NRC approves overhaul of FOF inspections, baseline security programs
The security drills held at commercial nuclear power plants as part of the Force-on-Force (FOF) inspection program will no longer be led by the Nuclear Regulatory Commission.
The commissioners on Friday approved an overhaul of the security program, including phasing out NRC-led drills by 2028. Following the phaseout, drills will be led by the licensee, with the NRC observing.
In “Recommendations for Revising the Security Baseline Inspection Program Including the Force-On-Force Inspection Program” (SECY-26-0015) released in February, NRC staff recommended revising the FOF inspection program “to include two exercises, an update to the method of characterizing exercise outcomes, and an option to increase the licensee’s role in exercise scenario development.” The approved changes, however, would have the staff observing one licensee-conducted exercise after 2028.
The NRC has conducted FOF security inspections at power plants since 1991. These exercises simulate security threats that are in accordance with any design basis threat applicable to a facility. This program has undergone multiple revisions over its history to incorporate new inspection guidance, lessons learned, and commission direction. For instance, the inspection frequency changed from once every eight years to once every three years following the attacks of September 11, 2001.
The changes: As described in SECY-26-0015, licensees wanted to have a greater say in FOF exercises. The approved changes reflect this by having licensees conduct the exercises, Jeremy Groom, acting director of the NRC’s Office of Nuclear Reactor Regulation, told Nuclear News.
“That’s not to say we are releasing all control to the licensee; we would never do that,” Groom said. “We still have to be a safety and security regulator. What we are going to do is make sure they have the ability to provide input in how the exercises run. The NRC will still pick what the target is within the facility . . . but the licensee will have some input on the actual planning, some of the breaching that happens in the exercise.”
He continued, “They know their facilities better than we do. This will actually add realism to the scenarios because they know how their facilities are designed.”
The FOF changes will include NRC staff recommendations to remove the labels used to determine an exercise outcome—terms like “effective,” “ineffective,” and “indeterminate.” Removing these terms should eliminate the win-or-lose mentality the FOF exercise outcomes have generated, Groom said.
“What we learned is if we remove characterization and focus on the learning . . . both sides go into it really thinking about what can we gain from the experience of the exercise, and not so much about [whether] the good guys won or maybe the adversary force was successful in the mock attack on the facility,” he said. “That’s going to have a really positive impact.”
While the more notable changes will happen once this current triennial period ends in 2028, Groom said the transition will begin over the next few months in areas like the characterization of exercise outcomes and scoring methodology.
Other revisions: In addition to FOF, the baseline security changes include retiring eight of the 11 security inspection procedures (IPs) and introducing two new IPs—“Security Operations” and “Security Performance”—that consolidate the old IPs’ risk-significant elements. Under the proposed revisions, the number of annualized baseline inspection hours would drop from 287 hours to anywhere from 149 to 170 hours. The IPs being retired are listed below.
- “Access Authorization”
- “Access Control”
- “Equipment Performance, Testing, and Maintenance”
- “Protective Strategy Evaluation and Performance Evaluation Program”
- “Security Training”
- “Fitness-for-Duty Program”
- “Security Plan Changes”
- “Review of Power Reactor Target Sets”
The revisions also include changing the frequency of the material control and accounting IPs from triennial to “as needed” and changing the frequency of cybersecurity IPs from biennial to triennial.
Update: The article has been revised to include a quote from SECY-26-0015.