rule, I must still notify the NRC within four hours.
The RSO feels that the rule should offer some flexibility as to what incidents to report. If an event occurs that initially appears suspicious but proves not to be, there should be no requirement to contact NRC. NRC comments that there is no requirement to notify NRC if, after assessing the situation, the licensee determines that there is no need to contact an LLEA. The licensee only needs to contact NRC about suspicious activities if it has contacted an LLEA.24
Subpart D: Physical Protection in Transit
Comments in this section are mainly from a shipper of radioactive materials. A key assertion he makes, not reflected in a section-by-section analysis of Subpart D, is that Subpart D should have been placed in Title 49 of the U.S. Code (transportation) rather than in Title 10 for the following reasons:
the Agreement States will have some flexibility in how they implement the Part 37 requirements. This flexibility may result in Agreement State implementation of Part 37 Subpart D regulations in a manner that would otherwise result in preemption if the regulations were contained in Title 49. For example in the early 1990's the State of Washington attempted to establish highway routing restrictions for radioactive materials that limited the locations that trucks hauling radioactive material could enter the State. This regulation was preempted by the DOT under the dual compliance and obstacle tests, reference 58 FR 31580. My concern is that given the pre-planning and coordination requirements contained in Part 37 Subpart D, an Agreement State could effectively restrict the routing of radioactive materials through the State. Another concern is that states may charge unreasonable fees for transporting category 1 and category 2 materials through the state, in these cases the NRC cannot challenge the fees, but the DOT could. Differences in escorting and vehicle inspections requirements could also place undue burdens on the shippers and carriers of category 1 and 2 quantities of materials. Generally speaking, when transportation requirements are set by many regulators and by federal interstate commerce rules as well, compliance with transportation regulations can become very complicated.
Section 37.71, Additional requirements for transfer of category 1 and category 2 quantities of radioactive material: Licensees transferring such material shall verify that the recipient's license authorizes receipt of the material. "In an emergency where the licensee cannot reach the license issuing authority and the license verification system is nonfunctional, the licensee may accept a written certification by the transferee that it is authorized by license to receive the type, form, and quantity of radioactive material to be transferred.… The certification must be confirmed by use of the NRC's license verification system or by contacting the license issuing authority by the end of the next business day." A shipper found it generally straightforward to verify the recipient's license, and noted that, in his experience, the emergency provision did not come into play:
§37.71(c) provides an alternative method for obtaining permission in an emergency situation, but I don't know when that would arise. We haven't had that happen. We typically plan category 1 shipments months in advance; sufficient advanced planning is associated with category 2 shipments as well.
Section 37.73, Applicability of physical protection of category 1 and category 2 quantities of radioactive material during transit: This section refers licensees to at least 44 provisions of 10 U.S.C. 37 and 71. Some apply to imports and exports, others apply to category 1 or category 2.
A potential issue is the degree of complexity of complying with the many provisions referenced in this section. A shipper felt that it was not difficult to comply with the provisions of Subpart D because his company had to implement many of these provisions as a result of previous NRC orders, notably for radioactive material quantities of concern (RAMQC).25 He said,
Subpart D does not add burdens beyond the existing NRC orders. There are minor things, such as updating the transportation security plan, and developing procedures to ensure compliance with the regulation but these are administrative activities that we do not consider burdensome because the Part 37 requirements for route notifications, estimation of when a shipment is going to cross state borders, delivery time, revised delivery time if there are changes, and so on are already in the RAMQC order.
Section 37.75, Preplanning and coordination of shipment of category 1 or category 2 quantities of radioactive material: Licensees planning to transport, or to have transported, category 1 material shall conduct detailed preplanning and coordination of the shipment with the recipient, and any state through which the shipment will pass, identify safe havens along the planned route, and document these activities. Requirements for category 2 shipments are less stringent. As noted under Section 37.73, the shipper did not consider these requirements burdensome because they are already in the RAMQC order. According to NRC, "A safe haven is a readily recognizable and readily accessible site at which security is present or from which, in the event of an emergency, the transport crew can notify and wait for the LLEA. The NRC expects safe havens to be identified and designated by the licensee."26 However, the shipper noted that NRC "provides for safe havens, but doesn't provide a list of safe havens. It is up to us to identify safe havens."
Section 37.77, Advance notification of shipment of category 1 quantities of radioactive material: Licensees planning to ship category 1 material shall provide advance notification of the shipment to NRC and the governor, or the governor's representative, of each state through which the shipment will pass, using procedures this section details.
Section 37.79, Requirements for physical protection of category 1 and category 2 quantities of radioactive material during shipment: This section spells out requirements for shipment by road and rail in great detail. For example, a licensee transporting category 1 quantities of material by road shall ensure that movement control centers and redundant communications are established, and that shipments are "continuously and actively monitored by a telemetric position monitoring system or an alternative tracking system reporting to a movement control center." For shipments of category 1 quantities of material by rail, the licensee shall "ensure that rail shipments are monitored by a telemetric position monitoring system or an alternative tracking system."
While shipment by truck entails a driver in close proximity to the radioactive material, that is not the case for rail shipments. In theory, this might constitute a vulnerability. In practice, however, the shipper said that this section "provides for security of transportation of category 1 and 2 radioactive material by rail, but I don't know of any instances where such material is transported by rail." The shipper also noted that Section 37.79 does not address shipments by air for imports or exports of radioactive material. "Part 37 applies to the domestic portion of the highway (or rail) shipment, so once we deliver the shipment to the airport we are relieved of the transportation security burden." In contrast,
Imports and exports by sea are much more difficult because we have to coordinate the arrival or departure of our shipment with the arrival or departure of a ship. This is difficult because ships may encounter delays enroute. We planned an export to South Africa, to be carried on a ship from Baltimore. The ship was delayed for 48 hours. The port would not accept the material, so the truck, with its two drivers, had to wait at a truck stop. If we could have delivered the material to the port, we would have been in compliance with the NRC order, and the port would have been much more secure than the truck stop.
Section 37.81, Reporting of events: The licensee doing the shipping shall notify LLEA and NRC within one hour of determining that a shipment of category 1 material is lost or missing, and shall notify NRC within four hours if category 2 material is lost or missing, as detailed in this section.
Additional Comments
Discussions with radiation professionals yielded comments on several topics that are not directly a part of 10 C.F.R. 37 but are related to it. They are discussed here because they add insight into how radiation professionals view, and are affected by, the new rule. This section presents views—often, contending views—on each of several topics from various radiation professionals.
The Rulemaking Process
The transition from security orders to a rule: Opinions differed on whether the orders should have been left in place, or should have been codified into a rule and subsequently modified, or combined into a new rule. A university RSO said:
NRC says it is incorporating lessons learned in the rule, and that it issued orders because it had to get them out quickly. But if the orders provide adequate security, why not codify the orders and modify them later as needed? NRC is making fundamental changes to the orders in 10 CFR 37, with additional requirements and burdens for licensees. If the Orders were adequate, why change?
A Nuclear Energy Institute representative said,
NEI's view is that NRC should have codified the security orders, and then done a careful analysis of enhancements beyond the orders, including vulnerability assessments.
An industrial radiographer said,
To comply with the new rule, plans will have to be changed, and people covered by security orders will have to be retrained to the new terms. This will impose a financial burden on licensees, but without benefit. One of my clients is pulling his hair out because of the added burden. His feeling is that his organization has a good program, it has been inspected three or four times, and everything is up to snuff. Why change it? NRC should have simply codified the orders and then changed them as necessary.
According to an Agreement State official,
Initially, most Agreement States would have preferred to simply codify the security orders. The new rule, however, is a consensus of Agreement State and USNRC ideas learned from experience while using the orders. A rule established and enhanced from experience would seem to have a better foundation than orders issued to address an immediate security need. The new rule also combines all security rules into one regulation. It is more efficient for regulators and the regulated community.
A university RSO favored a new rule, but finds it essentially a codification of the orders. He
likes the fact that 10 CFR 37 combines multiple orders into one new part of 10 CFR rather than codifying the orders as they were. Having them all in one place makes it easier to follow than if a licensee had to look in multiple orders, revisions to orders, Q&A, revisions to Q&A, etc. In effect, by combining the orders and adding material, NRC codified them.
An Agreement State official pointed to another reason to have a rule rather than orders:
My legal staff is of the opinion that it is easier to conduct enforcement of a rule than of an order. Specifically, the staff says, if a licensee violates a rule, the state is in a stronger position in a court case than if the licensee violates an order.
How well did NRC conduct the rulemaking process? Radiation professionals had mixed views on this point. Some found NRC to be responsive, others did not. An industrial radiographer:
When [the Increased Controls order] was being crafted, it included a lot of provisions that wound up being jettisoned because of strong opposition. NRC included many of those items into a draft of Part 37 and, not surprisingly, they met with strong opposition. I and others testified before NRC on these points, and NRC accepted much of what we told them. But most of the industry didn't know about the draft Part 37 until very late. NRC could have sent notices to all its licensees, or to the Agreement States. I didn't see a strong NRC effort to pull in the stakeholders.… I give kudos to the NRC for listening to the users and adjusting the regulation in response to our comments. I strongly believe that input from the "experts" in the field, i.e., the end users, should have a large part in regulatory affairs as it is those in the field that see the real impact of regulations.
A Nuclear Energy Institute representative:
The current security orders include security requirements based on vulnerability assessments. NRC says it used lessons learned from implementing the security orders, but concedes that it had not done vulnerability assessments in preparing the rule. Without the assessments, the justification for the enhancements and inclusion of some categories of licensees is unclear.… NRC issued security orders for panoramic and underwater irradiator licensees and for manufacturer and distributor licensees, and increased controls for other licensees. Each order provided separate requirements for each type of licensee. Licensees have been operating within the security orders. NRC merged the three sets of requirements and imposed this merged set on every licensee, including nuclear power plants and licensees operating other parts of the nuclear fuel cycle. As a result, the rule is quite complicated. It would have been better if NRC had codified the orders and made revisions later in a risk-informed manner, as necessary, based on objective vulnerability assessments.
An official of the Conference of Radiation Control Program Directors:
CRCPD had serious concerns on the draft rule but the concerns have been removed. For example, NRC removed the requirement to check credit history as part of T&R; CRCPD felt that credit checks do not give good information and that other tools were sufficient.
An Agreement State official:
The state members of the rulemaking working group kept asking NRC if there was some particular threat, and if so, shouldn't they tailor the rule to the threat and the users. NRC did not provide an answer. As a result, the rule has overkill in terms of the level of security.
Another Agreement State official:
[Agreement State representatives] worked closely with NRC to develop the rule. We were co-regulators and had a good partnership with NRC. For example, we were involved in developing parts of the rule concerning fingerprinting and reviewing officials. We feel that the [Increased Controls order] and the rule provide reasonable assurance—not certainty—about the security of radioactive material. We are quite satisfied with the rule, and were able to get our input in; it was an excellent experiment in rulemaking. We feel that the rule is pretty clear.
NRC offered rebuttals to several of the foregoing comments. They are assembled here:
(1) The ICs themselves were not revised. NRC used stakeholder comments to develop the guidance document accompanying the ICs.
(2) The NRC conducted a number of outreach activities for the rule. First, the technical basis for subpart D was placed in the Federal Register for public comment. Three public meetings were held to receive comments. Second, the preliminary draft language for subparts B, C, and D were placed in the Federal Register for comment. Third, the draft final rule and guidance were placed in the Federal Register for comment. The comment period lasted for more than six months. By letter dated June 15, 2010, the NRC sent notification to every licensee that received an NRC order and everyone that commented on the preliminary rule language that the proposed rule was available for public comment (and enclosed a copy of the Federal Register notice that contained the proposed rule); the notice also provided information on the guidance document and the public meetings (2) that were planned on the guidance. The NRC also provided a copy of the letter to the Agreement States for their use and information. Many of the Agreement States provided the information to their licensees.
(3) While NRC did not perform a new vulnerability assessment in preparing the rule, the original vulnerability assessment provided security enhancements that are applicable to both the ICs and Part 37.
(4) All Orders were essentially the same. They all contained requirements to 1) control access, conduct trustworthy and reliable determinations, 2) detect, assess, respond to unauthorized access, and 3) transportation security requirements. The performance based nature of the Orders and 10 CFR Part 37 allows licensees to tailor their security plan to their specific situation. The main difference is the Orders before the ICs had specific timelines. The timelines were and have been replaced by "immediate" and "without delay."
(5) It was stated many times throughout the rulemaking process that the NRC does not have specific threat (organization, place, or time). It was stated that there is a general threat meaning that there is intelligence to indicate that groups are interested in using radioactive material in a terrorist attack.27
Characteristics of the Rule
Should there be a design basis threat? NRC uses a design basis threat (DBT) to define the type of threat that a facility, such as a nuclear power plant, must be able to counter. Radiation professionals interviewed for this report had mixed views on a DBT for radioactive materials. Some felt a DBT would have been inappropriate or unworkable; one felt the rule should have had a DBT to indicate what is required; another felt that NRC has specified the threat clearly; and one noted that having a DBT for less-than-huge quantities of radioactive material would imply that there should be a DBT for chemical tanker trucks and other potential hazards.
An industrial radiographer pointed to difficulties with a DBT:
The regulation is right not to specify a design basis threat (DBT). I'm aware of one source that has been stolen in the past 20 years. Should I hire people with M-16s to guard each of my radioactive sources? What level of security is needed? We do want operational security, but can't bust the bank for it.
A university RSO also pointed to difficulties:
Requiring a licensee to develop a design basis threat would not work. How would a licensee know and guard against the DBT for each different Category 1 or 2 device? Requiring armed guards at every irradiator or other source would put research and medical licensees out of business for use of these devices. Also, if information on a DBT leaked out, it could reveal to terrorists what sort of attack was being defended against, and would imply that a somewhat greater threat would succeed.
An RSO at another university felt that the rule should have had a DBT:
there is no design basis threat or discussion of adversary capabilities provided to the licensee. Without a common security education, each site will develop their security in accordance of their understanding of the regulations AND their guess of the potential threat. This variation in security implementation combined with the variation in inspection practices will produce widely varying security levels and practices.
An Agreement State official felt that a DBT could not have been tailored to each facility's characteristics:
I don't think there has to be a design basis threat (DBT) for each facility. When people look at a facility to see how to harden it, they are in effect doing a DBT, as they are looking for vulnerabilities specific to each room. The [city] Police Department conducts security inspections of facilities.… In my experience, when an organization needs to design a security system, RSOs consult with security professionals. This approach guards against a plausible threat that is specific to each room or facility, rather than a DBT. This is a better approach.
NRC commented, "The LLEA does not have the authority to conduct security inspections of the licensees under either the orders or the Part 37 rule."28
A university RSO maintained that NRC has clearly stated the threats that must be countered even without specifying a DBT:
The rule does not specify a design basis threat but NRC has clearly communicated what a security program needs to do, potential scenario and the timeframes in which a police response is required.… the NRC has included security assessments into the Increased Controls Orders and the new 10 CFR 37. Even without prescribing a DBT for materials licensees, [the RSO] believes that NRC has been crystal clear in what threats must be countered … [and] does not see the need for additional guidance or a DBT.
An Agreement State official found a DBT inappropriate for most licensees, and questioned what other potential threats might require a DBT if one were set for most radioactive sources:
A Design Basis Threat (DBT) is easy to construct for a nuclear power plant. There could be a DBT for a panoramic irradiator (with perhaps hundreds of thousands of curies) or for manufacturers and distributors of radioactive material, but it's not plausible to apply a DBT to other radioactive sources. Licensees having few employees and modest amounts of radioactive material could not handle a DBT. Terrorists could seize such sources, or mobile sources. But they could also attack tanker trucks carrying chlorine or gasoline, many of which are on the roads; should there be a DBT for them, too?
Is the rule too prescriptive, or too performance-based? A difficult issue in formulating 10 C.F.R. 37 was striking the right balance between a performance-based vs. a prescriptive rule. The former would specify the desired result; the latter, how the result is to be achieved. A performance-based rule would specify what a program must be able to do, such as detecting attempted theft of radioactive material and summoning a prompt police response, while leaving to each licensee how to accomplish these tasks. In contrast, a prescriptive rule would specify in detail what constitutes adequate security, such as having an iris scanner for access control and a TV camera and radiation monitor with direct links to the police central alarm station. In general, radiation professionals felt that the rule strikes the right balance, and noted that a companion "implementation document," to be issued by NRC along with the final rule, will provide more details on what NRC views as constituting compliance. Closely related is the question of whether the rule is "one size fits all," that is, does not make allowances for differing types of licensees holding vastly different quantities of radioactive material under differing security conditions. There were several criticisms of the rule on this point.
GAO, in testimony of March 2012, found the security orders to be performance-based, resulting in uneven levels of security from one facility to the next.
NRC's security order and implementation guidance are broadly written and do not prescribe the specific steps that licensees must take to secure their sources. Rather, they provide a general framework for what constitutes adequate security practices.… It is up to the licensee to determine, for example, if security cameras are necessary or what types of locks or alarms are needed to secure doors or windows.…The ability to tailor security to a facility's needs and resources is particularly important for commercial facilities with limited resources. For example, officials from smaller medical facilities told us that implementing specific security requirements—such as cameras and other surveillance equipment—could jeopardize their continued operations because of the costs associated with this equipment. NRC officials told us that given factors such as diverse economic conditions, facility type, layout, and operations of facilities, a "one size fits all" approach is neither practical nor desirable.
We found that the NRC controls have been implemented in a variety of ways in the hospitals and medical facilities we visited.… At some locations, the controls resulted in significant security upgrades, such as the addition of surveillance cameras, upgrades to locks on doors, and alarms. In contrast, we observed minimal security in other facilities.29
The radiation professionals interviewed for this report felt that the diversity in types of organizations that use radioactive materials made a prescriptive approach impossible to implement by regulation, though the implementation document will help clarify what constitutes compliance with a performance-based regulation. Some felt that the rule is one size fits all, despite what NRC told GAO, and that that was bad policy. On the other hand, those who noted the flexibility inherent in a performance-based regulation would seem to contradict those who said that the regulation was one size fits all.
An industrial radiographer:
Regarding the issue of whether Part 37 is too prescriptive or too performance-based, I like the rule. While I don't like some of the wording, it leaves us a lot of room to work. For example, not telling me how to do security zones is fine.
An Agreement State official:
The new rule addresses a very diverse community possessing various radioactive materials. The rule must allow flexibility for the differing business models to comply with the rule. Based on this belief the rule is not too broadly written. The Agreement States and the USNRC have more than a decade of experience in performance-based regulation. Likewise, the regulated community has the same amount of experience complying with regulations through performance-based policies, procedures and programs. The new rule "tightens" up some of the initial orders with prescriptive requirements, while allowing performance-based implementation across a very diverse regulated community.
An Agreement State official:
Some RSOs wanted a prescriptive order, but I told them that I didn't know the specifics of each facility, so they would need to develop a security system and RCP would then inspect it. If we found weaknesses in their system, we would not issue a violation notice but rather work with them to develop a corrective action plan. In practice, many RSOs would develop a plan, then call me to ask my opinion of the plan.… I think the rule strikes the right balance between being prescriptive and being performance-based.
A university RSO
feels that the balance between the rule being prescriptive vs. performance-based has worked out well. Many stakeholders have lobbied NRC for more performance-based requirements in the rule, which is what NRC provided in this case. However, there is now complaint by some that they would like the rule to be more prescriptive. NRC and many other federal agencies have done an excellent job of providing detailed guidance on how to implement a rule in addition to the rule itself. NRC's draft guidance from 2010 for the draft of 10 CFR 37 provided a clear explanation of what the rule meant. As he understands it, NRC intends to publish supplemental guidance documents based on the experiences from the increased controls program to assist with implementation of the new rule. These guidance documents provide very useful information for licensees to successfully implement the regulation.
An Agreement State official:
Compared to the orders, the final rule is much more prescriptive.… it is a one size fits all set of regulations. The orders were issued incrementally to licensees needing different levels of security, such as panoramic irradiators, manufacturers and distributors of radioactive sources, and other organizations such as hospitals. The rule mandates that all licensees have the same high level of security; that may not be necessary. Security should have been tailored to users, as the orders were. For example, a licensee with a half-dozen employees using soil moisture and density gauges, which have millicuries of radioactive material, do not need the same level of security as a panoramic irradiator, which may have hundreds of thousands of curies.
A university RSO:
The rule is one size fits all: security plans, training, procedures, new concepts (like security zones). There were orders, and we implemented them. After we had been inspected a few times, we were able to understand how to comply with the orders. Now with the new rule, we will have to set the rule as the new baseline. We will be reinspected against the new standards. It will take significantly more time. There are 37 Agreement States plus NRC, so there will be 38 interpretations of what the rule means. We will have to start all over again.
In comments in January 2011 on the draft rule, the Advisory Council on the Medical Uses of Isotopes, an official advisory body to NRC, stated,
The ACMUI understands the need to quickly develop and implement the Increased Controls License Orders required the NRC to establish a one-size-fits all model for all types and uses of Category 1 and 2 sources. The ACMUI is concerned that the proposed Part 37 builds off of and expands the requirements of a one-size-fits all model.30
Other
Scarcity of resources has affected radiation security programs. Several radiation professionals noted many ways in which scarcity of resources has affected their or other programs. This raises the question of whether it will be economically feasible to secure radioactive materials to the extent, and on the timeline, that the rule requires.
A university RSO:
The lack of resources affects inspections. For example, budget cuts reduce the number of inspectors and the time they have for each inspection.
An industrial radiographer:
Under the rule, we must verify that the receiving licensee has a valid license. On the surface, this makes sense. But I have to contact that licensee's jurisdiction to get this information. For me, that means I have to call [the state] and ask the radiation health bureau if the license is still valid and can receive the shipment. In reality, [the state] doesn't have enough money, so that bureau is understaffed and people don't answer the phone.
NRC commented on the foregoing statement:
Under 10 CFR Part 30, all licensees are required to verify that the recipient is authorized to possess the radioactive material. In the past, this was done by the recipient faxing the first page of their license to the sender. To prevent the use of counterfeit licenses, licensees will be required to verify the recipients' license with the appropriate regulator and the preferred way to comply with the regulation is use of the License Verification System.31
An Agreement State official:
While there are no concerns about the new rule, there is the concern over the ability to promulgate the rule when required. I think all states including [mine] are experiencing that it is definitely harder to promulgate rules in this tough economic environment. Regulatory rule promulgation is perceived as anti-business and bad for the economy.
A university RSO:
Unfortunately, at many institutions I've spoken with, the money estimated to implement the new rule is woefully inadequate.
A Nuclear Energy Institute representative:
NRC's regulatory analysis with the final rule showed an average one-time cost of $23,375, and an average annual cost of $21,736, for each of the 1,400 or so licensees with category 1 or 2 sources. Most of these licensees are small business industrial radiographers, for whom these costs would be significant.
An Agreement State official:
NRC can find a state inadequate for protecting public health and safety, and can put that state on "heightened oversight." A few years ago, [my state] was put on heightened oversight, after which more resources were devoted to the radiation control program and [the state] showed sufficient improvement to be taken off heightened oversight. The [state] radiation protection budget was cut approximately 20 percent for the 2011-12 biennium. In order to make sure the radioactive materials program has enough staff, resources are being shifted to ensure adequate support for radioactive materials.
Comments on Global Threat Reduction Initiative (GTRI). According to NRC, "The rule would impose the minimum requirements that the NRC believes are necessary to adequately protect the public health and safety and the common defense and security."32 The National Nuclear Security Administration, a semiautonomous component of the Department of Energy, operates GTRI. The Domestic Materials Protection Program, a GTRI component, goes beyond the minimum requirements by providing security upgrades on a voluntary basis to facilities with radioactive material. To do so, it sends a team to a participating facility to assess its security situation. The team makes recommendations on security upgrades—such as iris scanners for access control, infrared cameras to provide video if the lights go out, a backup power supply, and communication links to police alarm stations—and negotiates with the facility's personnel on which to install. GTRI then contracts to have the agreed systems installed, and provides funds for maintenance for three years, after which time the facility is supposed to fund maintenance. GTRI also provides training at the Y-12 National Security Complex (TN) for law enforcement personnel,33 and conducts training exercises at facilities around the country.
NRC and NNSA view their roles as complementary, with NRC setting minimum standards for securing radioactive material and GTRI providing a higher level of security. For example, a particularly worrisome threat is that posed by insiders. 10 C.F.R. 37 deals with this threat by requiring licensees to grant unescorted access to category 1 and 2 material only to personnel the licensee deems trustworthy and reliable. So far, this system appears to have worked satisfactorily; since 9/11, there has been only one theft of a category 2 source of radioactive material, a radiography camera with 33.7 curies of iridium-192 stolen from a truck in Texas in 2011, and that theft was not done for terrorist purposes. In contrast, GTRI installs TV cameras, tamper-alarming seals, radiation detectors, and links to police alarm stations in order to indicate a theft of radioactive material in progress by anyone, including an insider, as breaking the seal, or radiation leaking out when the material was removed, would trigger an alarm.
GTRI is not a part of 10 C.F.R. 37, and is not under NRC jurisdiction. Nonetheless, several radiation professionals interviewed for this report commented on GTRI, and their comments seem worth including. Most of them found GTRI valuable; one declined to participate on grounds of personnel time, cost of maintaining GTRI-installed equipment, and complexity of equipment.
A university RSO:
NNSA's Global Threat Reduction Initiative installed a full suite of equipment. [The university's] reactor building also houses a 30-year-old irradiator with less than 1000 curies. The construction people ripped everything in the building apart for months in order to install many alarms. However, the reactor people love the system, it's a great system.
An industrial radiographer:
What level of security is needed? We do want operational security, but can't bust the bank for it. NNSA's Global Threat Reduction Initiative has the best way to approach this. They would like to come out to our facility. I signed up for it, and am hopeful that as their limited budget will allow, they will come here this year or next and help us with realistic workable approaches to enhancing our security both at our fixed facilities as well as our mobile fleet.
An Agreement State official:
While it is the licensee's responsibility to develop and implement a compliant operational strategy, there are other resources available to assist them in this mission such as the Global Threat Reduction Initiative (GTRI). GTRI has performed a lot of security enhancements in [my state]. It has increased the security for many irradiators. [A] University, for example, has been very complimentary of the work that GTRI completed for them. It not only provided enhanced security devices, but also developed and implemented extensive tabletop exercises. Participants in these exercises included the FBI, the [state] Radiation Protection Section, universities, state and local response organizations, and other public and private sector stakeholders at local, state and federal levels. This exercise led to the development of many improved relationships among the participants.
As part of their voluntary security enhancement program, GTRI also provides opportunities for private and public sector security force response training at their Oak Ridge facility. This training specifically enhances the coordination of a facility's radiation safety staff and their responding security force, including LLEA. With real world staged environments in which the "players" form response plans and act them out, the value of pre-arranged cross-discipline response plans is evident and strong partnerships are formed.
An Agreement State official:
Police departments in [various] cities send all of their officers to [the GTRI Alarm Response Training course] at the Y-12 National Security Complex in Tennessee. This is not something that [the radiation control program] mandates.
An Agreement State official:
NNSA has done a lot, including two tabletop exercises in [my state]. These have been eye-openers to emergency responders. They raised elements that the responders hadn't considered. For example, if it became necessary to evacuate 300,000 people from [city] because of a dirty bomb, where would they go? How would health workers treat them, given that emergency rooms would be flooded with people? The exercise helped the [city] learn what other assets were available to them in the event that they needed additional resources. Another exercise, at [a university], had a scenario with a two-pronged terrorist attack that stole a radioactive source and raided a reactor. This exercise gave an excellent opportunity to work through the issues and provided many lessons.
An Agreement State official:
The Global Threat Reduction Initiative has been in [my state] a half-dozen times. They will install security systems for one of the state's larger licensees this summer. The program opens the eyes of licensees to security, and provides good training not only for the licensee, but also for the state inspectors who sit in on the training.
On the other hand, a university RSO does not use GTRI:
I have thus far declined to use GTRI because of my organizations' concerns with the level of complexity with the security systems, their lack of personnel time to devote to this GTRI implementation, and uncertainty of the funds which will be needed to support maintaining the security systems after the three years in which GTRI provides that maintenance support.
Should trustworthiness and reliability (T&R) screening be enhanced? 10 C.F.R. 37 would require every individual granted unescorted access to category 1 or 2 sources to be deemed T&R by his or her employer. Some radiation professionals interviewed for this report were comfortable with their T&R procedures. They feel that their organizations are competent to adjudicate T&R decisions, are able to use outside investigators as needed, and have experience in adjudicating T&R through implementing the various security orders. They see their employees every day and can spot changes in behavior, and are aware that erroneously granting someone T&R status could ruin their organization. Others expressed concerns: how to determine who should adjudicate T&R decisions (a human resources specialist, an RSO, or a committee); standards used in making T&R decisions that varied from one organization to the next; the possibility of being sued by an individual not hired because he or she was denied T&R status; lack of clear standards in 10 C.F.R. 37 for denying T&R status; the difficulty of making T&R decisions based on incomplete information, such as for foreign students; and inadequate training of individuals who make T&R determinations for evaluating background information.
It can be readily argued that the current system is satisfactory, given that there has been only one case of a theft of a category 2 source of radioactive material since 9/11. On the other hand, the issue is potentially serious: one individual erroneously deemed T&R could obtain material for a "dirty bomb" that could contaminate several square miles of a city and cost many billions of dollars in cleanup costs, relocation costs, and lost productivity, as well as societal disruption.
Should there be a desire to enhance T&R adjudication, several measures might be taken:
- NRC could make T&R standards clearer. For example, the State Department's "Adjudicative Guidelines for Determining Eligibility for Access to Classified Information" provide a detailed set of criteria for this purpose. The department notes, "The ability to develop specific thresholds for action under these guidelines is limited by the nature and complexity of human behavior. The ultimate determination of whether the granting or continuing of eligibility for a security clearance is clearly consistent with the interests of national security must be an overall common sense judgment based upon careful consideration of the following [thirteen] guidelines, each of which is to be evaluated in the context of the whole person."34 The text presents these guidelines, along with a detailed discussion of security concerns and mitigating factors for each. Standards such as these could be used even if not in the context of granting a security clearance.
- The Federal Select Agents Program is operated by the Centers for Disease Control and Prevention (CDC), part of the Department of Health and Human Services, and the Animal and Plant Health Inspection Service (APHIS), part of the Department of Agriculture. Its registry program "oversees the activities of possession of biological agents and toxins that have the potential to pose a severe threat to public, animal or plant health, or to animal or plant products."35 It may offer another model for adjudicating T&R decisions. A university RSO said,
One alternative approach to the current Increased Controls T&R process is the one used for a bioterrorism security risk assessment to vet people for access to select agents or toxins. Under this program, an organization's biosafety officer (BSO) sends in an application for an individual to APHIS or CDC to obtain a unique identifying number (UIN). The BSO submits a completed FD-961 form36 with the UIN and two fingerprint cards to the FBI. The FBI does a background check, and the FBI and APHIS or CDC make the decision and give the biosafety officer a yes or no decision, all for no charge.37
NRC commented:
The FBI's Criminal Justice Information Service (CJIS) performs a fingerprint-based Security Risk Assessment (SRA) for access to select agents, transmits the result, which indicates whether an individual is authorized or restricted, and maintains a database of their determination. CJIS bases their determination primarily on whether the criminal history record indicates that the person has committed any of the offenses listed in section 817 of the USA PATRIOT ACT, that would make them a "restricted person". The Department of Justice is specifically authorized to perform this function by the Public Health Security and Bioterrorism Preparedness and Response Act of 2002. CJIS transmits the result of the SRA to the CDC, which in turn sends an authorization or denial letter to the entity's Responsible Official. The Responsible Official is ultimately responsible for controlling access to the agent. A legislative change would be required to apply a similar process to users of radioactive materials.38
- NRC could provide training for personnel making T&R decisions.
- Difficult cases could be resolved by denying an individual unescorted access to category 1 or 2 material. Such cases do arise. It may prove hard to do an adequate background investigation of foreign nationals because information may be incomplete or available in a form that is hard for U.S. personnel to evaluate. Some U.S. citizens may have committed a serious crime many years earlier, but have had a clean record since.
- A federal agency, such as NRC, the FBI, or the Office of Personnel Management, could adjudicate difficult cases. Referring such cases to a federal agency would permit a more thorough background investigation, could apply clear standards to the results, and could reduce the risk that a person denied T&R would sue the requesting organization.
- A federal agency could adjudicate all cases. NRC commented, "This would require a legislative change."39
- Individuals granted T&R status could be required to have a Secret clearance. The definition of Secret information is: "'Secret' shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe."40 In its regulatory analysis for the new rule, NRC states that in issuing several orders between 2003 and 2006 for securing radioactive material, "NRC noted that a deliberate malevolent act by an individual with unescorted access to these materials has a potential to result in significant adverse impacts to the public health and safety or the common defense and security and, thus, necessitated expeditious implementation of additional fingerprint requirements."41 Yet an individual who stole certain radioactive material could take it to the roof of a building and disperse it in minutes using explosives, potentially inflicting large costs and societal disruption. While this release would not be "information," it "reasonably could be expected to cause serious damage to the national security."
- NRC commented:
The 10 CFR Part 37 rule is being issued under the authority to protect public health and safety. "Secret" clearances apply to protecting the common defense and security. This recommendation would cause a change in the underpinnings of the 10 CFR Part 37 regulations and would result in a difference of costs to the licensees and regulators and change to the regulatory burden.… additional analysis would be needed (and possibly a legislative change) to implement such a recommendation.42
Measures such as these would arguably provide a higher level of assurance that individuals granted T&R status were in fact trustworthy and reliable. At issue is whether they are needed; if so, if they are worth any added cost they might incur; and whether Congress would wish to make the requisite legislative changes.
Wrap-Up
Several general points emerge from the foregoing analysis.
- While the rule imposes many requirements on licensees, the previously issued security orders did so as well, so the incremental burden of the rule is much less than would have been the case had the orders not been issued first.
- Since many actions must be undertaken by all facilities with category 1 or 2 material regardless of facility size, the rule would appear to impose a proportionately larger burden on small licensees than on larger ones.
- Layered defense—in which no layer is perfect but each reduces the likelihood of a successful terrorist attack—is a cornerstone of post-9/11 homeland security. The rule puts into effect a layered defense using personnel reliability, ability to detect intrusion, police response, etc. Vulnerabilities are inevitable: someone deemed T&R might not be, security systems could fail, or police might not respond in time. Nonetheless, the ability of one layer to offset weaknesses in others can be expected to improve security, especially as terrorists would not necessarily know where vulnerabilities are or how to exploit them.
- Security can be expected to increase over time as more monitoring equipment is installed, as local law enforcement becomes more familiar with the need for rapid response, and as the T&R process becomes more effective. However, as with so many other aspects of enhanced security post-9/11, this gradual accretion of security measures has made the United States safer but cannot guarantee safety.
- Further steps might increase security further, such as a more rapid rollout of GTRI, a more uniform T&R policy, or federal adjudication of some or all T&R applications. Whether the costs of these measures are worth the potential benefit is a matter for political judgment.
- Radiation professionals who use or regulate radioactive material every working day express a wide range of views on how changes from orders to rule and details of each section of the rule affect them. NRC consulted with them and made many changes in moving from the draft to the final rule in response to their recommendations. Nonetheless, judging from comments presented throughout this report, further changes—whether to the rule or the accompanying guidance document—may prove desirable. Such changes would benefit from further consultation with radiation professionals.
Appendix A. Definition of "Byproduct Material"
10 C.F.R. 37 regulates "byproduct material." This appendix presents the definition of the term as contained in 10 C.F.R. 30, "Rules of General Applicability to Domestic Licensing of Byproduct Material," at 10 C.F.R. 30.4, "Definitions."43
Byproduct material means—(1) Any radioactive material (except special nuclear material) yielded in, or made radioactive by, exposure to the radiation incident to the process of producing or using special nuclear material;
(2)(i) Any discrete source of radium-226 that is produced, extracted, or converted after extraction, before, on, or after August 8, 2005, for use for a commercial, medical, or research activity; or
(ii) Any material that—
(A) Has been made radioactive by use of a particle accelerator; and
(B) Is produced, extracted, or converted after extraction, before, on, or after August 8, 2005, for use for a commercial, medical, or research activity; and
(3) Any discrete source of naturally occurring radioactive material, other than source material, that—
(i) The Commission, in consultation with the Administrator of the Environmental Protection Agency, the Secretary of Energy, the Secretary of Homeland Security, and the head of any other appropriate Federal agency, determines would pose a threat similar to the threat posed by a discrete source of radium-226 to the public health and safety or the common defense and security; and
(ii) Before, on, or after August 8, 2005, is extracted or converted after extraction for use in a commercial, medical, or research activity.
Appendix B. Radionuclides and Quantities of Concern Regulated by NRC
Quantities Correspond to Category 2 Sources in IAEA Code of Conduct
|
Radionuclide |
Quantity of Concern, in Units of … |
Threshold (Ci) to contaminate 1 square km assuming per-fect dispersion |
||
|
terabecquerels (TBq) |
curies (Ci) |
grams (g) |
||
|
Americium-241 |
0.6 |
16 |
4.73 |
78 |
|
Americium-241/beryllium |
0.6 |
16 |
~4.73 |
~78 |
|
Californium-252 |
0.2 |
5.4 |
0.01 |
49 |
|
Curium-244 |
0.5 |
14 |
0.17 |
130 |
|
Cobalt-60 |
0.3 |
8.1 |
0.007 |
11 |
|
Cesium-137 |
1 |
27 |
0.31 |
42 |
|
Gadolinium-153 |
10 |
270 |
0.08 |
390 |
|
Iridium-192 |
0.8 |
22 |
0.002 |
100 |
|
Promethium-147 |
400 |
11,000 |
11.66 |
410,000* |
|
Plutonium-238 |
0.6 |
16 |
0.95 |
220 |
|
Plutonium-239/beryllium |
0.6 |
16 |
16.22* |
220* |
|
Radium-226 |
0.4 |
11 |
10.93 |
13 |
|
Selenium-75 |
2 |
54 |
0.004 |
150 |
|
Strontium-90 (yttrium-90) |
10 |
270 |
1.98 |
200 |
|
Thulium-170 |
200 |
5400 |
0.033* |
2000 |
|
Ytterbium-169 |
3 |
81 |
0.003 |
600 |
Source: The list of radionuclides and the TBq column are from "Table 1: Radionuclides of Concern," in U.S. Nuclear Regulatory Commission, "Order Imposing Increased Controls (Effective Immediately)," EA-05-090, November 14, 2005, http://www.nrc.gov/security/byproduct/table1.pdf. (1 Bq = 1 radioactive disintegration of an atom per second; 1 Ci = 3.7 x 1010 disintegrations per second; 1 TBq = 27.027 Ci) NRC extracted the list and TBq column from International Atomic Energy Agency, "Code of Conduct on the Safety and Security of Radioactive Sources," Table 1, "Activities Corresponding to Thresholds of Categories," p. 16. Specific activity, used here to calculate grams, is from U.S. Department of Energy. Office of Environmental Management. "Table B.1. Characteristics of Important Radionuclides," http://www.orau.org/ptp/PTP%20Library/library/DOE/Misc/Table%20B_1_%20Characteristics%20of%20Important%20Radionuclides.htm. CRS calculated columns for Ci and g. Data for column, "Threshold (Ci) to contaminate 1 square km," are from Sandia National Laboratories, Radioactive Material Downselection and Source Prioritization Methodology: A Sandia National Laboratories Study in Support of the Global Threat Reduction Initiative, May 8, 2009, p. 40, "Threshold Quantities Comparison." This document is Official Use Only; these figures are unclassified when not associated with a specific weapon. William Rhodes of Sandia National Laboratories provided data for cells marked with an asterisk.
Notes: "Radionuclides of concern" are those for which, in the specified "quantities of concern," NRC requires enhanced security, such as access control, personnel security, and record-keeping. These quantities are Category 2 sources in the IAEA Code of Conduct. The threshold for Category 1 sources is 100 times that for Category 2 sources; the threshold for Category 3 sources is one tenth that for Category 2 sources. A quantity of concern is a very small amount. One ounce is 28.35 grams; many quantities of concern are less than 1 gram.
"Threshold to contaminate 1 square km" shows the amount of material, in curies, to contaminate that area to a level that a person in that area for a year would receive a dose of 2 rem in the first year after an attack, the EPA/FEMA protective action guide for relocation. (The column for curies is presented to two significant figures.) NRC explained the rationale for the area chosen, 1 square km: "Given all the uncertainties, it was a criterion used that might represent significant economic losses, primarily from decontamination and disposal from cleanup efforts. The thresholds being used for significant [radiological exposure devices] and RDDs are the IAEA Code of Conduct Category 2 values." (Comments prepared by NRC, November 30, 2010.) The figures in this column assume perfectly even dispersion of material over the total area. They are a useful metric for comparing the ability of different radionuclides to contaminate, but perfect dispersion would not occur in the real world. Further, the masses of material needed to produce this level of contamination would be somewhat higher than shown because materials used in commerce would not be pure.
For 14 of the 16 isotopes, the quantity of concern (in curies) in the center column is less than the amount of material (in curies) needed to contaminate 1 square km in the rightmost column. One of the two isotopes for which this is not the case, thulium-170, is very rare in commerce, and for the other, strontium-90, the difference between the two quantities is not great. Thus, protecting quantities of concern generally suffices to protect quantities that could be used to create a "significant" RDD.
The Code of Conduct uses TBq as the benchmark to define quantities of concern; CRS converted TBq to Ci. Entry for grams is obtained by dividing TBq by specific activity (expressed in TBq/gram). Entries in right two columns for strontium-90 (yttrium-90) are for strontium-90.
*Rhodes notes that the figure for promethium-147 is so large because that isotope is "essentially a weak pure beta emitter." That is, curies measure the number of disintegrations per second, not energy emitted per disintegration. Since each disintegration of promethium-147 produces very little energy, and in a form of particles that travel only a short distance, it takes a large amount to contaminate 1 square km to the level that would produce the specified dose.
This table is from CRS Report R41890, "Dirty Bombs": Technical Background, Attack Prevention and Response, Issues for Congress, by Jonathan Medalia.
Appendix C. Nuclear Regulatory Commission Security Orders to Licensees
In the wake of the 9/11 attacks, NRC issued orders to its licensees to enhance the security of radioactive materials. This appendix summarizes these orders; a full listing is available on the NRC website at http://www.nrc.gov/reading-rm/doc-collections/enforcement/security/index.html#6.
- Licensees of panoramic and underwater irradiators having more than 10,000 curies of material (68 FR 35458, June 13, 2003).44 45 NRC, under its common defense and security authority, issued this order to NRC and Agreement State licensees.
- Manufacturers and distributors of radioactive material (69 FR 5375, February 4, 2004). NRC, under its common defense and security authority, issued this order to NRC and Agreement State licensees.
- Licensees transporting radioactive materials in quantities of concern (69 FR 44407, August 2, 2005), with category 1 as the threshold for a quantity of concern. NRC, under its common defense and security authority, issued this order to NRC and Agreement State licensees.
- Increased Controls (IC) order for licensees authorized to possess 16 types of radioactive material above specified "quantities of concern." (70 FR 72128, December 1, 2005).46 NRC acted because "the Commission has determined that certain additional controls are required to be implemented by Licensees to supplement existing regulatory requirements" to enhance the security of certain quantities of certain radioactive sources.47 The order required licensees to (1) allow only "trustworthy and reliable" personnel to have unescorted access to category 1 and 2 material; (2) have a program to monitor and immediately respond to unauthorized access; (3) follow certain procedures in shipping category 2 material; (4) obtain from NRC an order to implement certain added security measures to ship category 1 material; (5) protect mobile or portable radioactive sources; (6) retain documentation; and (7) protect information describing protection of radioactive material from unauthorized disclosure. NRC issued the IC order to its licensees under its public health and safety authority. The Agreement States issued legally binding requirements, identical to the IC order, to their licensees.
- Fingerprinting orders: The Energy Policy Act of 2005 (P.L. 109-58, August 8, 2005), Section 652, amended Section 149 of the Atomic Energy Act to require fingerprinting and an FBI criminal history records check of any individual permitted unescorted access to certain radioactive materials. NRC determined that individuals with unescorted access to category 1 or 2 material required fingerprinting and a records check, and issued orders requiring these measures to irradiator licensees and manufacturer and distributor licensees (71 FR 63046, October 27, 2006), licensees making shipments of category 1 material (71 FR 62302, October 24, 2006), and to all other licensees with category 1 or 2 quantities of material (72 FR 70901, December 13, 2007). NRC issued the fingerprinting orders to its licensees under its public health and safety authority. The Agreement States issued legally binding requirements, identical to the fingerprinting orders, to their licensees.
- Certain Licensees Requesting Unescorted Access to Radioactive Material; Order Imposing Trustworthiness and Reliability Requirements for Unescorted Access to Certain Radioactive Material (Effective Immediately), (75 FR 160, January 4, 2010): "Starting in December 2007, the NRC and the Agreement States began issuing additional Orders or other legally binding requirements to the IC Licensees, imposing the new fingerprinting requirements. In the December 2007 Fingerprinting Order, Paragraph IC 1.c of the IC requirements was superseded by the requirement that 'Service provider Licensee employees shall be escorted unless determined to be trustworthy and reliable by an NRC-required background investigation.' However, NRC did not require background investigations for non-M&D [manufacturer and distributor] service provider Licensees. Consequently, only service representatives of certain M&D Licensees may be granted unescorted access to the radionuclides of concern at an IC Licensee facility, even though non-M&D service provider Licensees provide similar services and have the same degree of knowledge of the devices they service as M&D Licensees. To maintain appropriate access control to the radionuclides of concern, and to allow M&D Licensees and non-M&D service provider Licensees to have the same level of access at customers' facilities, NRC is imposing trustworthiness and reliability requirements for unescorted access to radionuclides of concern, as set forth in this Order."48 "The Order was issued to NRC and Agreement State licensees by the NRC under its common defense and security authority."49