Publication Date: 6/1/80     Pages: 20     Date Entered: 2/23/84     Title: INTENT AND SCOPE OF PHYSICAL PROTECTION UPGRADE RULE REQUIREMENTS FOR FIXED SITES     June 1980     U.S. NUCLEAR REGULATORY COMMISSION     REGULATORY GUIDE     OFFICE OF STANDARDS DEVELOPMENT     REGULATORY GUIDE 5.61     INTENT AND SCOPE OF THE PHYSICAL PROTECTION UPGRADE RULE     REQUIREMENTS FOR FIXED SITES A. INTRODUCTION     On November 28, 1979, strengthened physical protection     requirements for fuel cycle facilities and transportation involving     formula quantities of strategic special nuclear material were published     in the Federal Register (44 FR 68184). The "Physical Protection Upgrade     Rule" is the short title for these requirements. This guide provides     information to assist in understanding the physical security     requirements for fuel cycle facilities set forth in Sections 73.1,     73.20, 73.45, and 73.46 of the Physical Protection Upgrade Rule.     Section B, "Discussion," provides an overview of the major sections of     the rule and discusses (1) how the Physical Protection Upgrade Rule is     structured, (2) what the purposes of its major provisions are, and (3)     what interrelationships exist among the three major portions of the rule     that contain requirements for the physical protection of fixed sites.     Section C, Regulatory Position, attempts, by means of a question and     answer format, to explain, why certain fixed site requirements are     included in the rule and to clarify the intent of these requirements. B. DISCUSSION     This section is intended to give the reader a broad overview of     the structure of the Physical Protection Upgrade Rule as it applies to     fixed sites and the purpose of its major provisions. A review of the     threat statement is included. The Physical Protection Upgrade Rule is     structured in three distinct levels; two are essentially performance     oriented and the third, a reference physical protection system, is     specification oriented. 1. Purpose and Scope: Section 73.1 (Threat Statement) Paragraphs 73.1(a)(1) and (a)(2) describe the types of threats     against which the physical protection system must be effective.     Distinctions are made between the overall protection level to be     provided against radiological sabotage and that required against theft     or diversion of SSNM.     For radiological sabotage, two basic adversary types are defined.     The first is an external assault by several persons in which the     attackers are assumed to be well armed, well trained, and able to obtain     inside help. The second postulated adversary is a single insider who     may be employed in any position and who may have an NRC or DOE security     clearance.     For theft or diversion, the basic external assault threat is     similar to that for radiological sabotage, except that the adversaries     are assumed to be capable of operating as two or more teams. The     internal theft or diversion threat is markedly different from that for     radiological sabotage in that it also includes a conspiracy among     individuals either with access to and knowledge of facilities and     activities or equipped with items that could facilitate theft of     material subject to this rule. 2. General Performance Objective and Requirements: Paragraphs     73.20(a) and (b) The general performance objective and requirements are referenced     to the threat statements of Section 73.1, wherein appropriate design     basis threats for protecting against radiological sabotage and     preventing theft of special nuclear material are specified.     Paragraph 73.20(a) is the first of the two performance-oriented     levels and sets forth the rule's basic parameters. This paragraph states     who is covered by these regulations; i.e., licensees authorized to     operate fuel reprocessing plants pursuant to 10 CFR Part 50, licensees     who operate facilities that possess or use formula quantities of     strategic special nuclear materials, and licensees involved in the     transport or delivery of formula quantities of strategic special nuclear     material, including import and export. On an interim basis, non-power     reactors are not subject to the Physical Protection Upgrade Rule     requirements. It further states that those covered by these regulations     must establish and maintain or make arrangements for a physical     protection system which will have as its objective to provide high     assurance that activities involving special nuclear material are not     inimical to the common defense and security and do not constitute an     unreasonable risk to the public health and safety.     Paragraph 73.20(b) describes how licensees covered by these     regulations are to provide effective physical protection systems meeting     the general performance objective of paragraph (a) of section 73.20. To     meet the general performance objective, a licensee must establish and     maintain or arrange for a physical protection system. That physical     protection system must include the characteristics defined in paragraphs     (b)(1) through (b)(3), which require that the physical protection system     (1) provide the performance capabilities of section 73.45, (2) be     designed with redundancy and diversity, and (3) include a testing and     maintenance program as described therein. 3. Performance Capabilities for Fixed Site Physical Protection:     Section 73.45     Paragraph 73.20(b)(1) provides a direct link between the general     performance requirements and the performance capabilities that comprise     the second of the performance-oriented levels. This paragraph states     that, in order to meet the general performance requirements of paragraph     73.20(a), a licensee must establish and maintain or arrange for a     physical protection system that provides the performance capabilities     described in Section 73.45 for fixed site protection unless otherwise     authorized by the Commission. Thus, a physical protection system must     be designed to satisfy the performance capabilities in order to meet the     objective of providing high assurance of preventing the theft of SSNM     and protecting against radiological sabotage by the previously described     adversaries.     Because the adversary may consist of insiders operating alone or     in combination with persons without authorized access, the adversary is     able to initiate his activities inside as well as outside the facility.     In order to provide the required level of assurance, the physical     protection system must be able to detect, assess, and respond to     unauthorized acts initiated at any point outside or inside the facility.     The performance capabilities necessary to provide assurance that the act     will be prevented may, therefore, be viewed as a series of four     protection layers that detect and respond to an unauthorized act     initiated at any point.     Starting from the facility perimeter and working inward, the first     protection layer consists of the performance capability delineated in     paragraph 73.45(f), which is to provide for authorized access and assure     detection of and response to unauthorized penetrations of the protected     area. This performance capability is the first line of defense against     external groups, but does not provide protection against persons or     material with authorized access to the facility. The second protection     layer is the performance capability delineated in paragraph 73.45(b),     which is to prevent unauthorized access of persons and materials into     material access areas and vital areas. This performance capability     denies unauthorized access to a material access area or a vital area but     is still not effective against adversaries with authorized access to a     material access area or a vital area. This problem is addressed by the     third layer of performance capabilities delineated in paragraph 73.45(c)     which requires that the physical protection system permit only     authorized activities and conditions within protected areas, material     access areas, and vital areas, and paragraph 73.45(d) which requires     that the physical protection system permit only authorized placement and     movement of strategic special nuclear material within material access     areas. These two performance capabilities ensure that, even in cases in     which the adversary is authorized access to material access areas or     vital areas and is authorized to handle and move SSNM, the physical     protection system will be capable of detecting the unauthorized     adversary act and initiating an effective response. The fourth     protection layer permits the removal of only authorized and confirmed     forms and amounts of strategic special nuclear material from material     access areas (paragraph 73.45(e)).     The final performance capability [paragraph 73.45(g)] is that the     physical protection system must provide a response capability to assure     that the five capabilities described in paragraphs (b) through (f) of     Section 73.45 are achieved. In cases where the adversary initiates     action outside the facility or in the facility's protected areas, he     will face redundant protection in the several layers of performance     capabilities remaining between him and his objective. But, again, the     primary purpose for this layering of performance capabilities is to     ensure that an unauthorized act by an adversary will be detected as soon     as it is initiated, regardless of who the adversary is or where within     the facility he is located.     The proper implementation of these performance capabilities will     provide the desired high assurance that the physical protection system     can prevent the theft of strategic special nuclear material and protect     against radiological sabotage by any of the postulated adversaries at     any given time. 4. Fixed Site Physical Protection Systems, Subsystems, Components,     and Procedures: Section 73.46 (Reference System) Regulatory guidance to assist in ensuring the proper     implementation of the performance capabilities identified in Section     73.45 in the design of a physical protection system are contained in     Section 73.46 and constitute the third major level of the Physical     Protection Upgrade Rule. Section 73.46 delineates those safeguards     measures that usually will be included in a physical protection system     that satisfies the performance capability requirements. In order to     clarify the relationship between the reference system in Section 73.46     and the performance capabilities in Section 73.45, Table 1 has been     developed. This table is organized by performance capability, with each     capability function and subfunction designated in the rule as necessary     to achieve that performance capability listed as a separate column     heading. Under each heading are listed all the provisions from the     reference system (Section 73.46) that fulfill some portion of that     function or subfunction. The table shows how the reference system may be     used to provide the functions or subfunctions necessary to each     performance capability and thus to achieve each performance capability     itself. The table provides several types of information on how     safeguards measures can be used to help satisfy a required function or     subfunction. In providing this information, various situations must be     considered. For fixed sites, the reference system must consider     situational and timing differences (for example, working hours versus     non-working hours).     The column headed by paragraph 73.45(b)(2)(ii) provides an     example. This paragraph deals with entry controls and procedures for     the detection of attempts to gain unauthorized access into material     access areas and vital areas by deceit. The paragraphs from the     reference system that comprise the body of the column contain components     and measures for dealing with entry attempts by employees, non-employees     requiring frequent access, visitors, individuals with NRC or DOE     material access authorizations, vehicles, and materials. There are also     safeguards measures listed for key, lock, and combination control and     for communications. Thus, the reference system contains different ways     of providing these subfunctions of the performance capability under     different circumstances. Some of the activities, equipment, and design     features needed to provide the functions and subfunctions are not time     sensitive (that is, they must be in effect or be operational at all     times). Physical barriers, for example, are not the type of safeguards     measure that needs to be effective only at certain times.     To provide this same high assurance of protection over time,     paragraph 73.20(b) of the general performance requirements, contains two     additional requirements, redundancy and diversity and testing and     maintenance. 5. Redundancy and Diversity: Paragraph 73.20(b)(2) Paragraph 73.20(b)(2) requires that the physical protection system     be designed with sufficient redundancy and diversity to assure     maintenance of the capabilities described in section 73.45. To provide     protection against the failure of physical protection system measures     that would cause a performance capability not to be satisfied, the     system must be designed with redundancy and diversity. That is,     redundant and diverse means of providing functions or subfunctions must     be included to ensure that no single adversary act or no single     safeguards-measure failure will cause the overall system to fail.     Redundancy means providing more than one measure (which may be the same     measure duplicated) to perform a given function or subfunction.     Diversity means providing two or more different kinds of measures that     all perform or contribute to the same function or subfunction but that     have different operating characteristics (such as sensitivities, failure     modes, strengths, and weaknesses).     Table 1 is useful in clarifying the role of redundancy and     diversity in the physical protection system. Paragraph 73.46(g)(5) of     the reference system implies that redundancy and diversity are not     required everywhere, but only in those cases in which the effectiveness     of the physical protection system would be compromised by failure or     other contingencies. As stated in paragraph 73.20(b), this means that     the physical protection system must be designed with sufficient     redundancy and diversity to assure maintenance of the capabilities     described in Section 73.45. In terms of information provide by the     table, this means that components providing redundancy and diversity     will not be found in every column, but only in those in which the     criteria of the reference system makes their inclusion warranted. Thus,     in providing the functions and subfunctions of the performance     capabilities as shown through the columns on the table, guidance is     given showing the usual level for redundancy and diversity needed to     satisfy paragraph 73.20(b)(2). 6. Testing and Maintenance: Paragraph 73.20(b)(3) Paragraph 73.20(b)(3) requires the physical protection system to     include a testing and maintenance program to assure control over all     activities and devices affecting the effectiveness, reliability, and     availability of the physical protection system, including a     demonstration that any defects of such activities will be corrected for     the total period of time they are required as a part of the physical     protection system. This requirement is intended to ensure that all     procedures and hardware will remain effective, reliable, and available     at all times. This requires programs to promptly detect any defects and     to correct them in a timely manner. It also requires a program to     provide alternative measures to replace the capabilities lost while the     maintenance and repair is being accomplished.     Testing and maintenance that normally will be included in a system     providing the capabilities required by paragraph 73.20(b)(3) are     described in paragraph 73.46(g) of the reference system. In order to     ensure that required performance capability functions or subfunctions     are performed, the reference system provides guidance for a testing and     maintenance program. The purpose of any testing and maintenance program     should be to ensure continued operation of the safeguards measures that     are used to provide those functions or subfunctions.     Table 1 delineates reference system maintenance provisions     corresponding to the appropriate performance capabilities of Section     73.45. C. REGULATORY POSITION     This section provides the rationale for and clarifies the intent     of particular requirements for fixed sites in the Physical Protection     Upgrade Rule.     Section 73.1 Purpose and Scope (Threat Statement) Q: Is there more concern for theft of SNM than for radiological     sabotage? A: The threat statements reflect the position that there is a     greater risk to the public from theft of SNM at a fuel cycle facility     than from radiological sabotage because of the type and form of SNM     actually located at existing fuel cycle facilities. Therefore, it is     necessary for licensees' physical protection systems to provide a level     of assurance that is consistent with the higher potential damage to the     national security and public health and safety.     (Due to database constraints, Table 1 is not included. Please contact     LIS to obtain a copy.) Q: Is there any reason why the number of adversaries has not     been specified? A: Yes. Threat analysis has shown that basing defense     capabilities on a predetermined number of postulated adversaries can be     misleading. Given the dynamic nature of the threat and the significance     of behavior as well as resource characteristics in determining adversary     effectiveness, it was felt that protection against an adversary with a     composite of characteristics across a spectrum of threat levels would     constitute a more prudent performance objective.     Paragraph 73.1(a)(1)(i) Q: Is "hand-carried equipment" intended to include toxic gases     and antipersonnel ordinance? A: It is intended that the term "hand-carried" include     incapacitating agents (tear gas, mace, tranquilizers, etc.) but not     poisonous gases, and that adversaries will have available to them     antipersonnel ordinance (hand grenades, claymore mines, etc.). These     two adversary attributes indicate that unprepared guards or other     response force personnel may be rendered ineffective either prior to     engaging the adversary or much more easily during the engagement. The     attributes also imply that response force personnel must have special     equipment and receive special training to counter these capabilities.     Paragraph 73.1(a)(2) Q: Is there any special reason why the adversaries have "the     ability to operate as two or more teams?"     A: The ability to operate as two or more teams implies that (1)     the adversary may be able to split the response force into several     groups, thereby reducing the firepower that the response forces can     concentrate in any area during an engagement or (2) the adversary may be     able to fix the response force in one location by having one team engage     the response force while another team maneuvers and completes the theft     mission. This adversary attribute has a potential impact on the number     of response force personnel that may be required and the response     tactics they may employ.     Paragraph 73.1(a)(1) and (a)(2) Q: Do the knowledgeable individual who renders inside     assistance and the conspirators possess the same adversary attributes as     the "small group of external attackers"? A: It is expected that anyone who supports the adversaries'     actions will be capable of acquiring the same training as the most     sophisticated members of the adversary's group. However, because of the     nature of the level of protection required by these regulations it is     not expected that the single insider or the conspirators will have     available to them all of the weapons, ordinance, or special tools that     are considered the attributes of the "small group of external     attackers." However, if the insider is a guard or perhaps an armed     response individual, he may possess some of the armament referenced in     the rule. The prescribed upgrade rule protective measures should limit     the quantity and quality of the weapons and ordinance that can be     introduced into a facility prior to initiation of the theft or sabotage     sequence.     Paragraph 73.1(a)(2) Q: Is it the intent of the conspiracy threat statement that the     physical protection system provide a capability to prevent collusion     between more than two insiders? A: It is the intent of the regulations that those design     features of the physical protection system that are affected by the     number of insiders in collusion be effective against two colluding     individuals. It is expected that some measure of protection will be     afforded against larger colluding groups as a result of those features     designed to counteract two colluding individuals. Also, the larger the     colluding group, the higher the probability it will be detected.     Section 73.20 General Performance Objective and Requirements     Paragraph 73.20(b)(2) Q: What is the general scope of the "redundancy and diversity"     requirement? A: The physical protection system must be designed with     redundant and diverse measures sufficient to ensure that the system will     remain capable of providing the necessary level of protection under     adverse conditions causing the failure of some elements of the system.     Redundancy means providing several measures (which may be the same     measure duplicated) to perform the same function or subfunction in order     to prevent failure of the entire system on the failure of a single     measure. The performance of any given capability must not be so     dependent on any one measure that failure of that measure prevents     adequate performance of the capability.     Diversity means providing different kinds or types of measures     that contribute to the performance of a given security function or     subfunction. By providing various measures that have differing     operating characteristics (sensitivities, failure modes, strengths, and     weaknesses), the continued performance of a given capability is ensured     regardless of the failure of one such characteristic.     An example of pure redundancy is the use of two microwave     perimeter intrusion alarm systems installed in parallel and provided     with independent annunciators and power supplies. If one of the two     microwave perimeter intrusion alarm systems is replaced with a     fence-mounted intrustion detection system, both redundancy and diversity     have been achieved.     A more abstract example of redundancy and diversity would be the     use of a perimeter intrusion alarm system (any technology) with a     low-light-level (LLL) closed circuit protected area television     surveillance system equipped with a motion detection capability. For     example, a primary perimeter intrusion detection system could be an     infrared (IR) system and a redundant secondary capability would be     provided by the motion detection feature of the CCTV system. A tertiary     intrusion detection capability would be provided by manual observation     of the CCTV monitors. A fourth detection capability could be provided     by the guard patrols. Diversity of the perimeter detection capability     thus is provided by different types of technology used to detect the     intrusion. Further diversity is provided by the fact that the LLL CCTV     cameras may be designed to work during the failure of the perimeter     lighting system.     Paragraph 73.20(b)(2) Q: In what manner will the redundancy and diversity requirement     aid in the protection against the insider or the conspiracy threat? A: Whether the threat arises from an insider, a conspiracy,, or     outsiders, redundancy and diversity provides additional elements that     must be overcome by the adversary to steal SSNM or commit radiological     sabotage. These additional elements improve protection by requiring,     for example, the adversary to spend more time in learning system     functions and more time in attempting to disarm or compromise a series     of systems instead of just one.     Paragraph 73.20(b)(3) Q: What is the general meaning of the requirement of a "testing     and maintenance program to assure control over activities and devices     affecting the effectiveness, reliability, and availability of the     physical security system" and "a demonstration that any defects of such     activities and devices will be promptly detected and corrected"? A: The physical protection system should include a testing and     maintenance program that addresses all elements of the physical     protection system and will ensure that all elements remain operating as     they are supposed to and that all elements will operate at all times,     including under adverse conditions. Testing means procedures to confirm     that the individual measures of the safeguards system are performing as     designed and intended and are, therefore, providing the appropriate     functions and capabilities. Maintenance means not only the repair or     replacement of hardware components, but also the review and possible     revision of orders establishing procedures that may be necessary to keep     physical security systems and subsystems operating effectively.     The testing and maintenance program should be designed to ensure     that failures or defects in safeguards measures will be detected     promptly and corrected promptly. Both preventive maintenance and repair     capabilities are needed. Correction of failures or defects should not     be merely temporary fixes but should remedy the fundamental problem and     prevent a recurrence of the failure or defect.     Paragraph 73.20(b)(3) Q: What is the intent of the need "to assure control over all     activities and devices affecting the effectiveness, reliability, and     availability of the physical protection system"? A: It is clear that such security devices as alarms and CCTV     must be tested and maintained to ensure reliability and availability.     However, it is not so obvious, for example, that, if criticality alarms     are activated falsely or illicitly, they pose a significant problem to     the integrity of the physical security system. This problem exists     because these alarms create the impression of an emergency situation     that requires emergency evacuations. These evacuations reduce the level     of protection for a period of time and provide paths for adversaries to     enter or exit the MAA and remove material through an unprotected portal.     Therefore, the testing and maintenance program should ensure that such     devices are kept in good working order and that illicit activities can     not cause the effectiveness of the physical protection system to be     impaired.     Examples of activities that might cause criticality alarms to     activate erroneously are (1) setting the detection threshold too low and     (2) simulating an alarm condition on the signal lines.     Examples of controls over the above activities that might reduce     the probability that these erroneous alarms occur are (1) close     supervision by knowledgeable security personnel of the calibration     process and (2) placing criticality alarms out of reach where possible,     enclosing signal lines in conduits, and tamper protecting detection     circuitry.     Paragraph 73.20(b)(3) Q: What are considered defects of activities and devices? A: Examples of defects in activities that affect the     reliability, effectiveness, and availability of the physical protection     system are (1) incomplete guard rounds, (2) improper vault opening or     closing procedures, (3) escort duties that are not taken seriously, (4)     delay in removal of snow from between perimeter infrared intrusion alarm     detectors that are in constant alarm, and (5) failure to properly     calibrate portal detectors.     Examples of defects in devices that affect the physical protection     system are (1) tamper switches that stick in the closed or secure     position, (2) alarm components that do not alarm when they lose power,     (3) signal lines that have line supervision that is not functioning     according to specifications, (4) exterior equipment enclosures that fill     with rain and cause equipment failures because they are not properly     waterproofed, and (5) unacceptable degradation in detection performance     of alarm systems because of other environmental conditions such as high     winds.     Paragraph 73.20(b)(3) Q: What is a "demonstration that any defects...will be     ...detected and corrected"? A: Examples of effective demonstrations would be procedures     that (1) cause tamper switches to be physically activated, (2) cause     alarm systems to actually operate on emergency power, and (3) measure     line supervision tolerances.     Paragraph 73.20(b)(3) Q: Does the requirement for a testing program imply the need     for adversary type testing? A: Testing does not imply that the licensee should conduct     exercises in which individuals assume the roles and characteristics of     adversary groups and attempt to commit adversary actions. Drills in     which an alarm is sounded (but for which there is no simulated     adversary) and the security force's response times and knowledge of     contingency plans are demonstrated constitute an appropriate and     effective test method. The manner in which the alarm is caused to sound     can be used to test its sensitivity, and the location of the alarm     selected can be used to test the adequacy of the alarm display and     assessment functions.     Paragraph 73.20(c)(2) Q: What activities constitute "new construction, significant     physical modification of existing structures or major equipment     modifications," and what kind of evidence that these activities are     actually being planned is necessary to permit a delay in implementation     to be authorized? A: The intent of this provision is to permit a delay in     implementing those safeguards measures that require lengthy procurement,     installation/modification/construction periods, and testing before they     can become an integral part of the physical protection system. The     licensee should be prepared to show proof, if requested, in the form of     signed contracts that clearly indicate the dates of delivery or     completion of the subject components or measures, and the name and     address of the vendors and contractors. For every measure in which     there is an implementation delay, temporary measures that achieve a     comparable level of protection will be expected.     Section 73.45 Performance Capabilities for Fixed Site Physical     Protection Systems     Q: Is it necessary for some capabilities to be maintained     during both normal and emergency conditions? Which ones are they? A: The following paragraphs contain requirements to maintain     the expressed capabilities during both normal and emergency conditions:     73.45(b)(1) and 73.45(b)(2)     73.45(c)(1)     73.45(e)(1) and 73.45(e)(2)     73.45(f)(1) and 73.45(f)(2) Paragraph 73.45(b) Q: Why doesn't this capability statement also include a     requirement for preventing unauthorized access of persons and materials     into the protected area? A: Because it has been determined that it is not always     possible to prevent the unauthorized access of materials or persons into     the protected area (PA). Materials can be passed through or thrown over     PA barriers, and an external group can penetrate the barriers before the     response force has sufficient time to reach the point of penetration.     The PA barrier forms only the first of a series of defense-in-depth     systems the adversary must compromise in order to effect SSNM theft or     sabotage.     Paragraphs 73.45(b)(1) and (b)(2) Q: Paragraph 73.45(b)(1) is concerned with adversaries who     attempt to gain access or introduce material across MAA or VA boundaries     using stealthful or forceful tactics. Is it not reasonable to speculate     that adversaries might consider the use of stealth or force to introduce     unauthorized materials or gain unauthorized access into an MAA or VA     through entry control points? A: The boundaries referred to in the rule include the entry     control points for the purposes of stealth or force.     Paragraph 73.45(b)(2) Q: How do "entry criteria" differ from "authorization controls     and procedures" and "authorization schedules"? A: Detecting attempts to gain unauthorized access into MAAs or     VAs by deceit will require the establishment of access authorization     controls and procedures to provide current authorization schedules and     entry criteria for both persons and materials. Access authorization     controls and procedures constitute the administrative process of     determining which persons and materials have a legitimate need to enter     a given MAA or VA and at what time or under what conditions this need     exists. Current authorization schedules will document for entry control     personnel which persons and materials are authorized access and the     times or conditions for such authorized access. Entry criteria are the     aggregate of many pieces of information to be considered or checked in     determining whether or not a person or material is authorized entry to     that MAA or VA at that time or under those circumstances.     Paragraph 73.45(b)(2)(ii) Q: What is the intended meaning of the requirement to verify     the identify of materials prior to introduction into an MAA? A: This requirement is intended to ensure that all materials     entering an MAA are searched for contraband and that comparisons of     shipping documents with package identification and authorization     schedules are made. In the case of receipts of SSNM, this requirement     does not imply that the packages of SSNM presented for entry into the     MAA must be opened and the SSNM scrutinized, weighed, and analyzed at     the entry point by security personnel. Authorization to receive this     material must be transmitted to entry control security personnel through     channels independent of the shipper. SSNM content may be verified by     matching information on the shipping documents with that on the     containers. Also required would be some form of verification that the     package has not been opened or its integrity otherwise compromised.     This can be accomplished by the examination of both the container and     the tamper-indicating devices affixed to it.     Paragraph 73.45(c) Q: What is meant by "unauthorized activities and conditions"? A: The intent of this capability is to ensure that procedures     that are consistent with sound security practices are maintained within     the MAAs and VAs. The focus is on the security system detecting,     primarily through surveillance, activities and conditions that threaten     the security posture within the MAA. Unauthorized conditions include     such things as vent grills out of place, holes in walls, and vault doors     open when not necessary. Unauthorized activities are those that would     lead to unauthorized conditions if the activity is not terminated.     Paragraph 73.45(d) Q: Is it the intent of this paragraph to bring about     substantial changes in material control and accounting practices? A: The intent of this paragraph is primarily to ensure that     strategic special nuclear material is located within an MAA and to     recognize that certain uses of the material within the MAA may need to     be physically separated to make unauthorized removal more difficult.     For example, materials directly usable in a clandestine fission     explosive should be stored in a vault when not actively undergoing     processing, while fuel elements, fuel assemblies, and certain other     materials need not be afforded the same degree of protection because of     their form. Furthermore, areas such as processing and packaging areas     where the material is handled should be controlled separately to provide     additional help in preventing unauthorized removal of the material. A     physical protection system can accomplish the intent of this paragraph     by performing surveillance activities to detect gross occurrences of     unauthorized movement and placement of SSNM. This is not intended to be     a sophisticated control of small quantities of SSNM that would be a     material control and accounting function. Material control and     accounting practices can, however, assist in achieving this capability.     These practices help to accomplish this by (1) defining authorized     placements and movements of SSNM (which should be done in concert with     the physical protection system) and (2) providing procedures for     informing the physical protection system of current authorizations for     placement and movement of materials within the MAA. This includes the     receipt of shipments through MAA portals. Licensees should review their     fundamental nuclear material control (FNMC) plans and submit appropriate     revisions to them to ensure that the above mentioned activities are     covered in their plan.     Paragraph 73.45(e) Q: What is the intended meaning of the term "confirmed forms     and amounts"? A: Confirming the properties and quantities of material     presented for removal, that is, establishing that the material presented     for removal is in fact what it is purported to be, does not imply that     the packages of SSNM presented for removal from the MAA must be opened     and the SSNM scrutinized, weighed, and analyzed at the exit point by     security personnel. Confirmation does require controls on the     packaging, measurement of contents, and sealing of containers prior to     removal. Alternative methods of controlling, packaging, measurement,     and sealing are discussed in Regulatory Guide 5.57. Controls also     should include procedures that permit the exit control security     personnel to determine that the package does in fact contain the     material listed on the packing document. This may be accomplished by     matching the information on the documents accompanying the SSNM with     information on other documents prepared by MBA or ICA personnel or other     personnel who certified the packaging of the material. These documents     are transmitted to the exit control personnel through channels beyond     the control of the individuals making the removal. Also required would     be some form of verification that the package has not been opened or its     integrity otherwise compromised since the MBA or ICA personnel or     inspectors certified the contents. This can be accomplished by the use     of packaging containers of such design that their structural integrity     (or lack thereof) is readily apparent and that are sealed with     tamper-indicating seals (see Regulatory Guide 5.10, "Selection and Use     of Pressure-Sensitive Seals on Containers for Onsite Storage of Special     Nuclear Material," and Regulatory Guide 5.15, "Security Seals for the     Protection and Control of Special Nuclear Material"). Checks on seals     should include both seal integrity and seal identification.     Paragraph 73.45(e) Q: Is it the intent of this capability statement that only the     modes of stealth and force will be used by adversaries to remove SSNM     through the MAA boundary and that only deceit will be used to remove     SSNM through the MAA portal? A: As with other provisions of the rule, the major concern is     for stealthful and forceful attempts to penetrate the MAA boundary     (barriers) and deceitful attempts to pass through the portal. An     adversary using stealth or force to remove material through a portal     would probably select an emergency exit before he would select an exit     control point. However, removal by stealth or force through normal     entry control points should be considered in the design and operation of     the portal. It is also conceivable that an adversary might attempt to     pass SSNM around an SSNM detector by using stealth; however, it is     expected that the portal design would prohibit this.     Paragraph 73.45(e) Q: What is the distinction between the activities of     "authorization" and "verification"? A: Authorization determines what is to be permitted and must     occur before the act of verification. Verification is the process of     determining whether what is happening is or is not authorized.     Paragraph 73.45(e) Q: Is it the intent of this requirement to make changes in     material control and accounting practices? A: Compliance with this paragraph may require changes in     licensee material control and accounting practices and hence their     FNMCs. Measurement and packaging of SSNM is ordinarily performed by     either operational or material control and accounting personnel.     However, controls that ensure that two people have attested to the     contents and witnessed the application of the tamper-indicating seal,     for example, may need to be instituted in advance to levy an overall     internal control system to meet the intent of the regulation. Although     Part 70 presently has requirements for tamper-indicating seals, the     purpose was to allow the use of a previous measurement for     accountability purposes. In this requirement, the intent is to prevent     the theft of SSNM both by a single individual and through collusion.     Therefore, additional control over the seals and the seal records may be     needed. For example, procedures to provide copies of the seal log to     exit control individuals might be developed to ensure that two     individuals have attested to the contents and witnessed the affixing of     the seal and that both of these individuals did not participate in     transferring the material to the exit control point.     Paragraph 73.45(e)(2) Q: Why not confirm the identity and quantity of strategic     special nuclear material "authorized" (rather than "presented") for     removal from a material access area? A: The concern is whether material "presented" for removal     conforms with the identity and quantity of SSNM "authorized" for     removal. "Confirmation" occurs at the time the material crosses the MAA     boundary. "Authorization" must occur before the material is moved to     the MAA boundary. "Confirmation" should be conducted immediately before     departure of the material to preclude tampering.     Paragraph 73.45(f) Q: Is the intent of this requirement similar to the MAA and VA     access controls called for in paragraph 73.45(b)? A: It is similar, although the emphasis is on detection rather     than prevention. This requirement is intended to detect individuals     penetrating the PA or introducing unauthorized materials or vehicles     through PA portals. Therefore, specific authorization for such access     must be presented to the security guards. This capability will     ordinarily be accomplished by intrusion sensors, guard patrols, and     remote assessment of the PA boundary and through personnel and vehicle     searches at the portals.     Section 73.46 Fixed Site Physical Protection Systems, Subsystems,     Components, and Procedures (Reference System) Paragraph 73.46(a) Q: Why are the systems, subsystems, components, and procedures     delineated in Section 73.46 included in the Physical Protection Upgrade     Rule if there are already general performance and capabilities     requirements? A: The level of detail in paragraphs 73.46(b) through 73.46(h)     is included in order to present examples of the types of systems,     subsystems, components, and procedures that would normally be included     in a physical protection system having the level of performance required     of that system in order to be licensed. The required level of     performance is specified in Sections 73.20 and 73.45.     Paragraph 73.46(a) Q: Is there a reference specification provision in Section     73.46 for every capability requirement in Section 73.45? A: Table 1 in Section B of this guide demonstrates that there     is at least one example provision in Section 73.46 for every capability     requirement in Section 73.45. Usually, there are several provisions in     Section 73.46 that apply to each requirement in Section 73.45. A more     detailed discussion of the relationship between these provisions can be     found in Section B.4. of this guide.     Paragraph 73.46(b)(2) Q: What is the meaning of the phrase "members of the security     organization with authority to direct the physical protection     activities"? A: The meaning of the phrase is that someone with specifically     designated authority and a member of the security organization, e.g.,     the Director of Security or the security shift supervisor, must be     onsite at all times and ready to direct the necessary physical     protection activities.     Paragraph 73.46(b)(2) Q: What is the meaning of the term "physical protection     activities"? A: The term includes the full spectrum of activities from     normal guard force duties, through immediate actions required by a     security breach, to reaching response forces and obtaining necessary     assistance.     Paragraph 73.46(b)(3)(i) Q: What is the meaning of the term "other individuals     responsible for security"? A: Other individuals are such management personnel as guard     supervisors, response personnel who are not members of the guard force,     plant security directors, and plant personnel directors.     Paragraph 73.46(b)(3)(ii) Q: Who is the "individual with overall responsibility for the     security functions"? A: Generally, the individual to whom overall facility security     responsibility is delegated is a corporate Vice President, Plant     Manager, or the Plant Director for Security.     Paragraph 73.46(b)(4) Q: Does this provision mean that licensees must submit separate     plans to implement the requirements of Appendix B to Part 73? A: Separate plans will be required to implement the     requirements of Appendix B to Part 73, although these should be related     to and coordinated with the security plan prepared in accordance with     the provisions of the Physical Protection Upgrade Rule.     Paragraph 73.46(c)(2) Q: Are vehicle barriers required along the PA perimeter? A: No. It is not the intent of the regulations to require a PA     barrier capable of resisting a forceful entry attempt using a vehicle.     Paragraph 73.46(c)(5) Q: Does "strategic special nuclear material, other than alloys,     fuel elements or fuel assemblies" mean all SSNM that is in the form of     powder, liquid, or gas? A: Yes, it includes SSNM in solid, liquid, or gaseous states.     Paragraph 73.46(c)(5)(i) Q: Must the penetration time of the vault equal local law     enforcement response time or response time of the facility response     force? A: The penetration time should either be equal to or greater     than the amount of time necessary to deploy a response force capable of     containing and preventing removal of SSNM from the facility by the     external assault threat (a small group, well trained, well equipped,     able to operate as two or more teams, etc.). Depending on site     conditions, the response force with this capability could be an     appropriate mix of onsite and offsite personnel.     Paragraph 73.46(c)(5)(iii) Q: Does the term "significant delay to penetrations" mean that     this MAA barrier must be more formidable than those surrounding alloys,     fuel elements, or assemblies? A: Yes. The purpose of this provision is to make it difficult     for a conspiracy of individuals within the MAA to breach the barrier     without being detected and transfer SSNM to the outside.     Under this provision, all openings in the MAA barrier, such as     areas under doors, through-fans, ventilation ducts, and pipe     passthroughs, that lead to an accessible area outside the MAA should be     completely closed off or specially protected. In addition, the barrier     should be constructed of a material that resists cutting, drilling, and     puncture by small hand tools or tool substitutes. Where possible, all     operations at a facility involving SSNM that has not been alloyed or     encapsulated should be consolidated in a single location that meets this     barrier provision.     Barriers should be inspected at regular intervals to ensure that a     breach is not in process.     The secondary intent of this provision is to provide additional     protection of unalloyed and unencapsulated SSNM in process against     external assault.     Paragraph 73.46(c)(5)(iv) Q: Does the term "except when personally attended" mean that     components and process equipment containing SSNM do not need to be     locked as long as someone is in the MAA? A: No. The only SSNM that does not need to be under lock is     that being processed, handled, worked on, or directly observed by     personnel.     Paragraph 73.46(d)(1) Q: What type of escort is required for a non-employee entering     an MAA or VA? A: Non-employees who require occasional access to an MAA or VA     should be escorted by either a member of the security organization or a     licensee employee who has current authorization to enter that MAA or VA.     Paragraph 73.46(d)(6) Q: Is use of x-ray for package search required by the rule? A: No. X-ray is an acceptable method of conducting package     searches but is not the only method. Substantial technical guidance on     alternative methods to accomplish package searches are contained     elsewhere in the Physical Protection Upgrade Rule Guidance Compendium.     Paragraph 73.46(d)(8) Q: Must a member of the guard force provide escort to personnel     or vehicles that require an escort to enter the PA or may a designating     escort be used? A: A member of the security force should escort vehicles     entering the PA. Individual pedestrians may be escorted within the PA     by either a member of the security force or a licensee employee who has     current authorization to enter the PA.     Paragraph 73.46(d)(9) Q: To meet the need for dual exit searches from MAAs, may one     of the searches be a visual search or must both use electronic     detectors, etc.? A: Visual searches are not considered sufficient to detect     small quantities of concealed SSNM. Electronic SNM detectors should be     used for both searches.     Paragraph 73.46(d)(9) Q: What normally would constitute an acceptable random search? A: A technique that ensures that each individual could be     selected for search each and every time the individual leaves the     material access area.     Paragraph 73.46(d)(14) Q: Does the definition of "termination of employment" include     employees who have been transferred to another work site? A: Yes, it is intended that changes to keys, locks,     combinations, and other related equipment should be made whenever an     employee is transferred to another work site.     Paragraph 73.46(e)(3) Q: Does the requirement that an individual other than the alarm     station operator have knowledge of the opening of unoccupied vaults or     process areas indicate that the individual may be notified some time in     advance of the opening? A: No. The individual should witness the opening, either     directly or through an assessment mechanism such as CCTV.     Paragraph 73.46(e)(3) Q: Is one monitor per each remote CCTV camera required in the     CAS and SAS? A: Not in all cases. Guidelines on appropriate CCTV     configurations are provided in NUREG/CR-0543, "Central Alarm Station and     Secondary Alarm Station Design," and in NUREG-0178, "Basic     Considerations for Assembling CCTV," both of which are contained in the     Physical Protection Upgrade Rule Guidance Compendium.     Paragraph 73.46(e)(7) Q: Does the requirement that the status of all alarms and alarm     zones be indicated in the alarm station mean that both the central alarm     station (CAS) and the secondary alarm station (SAS) have identical     annunciation and alarm control (access, secure, test) capabilities? A: A discussion of which capabilities should be duplicated     between CAS and SAS and how and where to accomplish this is discussed in     NUREG/CR-0543, "Central Alarm Station and Secondary Alarm Station     Design," contained in the Physical Protection Upgrade Rule Guidance     Compendium.     Paragraph 73.46(e)(7) Q: Is the intent of the rule to require a display board in the     CAS/SAS indicating the status of each alarm with a visual display? A: The intent is that the status of each alarm can be     independently determined in real time at each alarm station, i.e., no     "summary alarms."     Paragraph 73.46(g) Q: What is the meaning of the term "other physical protection     related devices"? A: Examples of devices included in this term are:     * Emergency power sources     * Lighting, normal and emergency     * CCTV surveillance systems     * Weapons and other guard equipment     * Security vehicles     * Electronic access control devices     * Search equipment     * Duress alarms     Paragraph 73.46(g)(5) Q: Does the provision for "two individuals working as a team     who have been trained in the operation and performance of the equipment"     mean the electrician and his apprentice or two separate electricians who     do not normally work together? A: The two individuals could be any employees of the licensee     or agents or contractors of the licensee who meet all other requirements     for access. Both should be trained in the operation and performance of     the security equipment involved to the extent that each could detect an     unauthorized alteration of the system by the other.     Paragraph 73.46(g)(5) Q: Do "performance verification tests" differ from "operational     tests"? A: Performance verification tests are an abbreviated form of     operational tests. Operational tests are rigorous and systematic tests     conducted on every zone of every alarm system at prescribed intervals.     Performance verification tests involve testing the performance     characteristics of only those functions that were likely to be affected     by the maintenance activities in question.     Paragraph 73.46(g)(6) Q: Does the provision for "individuals independent of both     security management and security supervision" mean that someone outside     the security program must conduct the review? A: Yes, the intent is to have a management review by persons     other than those responsible for the security programs.     Paragraph 73.46(h)(3) Q: What is the minimum composition of the response force and     other armed personnel that should be available to cope with safeguards     contingencies? A: This provision envisions five armed guards totally committed     to the physical security effort being available for response and     assessment of safeguards contingencies. The number of "additional"     guards or other appropriately trained (in accordance with Appendix B)     and armed personnel who must also be available for backup cannot be     predetermined on a generic basis. This must be done on a site-by-site     basis, giving due consideration to such factors as (1) the size,     location, competence, and reliability of the local law enforcement     agency; (2) the ease or difficulty with which the site can be approached     undetected; (3) the ease with which escape from the site can be made;     and (4) the general attitude of the local population toward the site and     its management. These are the kinds of considerations that should     influence the licensee's determination of the number of available armed     personnel as expressed in the physical protection plan.     Paragraph 73.46(h)(3) Q: May guards and armed response personnel have other duties or     must they be dedicated to the response function? A: Guards and armed response personnel can have other duties as     long as such duties do not interfere with their response to a safeguards     contingency. Normally, it is expected that the response force would be     made up of guards who have routine duties other than response, other     members of the licensee's organization who are qualified and trained in     accordance with Appendix B, and guards from the licensee's organization     who may be located at a facility that is adjacent to the protected area.     Guards manning the alarm stations have continuing duties in case of an     assault and are not considered to be part of the response force.     Paragraph 73.46(h)(6) Q: What are some of the measures that can be used to     "facilitate the initial response to detection of penetration of the     protected area and assessment of the existence of a threat"? A: To facilitate prompt assessment and initial response to the     detection of questionable activity at or in the vicinity of the     protected area perimeter, a capability of observing the isolation zones     and the physical barrier should be provided. Such means as     closed-circuit television (CCTV), hardened observation posts, armored     response vehicles, and various combinations of these might be used. The     employment of such physical security systems should be governed by the     following considerations. 1. CCTV. Coverage should include the entire perimeter,     isolation zones, and, to the extent possible, the clear areas between     barriers. Cameras on remotely controlled pan and tilt mechanisms may be     used for optimum effectiveness. If, however, fixed position cameras are     used, the field of view normally would not need to extend beyond the     isolation zones. Such limitation should allow concentration within the     areas of primary concern. Low-light-level CCTV cameras are most     desirable for this purpose owing to their effectiveness during periods     of reduced visibility. 2. Hardened Observation Posts. Hardening should be to a level     at least equivalent to that of the alarm stations. Such posts should be     located so that an unobstructed view of the perimeter and isolation zone     that is supposed to be monitored is available. The posts should also     have direct communication and alerting capability with the alarm     stations, including duress alarms, in order to avoid delay in the     transmission of information concerning any threatening event. 3. Armored Response Vehicles. Such vehicles should be armored     to a level at least equivalent to that of the alarm stations. They     should be capable of reaching a defensive position at any part of the     perimeter barrier. Response to such a position must be sufficiently     rapid to prevent intruders from reaching and breaching a second barrier     without direct visual contact and opportunity for confrontation by the     response force. The vehicles should be equipped with duress codes that     can be easily activated through the mobile radio.     Assessment is a continuing process of evaluating the security     situation and deciding whether or not conditions that dictate the     initiation of a response exist. The assessment functions of security     personnel and systems such as that described above are important to the     achievement of the objectives of a perimeter protection system.     Personnel selected for any of the positions that have an assessment role     (e.g., observation posts and alarm stations) should be highly competent     and dependable. Furthermore, they should have the unquestionable     authority to alert the response force and, in the case of those within     the alarm stations, to request assistance from offsite forces.     Paragraph 73.46(h)(7) Q: Why are security personnel assessing alarms within     unoccupied vaults and unoccupied material access areas containing     unalloyed or unencapsulated SSNM required to use only remote means to     assess these alarms? A: There are two reasons for this provision. First, to     maintain the designed delay time built into vaults, the doors should be     kept closed and locked, especially at night and during offshifts. The     remote assessment would preclude an adversary from intentionally using a     false alarm as a means of getting the vault opened. Second, the use of     remote assessment techniques prevents the two responding guards from     having access to material access areas and the SSNM. A possible     alternative would be to use a team of personnel (more than two) to     investigate the source of the alarm. D. IMPLEMENTATION     This section provides information to applicants and licensees     regarding the staff's plans for using this regulatory guide.     Except in those cases in which the applicant proposes an     acceptable alternative, after publication of this guide the Commission's     staff will use the intents and understandings described herein as one     aid for evaluating an applicant's or licensee's capability to conform to     the performance-oriented physical protection requirements in the     Physical Protection Upgrade Rule.     14