(a) Applicability. (1) Each licensee that possesses an aggregated category 1 or category 2 quantity of radioactive material shall establish, implement, and maintain a security program in accordance with the requirements of this subpart.

(2) An applicant for a new license and each licensee that would become newly subject to the requirements of this subpart upon application for modification of its license shall implement the requirements of this subpart, as appropriate, before taking possession of an aggregated category 1 or category 2 quantity of radioactive material.

(3) Any licensee that has not previously implemented the Security Orders or been subject to the provisions of subpart C shall provide written notification to the NRC regional office specified in § 30.6 of this chapter at least 90 days before aggregating radioactive material to a quantity that equals or exceeds the category 2 threshold.

(b) General performance objective. Each licensee shall establish, implement, and maintain a security program that is designed to monitor and, without delay, detect, assess, and respond to an actual or attempted unauthorized access to category 1 or category 2 quantities of radioactive material.

(c) Program features. Each licensee's security program must include the program features, as appropriate, described in §§ 37.43, 37.45, 37.47, 37.49, 37.51, 37.53, and 37.55.

(a) Security plan. (1) Each licensee identified in § 37.41(a) shall develop a written security plan specific to its facilities and operations. The purpose of the security plan is to establish the licensee's overall security strategy to ensure the integrated and effective functioning of the security program required by this subpart. The security plan must, at a minimum:

(i) Describe the measures and strategies used to implement the requirements of this subpart; and

(ii) Identify the security resources, equipment, and technology used to satisfy the requirements of this subpart.

(2) The security plan must be reviewed and approved by the individual with overall responsibility for the security program.

(3) A licensee shall revise its security plan as necessary to ensure the effective implementation of Commission requirements. The licensee shall ensure that:

(i) The revision has been reviewed and approved by the individual with overall responsibility for the security program; and

(ii) The affected individuals are instructed on the revised plan before the changes are implemented.

(4) The licensee shall retain a copy of the current security plan as a record for 3 years after the security plan is no longer required. If any portion of the plan is superseded, the licensee shall retain the superseded material for 3 years after the record is superseded.

(b) Implementing procedures. (1) The licensee shall develop and maintain written procedures that document how the requirements of this subpart and the security plan will be met.

(2) The implementing procedures and revisions to these procedures must be approved in writing by the individual with overall responsibility for the security program.

(3) The licensee shall retain a copy of the current procedure as a record for 3 years after the procedure is no longer needed. Superseded portions of the procedure must be retained for 3 years after the record is superseded.

(c) Training. (1) Each licensee shall conduct training to ensure that those individuals implementing the security program possess and maintain the knowledge, skills, and abilities to carry out their assigned duties and responsibilities effectively. The training must include instruction in:

(i) The licensee's security program and procedures to secure category 1 or category 2 quantities of radioactive material, and in the purposes and functions of the security measures employed;

(ii) The responsibility to report promptly to the licensee any condition that causes or may cause a violation of Commission requirements;

(iii) The responsibility of the licensee to report promptly to the local law enforcement agency and licensee any actual or attempted theft, sabotage, or diversion of category 1 or category 2 quantities of radioactive material; and

(iv) The appropriate response to security alarms.

(2) In determining those individuals who shall be trained on the security program, the licensee shall consider each individual's assigned activities during authorized use and response to potential situations involving actual or attempted theft, diversion, or sabotage of category 1 or category 2 quantities of radioactive material. The extent of the training must be commensurate with the individual's potential involvement in the security of category 1 or category 2 quantities of radioactive material.

(3) Refresher training must be provided at a frequency not to exceed 12 months and when significant changes have been made to the security program. This training must include:

(i) Review of the training requirements of paragraph (c) of this section and any changes made to the security program since the last training;

(ii) Reports on any relevant security issues, problems, and lessons learned;

(iii) Relevant results of NRC inspections; and

(iv) Relevant results of the licensee's program review and testing and maintenance.

(4) The licensee shall maintain records of the initial and refresher training for 3 years from the date of the training. The training records must include dates of the training, topics covered, a list of licensee personnel in attendance, and related information.

(d) Protection of information. (1) Licensees authorized to possess category 1 or category 2 quantities of radioactive material shall limit access to and unauthorized disclosure of their security plan, implementing procedures, and the list of individuals that have been approved for unescorted access.

(2) Efforts to limit access shall include the development, implementation, and maintenance of written policies and procedures for controlling access to, and for proper handling and protection against unauthorized disclosure of, the security plan, implementing procedures, and the list of individuals that have been approved for unescorted access.

(3) Before granting an individual access to the security plan, implementing procedures, or the list of individuals that have been approved for unescorted access, licensees shall:

(i) Evaluate an individual's need to know the security plan, implementing procedures, or the list of individuals that have been approved for unescorted access; and

(ii) If the individual has not been authorized for unescorted access to category 1 or category 2 quantities of radioactive material, safeguards information, or safeguards information-modified handling, the licensee must complete a background investigation to determine the individual's trustworthiness and reliability. A trustworthiness and reliability determination shall be conducted by the reviewing official and shall include the background investigation elements contained in § 37.25(a)(2) through (a)(7).

(4) Licensees need not subject the following individuals to the background investigation elements for protection of information:

(i) The categories of individuals listed in § 37.29(a)(1) through (13); or

(ii) Security service provider employees, provided written verification that the employee has been determined to be trustworthy and reliable, by the required background investigation in § 37.25(a)(2) through (a)(7), has been provided by the security service provider.

(5) The licensee shall document the basis for concluding that an individual is trustworthy and reliable and should be granted access to the security plan, implementing procedures, or the list of individuals that have been approved for unescorted access.

(6) Licensees shall maintain a list of persons currently approved for access to the security plan, implementing procedures, or the list of individuals that have been approved for unescorted access. When a licensee determines that a person no longer needs access to the security plan, implementing procedures, or the list of individuals that have been approved for unescorted access, or no longer meets the access authorization requirements for access to the information, the licensee shall remove the person from the approved list as soon as possible, but no later than 7 working days, and take prompt measures to ensure that the individual is unable to obtain the security plan, implementing procedures, or the list of individuals that have been approved for unescorted access.

(7) When not in use, the licensee shall store its security plan, implementing procedures, and the list of individuals that have been approved for unescorted access in a manner to prevent unauthorized access. Information stored in nonremovable electronic form must be password protected.

(8) The licensee shall retain as a record for 3 years after the document is no longer needed:

(i) A copy of the information protection procedures; and

(ii) The list of individuals approved for access to the security plan, implementing procedures, or the list of individuals that have been approved for unescorted access.

[78 FR 17007, Mar. 19, 2013, as amended at 79 FR 58671, Sept. 30, 2014; 83 FR 30287, June 28, 2018]

(a) A licensee subject to this subpart shall coordinate, to the extent practicable, with an LLEA for responding to threats to the licensee's facility, including any necessary armed response. The information provided to the LLEA must include:

(1) A description of the facilities and the category 1 and category 2 quantities of radioactive materials along with a description of the licensee's security measures that have been implemented to comply with this subpart; and

(2) A notification that the licensee will request a timely armed response by the LLEA to any actual or attempted theft, sabotage, or diversion of category 1 or category 2 quantities of material.

(b) The licensee shall notify the appropriate NRC regional office listed in § 30.6(b)(2) of this chapter within 3 business days if:

(1) The LLEA has not responded to the request for coordination within 60 days of the coordination request; or

(2) The LLEA notifies the licensee that the LLEA does not plan to participate in coordination activities.

(c) The licensee shall document its efforts to coordinate with the LLEA. The documentation must be kept for 3 years.

(d) The licensee shall coordinate with the LLEA at least every 12 months, or when changes to the facility design or operation adversely affect the potential vulnerability of the licensee's material to theft, sabotage, or diversion.

[78 FR 17007, Mar. 19, 2013, as amended at 83 FR 30288, June 28, 2018]

(a) Licensees shall ensure that all aggregated category 1 and category 2 quantities of radioactive material are used or stored within licensee-established security zones. Security zones may be permanent or temporary.

(b) Temporary security zones must be established as necessary to meet the licensee's transitory or intermittent business activities, such as periods of maintenance, source delivery, and source replacement.

(c) Security zones must, at a minimum, allow unescorted access only to approved individuals through:

(1) Isolation of category 1 and category 2 quantities of radioactive materials by the use of continuous physical barriers that allow access to the security zone only through established access control points. A physical barrier is a natural or man-made structure or formation sufficient for the isolation of the category 1 or category 2 quantities of radioactive material within a security zone; or

(2) Direct control of the security zone by approved individuals at all times; or

(3) A combination of continuous physical barriers and direct control.

(d) For category 1 quantities of radioactive material during periods of maintenance, source receipt, preparation for shipment, installation, or source removal or exchange, the licensee shall, at a minimum, provide sufficient individuals approved for unescorted access to maintain continuous surveillance of sources in temporary security zones and in any security zone in which physical barriers or intrusion detection systems have been disabled to allow such activities.

(e) Individuals not approved for unescorted access to category 1 or category 2 quantities of radioactive material must be escorted by an approved individual when in a security zone.

(a) Monitoring and detection. (1) Licensees shall establish and maintain the capability to continuously monitor and detect without delay all unauthorized entries into its security zones. Licensees shall provide the means to maintain continuous monitoring and detection capability in the event of a loss of the primary power source, or provide for an alarm and response in the event of a loss of this capability to continuously monitor and detect unauthorized entries.

(2) Monitoring and detection must be performed by:

(i) A monitored intrusion detection system that is linked to an onsite or offsite central monitoring facility; or

(ii) Electronic devices for intrusion detection alarms that will alert nearby facility personnel; or

(iii) A monitored video surveillance system; or

(iv) Direct visual surveillance by approved individuals located within the security zone; or

(v) Direct visual surveillance by a licensee designated individual located outside the security zone.

(3) A licensee subject to this subpart shall also have a means to detect unauthorized removal of the radioactive material from the security zone. This detection capability must provide:

(i) For category 1 quantities of radioactive material, immediate detection of any attempted unauthorized removal of the radioactive material from the security zone. Such immediate detection capability must be provided by:

(A) Electronic sensors linked to an alarm; or

(B) Continuous monitored video surveillance; or

(C) Direct visual surveillance.

(ii) For category 2 quantities of radioactive material, weekly verification through physical checks, tamper indicating devices, use, or other means to ensure that the radioactive material is present.

(b) Assessment. Licensees shall immediately assess each actual or attempted unauthorized entry into the security zone to determine whether the unauthorized access was an actual or attempted theft, sabotage, or diversion.

(c) Personnel communications and data transmission. For personnel and automated or electronic systems supporting the licensee's monitoring, detection, and assessment systems, licensees shall:

(1) Maintain continuous capability for personnel communication and electronic data transmission and processing among site security systems; and

(2) Provide an alternative communication capability for personnel, and an alternative data transmission and processing capability, in the event of a loss of the primary means of communication or data transmission and processing. Alternative communications and data transmission systems may not be subject to the same failure modes as the primary systems.

(d) Response. Licensees shall immediately respond to any actual or attempted unauthorized access to the security zones, or actual or attempted theft, sabotage, or diversion of category 1 or category 2 quantities of radioactive material at licensee facilities or temporary job sites. For any unauthorized access involving an actual or attempted theft, sabotage, or diversion of category 1 or category 2 quantities of radioactive material, the licensee's response shall include requesting, without delay, an armed response from the LLEA.

(a) Each licensee subject to this subpart shall implement a maintenance and testing program to ensure that intrusion alarms, associated communication systems, and other physical components of the systems used to secure or detect unauthorized access to radioactive material are maintained in operable condition and are capable of performing their intended function when needed. The equipment relied on to meet the security requirements of this part must be inspected and tested for operability and performance at the manufacturer's suggested frequency. If there is no suggested manufacturer's suggested frequency, the testing must be performed at least annually, not to exceed 12 months.

(b) The licensee shall maintain records on the maintenance and testing activities for 3 years.

Each licensee that possesses mobile devices containing category 1 or category 2 quantities of radioactive material must:

(a) Have two independent physical controls that form tangible barriers to secure the material from unauthorized removal when the device is not under direct control and constant surveillance by the licensee; and

(b) For devices in or on a vehicle or trailer, unless the health and safety requirements for a site prohibit the disabling of the vehicle, the licensee shall utilize a method to disable the vehicle or trailer when not under direct control and constant surveillance by the licensee. Licensees shall not rely on the removal of an ignition key to meet this requirement.

(a) Each licensee shall be responsible for the continuing effectiveness of the security program. Each licensee shall ensure that the security program is reviewed to confirm compliance with the requirements of this subpart and that comprehensive actions are taken to correct any noncompliance that is identified. The review must include the radioactive material security program content and implementation. Each licensee shall periodically (at least annually) review the security program content and implementation.

(b) The results of the review, along with any recommendations, must be documented. Each review report must identify conditions that are adverse to the proper performance of the security program, the cause of the condition(s), and, when appropriate, recommend corrective actions, and corrective actions taken. The licensee shall review the findings and take any additional corrective actions necessary to preclude repetition of the condition, including reassessment of the deficient areas where indicated.

(c) The licensee shall maintain the review documentation for 3 years.

(a) The licensee shall immediately notify the LLEA after determining that an unauthorized entry resulted in an actual or attempted theft, sabotage, or diversion of a category 1 or category 2 quantity of radioactive material. As soon as possible after initiating a response, but not at the expense of causing delay or interfering with the LLEA response to the event, the licensee shall notify the NRC's Operations Center (301-816-5100). In no case shall the notification to the NRC be later than 4 hours after the discovery of any attempted or actual theft, sabotage, or diversion.

(b) The licensee shall assess any suspicious activity related to possible theft, sabotage, or diversion of category 1 or category 2 quantities of radioactive material and notify the LLEA as appropriate. As soon as possible but not later than 4 hours after notifying the LLEA, the licensee shall notify the NRC's Operations Center (301-816-5100).

(c) The initial telephonic notification required by paragraph (a) of this section must be followed within a period of 30 days by a written report submitted to the NRC by an appropriate method listed in § 37.7. The report must include sufficient information for NRC analysis and evaluation, including identification of any necessary corrective actions to prevent future instances.