Publication Date: 6/1/80
    Pages: 20
    Date Entered: 2/23/84
    Title: INTENT AND SCOPE OF PHYSICAL PROTECTION UPGRADE RULE REQUIREMENTS FOR FIXED SITES
    June 1980
    U.S. NUCLEAR REGULATORY COMMISSION
    REGULATORY GUIDE
    OFFICE OF STANDARDS DEVELOPMENT
    REGULATORY GUIDE 5.61
    INTENT AND SCOPE OF THE PHYSICAL PROTECTION UPGRADE RULE
    REQUIREMENTS FOR FIXED SITES
A. INTRODUCTION
    On November 28, 1979, strengthened physical protection
    requirements for fuel cycle facilities and transportation involving
    formula quantities of strategic special nuclear material were published
    in the Federal Register (44 FR 68184). The "Physical Protection Upgrade
    Rule" is the short title for these requirements. This guide provides
    information to assist in understanding the physical security
    requirements for fuel cycle facilities set forth in Sections 73.1,
    73.20, 73.45, and 73.46 of the Physical Protection Upgrade Rule.
    Section B, "Discussion," provides an overview of the major sections of
    the rule and discusses (1) how the Physical Protection Upgrade Rule is
    structured, (2) what the purposes of its major provisions are, and (3)
    what interrelationships exist among the three major portions of the rule
    that contain requirements for the physical protection of fixed sites.
    Section C, "Regulatory Position," attempts, by means of a question and
    answer format, to explain why certain fixed site requirements are
    included in the rule and to clarify the intent of these requirements.
B. DISCUSSION
    This section is intended to give the reader a broad overview of
    the structure of the Physical Protection Upgrade Rule as it applies to
    fixed sites and the purpose of its major provisions. A review of the
    threat statement is included. The Physical Protection Upgrade Rule is
    structured in three distinct levels; two are essentially performance
    oriented and the third, a reference physical protection system, is
    specification oriented.
1. Purpose and Scope: Section 73.1 (Threat Statement)
    Paragraphs 73.1(a)(1) and (a)(2) describe the types of threats
    against which the physical protection system must be effective.
    Distinctions are made between the overall protection level to be
    provided against radiological sabotage and that required against theft
    or diversion of SSNM.
    For radiological sabotage, two basic adversary types are defined.
    The first is an external assault by several persons in which the
    attackers are assumed to be well armed, well trained, and able to obtain
    inside help. The second postulated adversary is a single insider who
    may be employed in any position and who may have an NRC or DOE security
    clearance.
    For theft or diversion, the basic external assault threat is
    similar to that for radiological sabotage, except that the adversaries
    are assumed to be capable of operating as two or more teams. The
    internal theft or diversion threat is markedly different from that for
    radiological sabotage in that it also includes a conspiracy among
    individuals either with access to and knowledge of facilities and
    activities or equipped with items that could facilitate theft of
    material subject to this rule.
2. General Performance Objective and Requirements: Paragraphs
    73.20(a) and (b)
    The general performance objective and requirements are referenced
    to the threat statements of Section 73.1, wherein appropriate design
    basis threats for protecting against radiological sabotage and
    preventing theft of special nuclear material are specified.
    Paragraph 73.20(a) is the first of the two performance-oriented
    levels and sets forth the rule's basic parameters. This paragraph states
    who is covered by these regulations; i.e., licensees authorized to
    operate fuel reprocessing plants pursuant to 10 CFR Part 50, licensees
    who operate facilities that possess or use formula quantities of
    strategic special nuclear materials, and licensees involved in the
    transport or delivery of formula quantities of strategic special nuclear
    material, including import and export. On an interim basis, non-power
    reactors are not subject to the Physical Protection Upgrade Rule
    requirements. It further states that those covered by these regulations
    must establish and maintain or make arrangements for a physical
    protection system which will have as its objective to provide high
    assurance that activities involving special nuclear material are not
    inimical to the common defense and security and do not constitute an
    unreasonable risk to the public health and safety.
    Paragraph 73.20(b) describes how licensees covered by these
    regulations are to provide effective physical protection systems meeting
    the general performance objective of paragraph (a) of section 73.20. To
    meet the general performance objective, a licensee must establish and
    maintain or arrange for a physical protection system. That physical
    protection system must include the characteristics defined in paragraphs
    (b)(1) through (b)(3), which require that the physical protection system
    (1) provide the performance capabilities of section 73.45, (2) be
    designed with redundancy and diversity, and (3) include a testing and
    maintenance program as described therein.
3. Performance Capabilities for Fixed Site Physical Protection:
    Section 73.45
    Paragraph 73.20(b)(1) provides a direct link between the general
    performance requirements and the performance capabilities that comprise
    the second of the performance-oriented levels. This paragraph states
    that, in order to meet the general performance requirements of paragraph
    73.20(a), a licensee must establish and maintain or arrange for a
    physical protection system that provides the performance capabilities
    described in Section 73.45 for fixed site protection unless otherwise
    authorized by the Commission. Thus, a physical protection system must
    be designed to satisfy the performance capabilities in order to meet the
    objective of providing high assurance of preventing the theft of SSNM
    and protecting against radiological sabotage by the previously described
    adversaries.
    Because the adversary may consist of insiders operating alone or
    in combination with persons without authorized access, the adversary is
    able to initiate his activities inside as well as outside the facility.
    In order to provide the required level of assurance, the physical
    protection system must be able to detect, assess, and respond to
    unauthorized acts initiated at any point outside or inside the facility.
    The performance capabilities necessary to provide assurance that the act
    will be prevented may, therefore, be viewed as a series of four
    protection layers that detect and respond to an unauthorized act
    initiated at any point.
    Starting from the facility perimeter and working inward, the first
    protection layer consists of the performance capability delineated in
    paragraph 73.45(f), which is to provide for authorized access and assure
    detection of and response to unauthorized penetrations of the protected
    area. This performance capability is the first line of defense against
    external groups, but does not provide protection against persons or
    material with authorized access to the facility. The second protection
    layer is the performance capability delineated in paragraph 73.45(b),
    which is to prevent unauthorized access of persons and materials into
    material access areas and vital areas. This performance capability
    denies unauthorized access to a material access area or a vital area but
    is still not effective against adversaries with authorized access to a
    material access area or a vital area. This problem is addressed by the
    third layer of performance capabilities delineated in paragraph 73.45(c)
    which requires that the physical protection system permit only
    authorized activities and conditions within protected areas, material
    access areas, and vital areas, and paragraph 73.45(d) which requires
    that the physical protection system permit only authorized placement and
    movement of strategic special nuclear material within material access
    areas. These two performance capabilities ensure that, even in cases in
    which the adversary is authorized access to material access areas or
    vital areas and is authorized to handle and move SSNM, the physical
    protection system will be capable of detecting the unauthorized
    adversary act and initiating an effective response. The fourth
    protection layer permits the removal of only authorized and confirmed
    forms and amounts of strategic special nuclear material from material
    access areas (paragraph 73.45(e)).
    The final performance capability [paragraph 73.45(g)] is that the
    physical protection system must provide a response capability to assure
    that the five capabilities described in paragraphs (b) through (f) of
    Section 73.45 are achieved. In cases where the adversary initiates
    action outside the facility or in the facility's protected areas, he
    will face redundant protection in the several layers of performance
    capabilities remaining between him and his objective. But, again, the
    primary purpose for this layering of performance capabilities is to
    ensure that an unauthorized act by an adversary will be detected as soon
    as it is initiated, regardless of who the adversary is or where within
    the facility he is located.
    The proper implementation of these performance capabilities will
    provide the desired high assurance that the physical protection system
    can prevent the theft of strategic special nuclear material and protect
    against radiological sabotage by any of the postulated adversaries at
    any given time.
4. Fixed Site Physical Protection Systems, Subsystems, Components,
    and Procedures: Section 73.46 (Reference System)
    Regulatory guidance to assist in ensuring the proper
    implementation of the performance capabilities identified in Section
    73.45 in the design of a physical protection system is contained in
    Section 73.46 and constitutes the third major level of the Physical
    Protection Upgrade Rule. Section 73.46 delineates those safeguards
    measures that usually will be included in a physical protection system
    that satisfies the performance capability requirements. In order to
    clarify the relationship between the reference system in Section 73.46
    and the performance capabilities in Section 73.45, Table 1 has been
    developed. This table is organized by performance capability, with each
    capability function and subfunction designated in the rule as necessary
    to achieve that performance capability listed as a separate column
    heading. Under each heading are listed all the provisions from the
    reference system (Section 73.46) that fulfill some portion of that
    function or subfunction. The table shows how the reference system may be
    used to provide the functions or subfunctions necessary to each
    performance capability and thus to achieve each performance capability
    itself. The table provides several types of information on how
    safeguards measures can be used to help satisfy a required function or
    subfunction. In providing this information, various situations must be
    considered. For fixed sites, the reference system must consider
    situational and timing differences (for example, working hours versus
    non-working hours).
    The column headed by paragraph 73.45(b)(2)(ii) provides an
    example. This paragraph deals with entry controls and procedures for
    the detection of attempts to gain unauthorized access into material
    access areas and vital areas by deceit. The paragraphs from the
    reference system that comprise the body of the column contain components
    and measures for dealing with entry attempts by employees, non-employees
    requiring frequent access, visitors, individuals with NRC or DOE
    material access authorizations, vehicles, and materials. There are also
    safeguards measures listed for key, lock, and combination control and
    for communications. Thus, the reference system contains different ways
    of providing these subfunctions of the performance capability under
    different circumstances. Some of the activities, equipment, and design
    features needed to provide the functions and subfunctions are not time
    sensitive (that is, they must be in effect or be operational at all
    times). Physical barriers, for example, are not the type of safeguards
    measure that needs to be effective only at certain times.
    To provide this same high assurance of protection over time,
    paragraph 73.20(b) of the general performance requirements contains two
    additional requirements: redundancy and diversity, and testing and
    maintenance.
5. Redundancy and Diversity: Paragraph 73.20(b)(2)
    Paragraph 73.20(b)(2) requires that the physical protection system
    be designed with sufficient redundancy and diversity to assure
    maintenance of the capabilities described in section 73.45. To provide
    protection against the failure of physical protection system measures
    that would cause a performance capability not to be satisfied, the
    system must be designed with redundancy and diversity. That is,
    redundant and diverse means of providing functions or subfunctions must
    be included to ensure that no single adversary act or no single
    safeguards-measure failure will cause the overall system to fail.
    Redundancy means providing more than one measure (which may be the same
    measure duplicated) to perform a given function or subfunction.
    Diversity means providing two or more different kinds of measures that
    all perform or contribute to the same function or subfunction but that
    have different operating characteristics (such as sensitivities, failure
    modes, strengths, and weaknesses).
    Table 1 is useful in clarifying the role of redundancy and
    diversity in the physical protection system. Paragraph 73.46(g)(5) of
    the reference system implies that redundancy and diversity are not
    required everywhere, but only in those cases in which the effectiveness
    of the physical protection system would be compromised by failure or
    other contingencies. As stated in paragraph 73.20(b), this means that
    the physical protection system must be designed with sufficient
    redundancy and diversity to assure maintenance of the capabilities
    described in Section 73.45. In terms of information provided by the
    table, this means that components providing redundancy and diversity
    will not be found in every column, but only in those in which the
    criteria of the reference system make their inclusion warranted. Thus,
    in providing the functions and subfunctions of the performance
    capabilities as shown through the columns on the table, guidance is
    given showing the usual level for redundancy and diversity needed to
    satisfy paragraph 73.20(b)(2).
6. Testing and Maintenance: Paragraph 73.20(b)(3)
    Paragraph 73.20(b)(3) requires the physical protection system to
    include a testing and maintenance program to assure control over all
    activities and devices affecting the effectiveness, reliability, and
    availability of the physical protection system, including a
    demonstration that any defects of such activities will be corrected for
    the total period of time they are required as a part of the physical
    protection system. This requirement is intended to ensure that all
    procedures and hardware will remain effective, reliable, and available
    at all times. This requires programs to promptly detect any defects and
    to correct them in a timely manner. It also requires a program to
    provide alternative measures to replace the capabilities lost while the
    maintenance and repair is being accomplished.
    Testing and maintenance that normally will be included in a system
    providing the capabilities required by paragraph 73.20(b)(3) are
    described in paragraph 73.46(g) of the reference system. In order to
    ensure that required performance capability functions or subfunctions
    are performed, the reference system provides guidance for a testing and
    maintenance program. The purpose of any testing and maintenance program
    should be to ensure continued operation of the safeguards measures that
    are used to provide those functions or subfunctions.
    Table 1 delineates reference system maintenance provisions
    corresponding to the appropriate performance capabilities of Section
    73.45.
C. REGULATORY POSITION
    This section provides the rationale for and clarifies the intent
    of particular requirements for fixed sites in the Physical Protection
    Upgrade Rule.
    Section 73.1 Purpose and Scope (Threat Statement)
    Q: Is there more concern for theft of SNM than for radiological
    sabotage?
    A: The threat statements reflect the position that there is a
    greater risk to the public from theft of SNM at a fuel cycle facility
    than from radiological sabotage because of the type and form of SNM
    actually located at existing fuel cycle facilities. Therefore, it is
    necessary for licensees' physical protection systems to provide a level
    of assurance that is consistent with the higher potential damage to the
    national security and public health and safety.
    (Due to database constraints, Table 1 is not included. Please contact
    LIS to obtain a copy.)
    Q: Is there any reason why the number of adversaries has not
    been specified?
    A: Yes. Threat analysis has shown that basing defense
    capabilities on a predetermined number of postulated adversaries can be
    misleading. Given the dynamic nature of the threat and the significance
    of behavior as well as resource characteristics in determining adversary
    effectiveness, it was felt that protection against an adversary with a
    composite of characteristics across a spectrum of threat levels would
    constitute a more prudent performance objective.
    Paragraph 73.1(a)(1)(i)
    Q: Is "hand-carried equipment" intended to include toxic gases
    and antipersonnel ordnance?
    A: It is intended that the term "hand-carried" include
    incapacitating agents (tear gas, mace, tranquilizers, etc.) but not
    poisonous gases, and that adversaries will have available to them
    antipersonnel ordnance (hand grenades, claymore mines, etc.). These
    two adversary attributes indicate that unprepared guards or other
    response force personnel may be rendered ineffective either prior to
    engaging the adversary or much more easily during the engagement. The
    attributes also imply that response force personnel must have special
    equipment and receive special training to counter these capabilities.
    Paragraph 73.1(a)(2)
    Q: Is there any special reason why the adversaries have "the
    ability to operate as two or more teams?"
    A: The ability to operate as two or more teams implies that (1)
    the adversary may be able to split the response force into several
    groups, thereby reducing the firepower that the response forces can
    concentrate in any area during an engagement or (2) the adversary may be
    able to fix the response force in one location by having one team engage
    the response force while another team maneuvers and completes the theft
    mission. This adversary attribute has a potential impact on the number
    of response force personnel that may be required and the response
    tactics they may employ.
    Paragraph 73.1(a)(1) and (a)(2)
    Q: Do the knowledgeable individual who renders inside
    assistance and the conspirators possess the same adversary attributes as
    the "small group of external attackers"?
    A: It is expected that anyone who supports the adversaries'
    actions will be capable of acquiring the same training as the most
    sophisticated members of the adversary's group. However, because of the
    nature of the level of protection required by these regulations it is
    not expected that the single insider or the conspirators will have
    available to them all of the weapons, ordnance, or special tools that
    are considered the attributes of the "small group of external
    attackers." However, if the insider is a guard or perhaps an armed
    response individual, he may possess some of the armament referenced in
    the rule. The prescribed upgrade rule protective measures should limit
    the quantity and quality of the weapons and ordnance that can be
    introduced into a facility prior to initiation of the theft or sabotage
    sequence.
    Paragraph 73.1(a)(2)
    Q: Is it the intent of the conspiracy threat statement that the
    physical protection system provide a capability to prevent collusion
    between more than two insiders?
    A: It is the intent of the regulations that those design
    features of the physical protection system that are affected by the
    number of insiders in collusion be effective against two colluding
    individuals. It is expected that some measure of protection will be
    afforded against larger colluding groups as a result of those features
    designed to counteract two colluding individuals. Also, the larger the
    colluding group, the higher the probability it will be detected.
    Section 73.20 General Performance Objective and Requirements
    Paragraph 73.20(b)(2)
    Q: What is the general scope of the "redundancy and diversity"
    requirement?
    A: The physical protection system must be designed with
    redundant and diverse measures sufficient to ensure that the system will
    remain capable of providing the necessary level of protection under
    adverse conditions causing the failure of some elements of the system.
    Redundancy means providing several measures (which may be the same
    measure duplicated) to perform the same function or subfunction in order
    to prevent failure of the entire system on the failure of a single
    measure. The performance of any given capability must not be so
    dependent on any one measure that failure of that measure prevents
    adequate performance of the capability.
    Diversity means providing different kinds or types of measures
    that contribute to the performance of a given security function or
    subfunction. By providing various measures that have differing
    operating characteristics (sensitivities, failure modes, strengths, and
    weaknesses), the continued performance of a given capability is ensured
    regardless of the failure of one such characteristic.
    An example of pure redundancy is the use of two microwave
    perimeter intrusion alarm systems installed in parallel and provided
    with independent annunciators and power supplies. If one of the two
    microwave perimeter intrusion alarm systems is replaced with a
    fence-mounted intrusion detection system, both redundancy and diversity
    have been achieved.
    A more abstract example of redundancy and diversity would be the
    use of a perimeter intrusion alarm system (any technology) with a
    low-light-level (LLL) closed circuit protected area television
    surveillance system equipped with a motion detection capability. For
    example, a primary perimeter intrusion detection system could be an
    infrared (IR) system and a redundant secondary capability would be
    provided by the motion detection feature of the CCTV system. A tertiary
    intrusion detection capability would be provided by manual observation
    of the CCTV monitors. A fourth detection capability could be provided
    by the guard patrols. Diversity of the perimeter detection capability
    thus is provided by different types of technology used to detect the
    intrusion. Further diversity is provided by the fact that the LLL CCTV
    cameras may be designed to work during the failure of the perimeter
    lighting system.
    Paragraph 73.20(b)(2)
    Q: In what manner will the redundancy and diversity requirement
    aid in the protection against the insider or the conspiracy threat?
    A: Whether the threat arises from an insider, a conspiracy, or
    outsiders, redundancy and diversity provide additional elements that
    must be overcome by the adversary to steal SSNM or commit radiological
    sabotage. These additional elements improve protection by requiring,
    for example, the adversary to spend more time in learning system
    functions and more time in attempting to disarm or compromise a series
    of systems instead of just one.
    Paragraph 73.20(b)(3)
    Q: What is the general meaning of the requirement of a "testing
    and maintenance program to assure control over activities and devices
    affecting the effectiveness, reliability, and availability of the
    physical security system" and "a demonstration that any defects of such
    activities and devices will be promptly detected and corrected"?
    A: The physical protection system should include a testing and
    maintenance program that addresses all elements of the physical
    protection system and will ensure that all elements remain operating as
    they are supposed to and that all elements will operate at all times,
    including under adverse conditions. Testing means procedures to confirm
    that the individual measures of the safeguards system are performing as
    designed and intended and are, therefore, providing the appropriate
    functions and capabilities. Maintenance means not only the repair or
    replacement of hardware components, but also the review and possible
    revision of orders establishing procedures that may be necessary to keep
    physical security systems and subsystems operating effectively.
    The testing and maintenance program should be designed to ensure
    that failures or defects in safeguards measures will be detected
    promptly and corrected promptly. Both preventive maintenance and repair
    capabilities are needed. Correction of failures or defects should not
    be merely temporary fixes but should remedy the fundamental problem and
    prevent a recurrence of the failure or defect.
    Paragraph 73.20(b)(3)
    Q: What is the intent of the need "to assure control over all
    activities and devices affecting the effectiveness, reliability, and
    availability of the physical protection system"?
    A: It is clear that such security devices as alarms and CCTV
    must be tested and maintained to ensure reliability and availability.
    However, it is not so obvious, for example, that, if criticality alarms
    are activated falsely or illicitly, they pose a significant problem to
    the integrity of the physical security system. This problem exists
    because these alarms create the impression of an emergency situation
    that requires emergency evacuations. These evacuations reduce the level
    of protection for a period of time and provide paths for adversaries to
    enter or exit the MAA and remove material through an unprotected portal.
    Therefore, the testing and maintenance program should ensure that such
    devices are kept in good working order and that illicit activities
    cannot cause the effectiveness of the physical protection system to be
    impaired.
    Examples of activities that might cause criticality alarms to
    activate erroneously are (1) setting the detection threshold too low and
    (2) simulating an alarm condition on the signal lines.
    Examples of controls over the above activities that might reduce
    the probability that these erroneous alarms occur are (1) close
    supervision by knowledgeable security personnel of the calibration
    process and (2) placing criticality alarms out of reach where possible,
    enclosing signal lines in conduits, and tamper protecting detection
    circuitry.
    Paragraph 73.20(b)(3)
    Q: What are considered defects of activities and devices?
    A: Examples of defects in activities that affect the
    reliability, effectiveness, and availability of the physical protection
    system are (1) incomplete guard rounds, (2) improper vault opening or
    closing procedures, (3) escort duties that are not taken seriously, (4)
    delay in removal of snow from between perimeter infrared intrusion alarm
    detectors that are in constant alarm, and (5) failure to properly
    calibrate portal detectors.
    Examples of defects in devices that affect the physical protection
    system are (1) tamper switches that stick in the closed or secure
    position, (2) alarm components that do not alarm when they lose power,
    (3) signal lines that have line supervision that is not functioning
    according to specifications, (4) exterior equipment enclosures that fill
    with rain and cause equipment failures because they are not properly
    waterproofed, and (5) unacceptable degradation in detection performance
    of alarm systems because of other environmental conditions such as high
    winds.
    Paragraph 73.20(b)(3)
    Q: What is a "demonstration that any defects...will be
    ...detected and corrected"?
    A: Examples of effective demonstrations would be procedures
    that (1) cause tamper switches to be physically activated, (2) cause
    alarm systems to actually operate on emergency power, and (3) measure
    line supervision tolerances.
    Paragraph 73.20(b)(3)
    Q: Does the requirement for a testing program imply the need
    for adversary type testing?
    A: Testing does not imply that the licensee should conduct
    exercises in which individuals assume the roles and characteristics of
    adversary groups and attempt to commit adversary actions. Drills in
    which an alarm is sounded (but for which there is no simulated
    adversary) and the security force's response times and knowledge of
    contingency plans are demonstrated constitute an appropriate and
    effective test method. The manner in which the alarm is caused to sound
    can be used to test its sensitivity, and the location of the alarm
    selected can be used to test the adequacy of the alarm display and
    assessment functions.
    Paragraph 73.20(c)(2)
    Q: What activities constitute "new construction, significant
    physical modification of existing structures or major equipment
    modifications," and what kind of evidence that these activities are
    actually being planned is necessary to permit a delay in implementation
    to be authorized?
    A: The intent of this provision is to permit a delay in
    implementing those safeguards measures that require lengthy procurement,
    installation/modification/construction periods, and testing before they
    can become an integral part of the physical protection system. The
    licensee should be prepared to show proof, if requested, in the form of
    signed contracts that clearly indicate the dates of delivery or
    completion of the subject components or measures, and the name and
    address of the vendors and contractors. For every measure in which
    there is an implementation delay, temporary measures that achieve a
    comparable level of protection will be expected.
    Section 73.45 Performance Capabilities for Fixed Site Physical
    Protection Systems
    Q: Is it necessary for some capabilities to be maintained
    during both normal and emergency conditions? Which ones are they?
    A: The following paragraphs contain requirements to maintain
    the expressed capabilities during both normal and emergency conditions:
    73.45(b)(1) and 73.45(b)(2)
    73.45(c)(1)
    73.45(e)(1) and 73.45(e)(2)
    73.45(f)(1) and 73.45(f)(2)
    Paragraph 73.45(b)
    Q: Why doesn't this capability statement also include a
    requirement for preventing unauthorized access of persons and materials
    into the protected area?
    A: Because it has been determined that it is not always
    possible to prevent the unauthorized access of materials or persons into
    the protected area (PA). Materials can be passed through or thrown over
    PA barriers, and an external group can penetrate the barriers before the
    response force has sufficient time to reach the point of penetration.
    The PA barrier forms only the first of a series of defense-in-depth
    systems the adversary must compromise in order to effect SSNM theft or
    sabotage.
    Paragraphs 73.45(b)(1) and (b)(2)
    Q: Paragraph 73.45(b)(1) is concerned with adversaries who
    attempt to gain access or introduce material across MAA or VA boundaries
    using stealthful or forceful tactics. Is it not reasonable to speculate
    that adversaries might consider the use of stealth or force to introduce
    unauthorized materials or gain unauthorized access into an MAA or VA
    through entry control points?
    A: The boundaries referred to in the rule include the entry
    control points for the purposes of stealth or force.
    Paragraph 73.45(b)(2)
    Q: How do "entry criteria" differ from "authorization controls
    and procedures" and "authorization schedules"?
    A: Detecting attempts to gain unauthorized access into MAAs or
    VAs by deceit will require the establishment of access authorization
    controls and procedures to provide current authorization schedules and
    entry criteria for both persons and materials. Access authorization
    controls and procedures constitute the administrative process of
    determining which persons and materials have a legitimate need to enter
    a given MAA or VA and at what time or under what conditions this need
    exists. Current authorization schedules will document for entry control
    personnel which persons and materials are authorized access and the
    times or conditions for such authorized access. Entry criteria are the
    aggregate of many pieces of information to be considered or checked in
    determining whether or not a person or material is authorized entry to
    that MAA or VA at that time or under those circumstances.
    Paragraph 73.45(b)(2)(ii)
    Q: What is the intended meaning of the requirement to verify
    the identity of materials prior to introduction into an MAA?
    A: This requirement is intended to ensure that all materials
    entering an MAA are searched for contraband and that comparisons of
    shipping documents with package identification and authorization
    schedules are made. In the case of receipts of SSNM, this requirement
    does not imply that the packages of SSNM presented for entry into the
    MAA must be opened and the SSNM scrutinized, weighed, and analyzed at
    the entry point by security personnel. Authorization to receive this
    material must be transmitted to entry control security personnel through
    channels independent of the shipper. SSNM content may be verified by
    matching information on the shipping documents with that on the
    containers. Also required would be some form of verification that the
    package has not been opened or its integrity otherwise compromised.
    This can be accomplished by the examination of both the container and
    the tamper-indicating devices affixed to it.
    Paragraph 73.45(c)
    Q: What is meant by "unauthorized activities and conditions"?
    A: The intent of this capability is to ensure that procedures
    that are consistent with sound security practices are maintained within
    the MAAs and VAs. The focus is on the security system detecting,
    primarily through surveillance, activities and conditions that threaten
    the security posture within the MAA. Unauthorized conditions include
    such things as vent grills out of place, holes in walls, and vault doors
    open when not necessary. Unauthorized activities are those that would
    lead to unauthorized conditions if the activity is not terminated.
    Paragraph 73.45(d)
    Q: Is it the intent of this paragraph to bring about
    substantial changes in material control and accounting practices?
    A: The intent of this paragraph is primarily to ensure that
    strategic special nuclear material is located within an MAA and to
    recognize that certain uses of the material within the MAA may need to
    be physically separated to make unauthorized removal more difficult.
    For example, materials directly usable in a clandestine fission
    explosive should be stored in a vault when not actively undergoing
    processing, while fuel elements, fuel assemblies, and certain other
    materials need not be afforded the same degree of protection because of
    their form. Furthermore, areas such as processing and packaging areas
    where the material is handled should be controlled separately to provide
    additional help in preventing unauthorized removal of the material. A
    physical protection system can accomplish the intent of this paragraph
    by performing surveillance activities to detect gross occurrences of
    unauthorized movement and placement of SSNM. This is not intended to be
    a sophisticated control of small quantities of SSNM that would be a
    material control and accounting function. Material control and
    accounting practices can, however, assist in achieving this capability.
    These practices help to accomplish this by (1) defining authorized
    placements and movements of SSNM (which should be done in concert with
    the physical protection system) and (2) providing procedures for
    informing the physical protection system of current authorizations for
    placement and movement of materials within the MAA. This includes the
    receipt of shipments through MAA portals. Licensees should review their
    fundamental nuclear material control (FNMC) plans and submit appropriate
    revisions to them to ensure that the above mentioned activities are
    covered in their plan.
    Paragraph 73.45(e)
    Q: What is the intended meaning of the term "confirmed forms
    and amounts"?
    A: Confirming the properties and quantities of material
    presented for removal, that is, establishing that the material presented
    for removal is in fact what it is purported to be, does not imply that
    the packages of SSNM presented for removal from the MAA must be opened
    and the SSNM scrutinized, weighed, and analyzed at the exit point by
    security personnel. Confirmation does require controls on the
    packaging, measurement of contents, and sealing of containers prior to
    removal. Alternative methods of controlling, packaging, measurement,
    and sealing are discussed in Regulatory Guide 5.57. Controls also
    should include procedures that permit the exit control security
    personnel to determine that the package does in fact contain the
    material listed on the packing document. This may be accomplished by
    matching the information on the documents accompanying the SSNM with
    information on other documents prepared by MBA or ICA personnel or other
    personnel who certified the packaging of the material. These documents
    are transmitted to the exit control personnel through channels beyond
    the control of the individuals making the removal. Also required would
    be some form of verification that the package has not been opened or its
    integrity otherwise compromised since the MBA or ICA personnel or
    inspectors certified the contents. This can be accomplished by the use
    of packaging containers of such design that their structural integrity
    (or lack thereof) is readily apparent and that are sealed with
    tamper-indicating seals (see Regulatory Guide 5.10, "Selection and Use
    of Pressure-Sensitive Seals on Containers for Onsite Storage of Special
    Nuclear Material," and Regulatory Guide 5.15, "Security Seals for the
    Protection and Control of Special Nuclear Material"). Checks on seals
    should include both seal integrity and seal identification.
    Paragraph 73.45(e)
    Q: Is it the intent of this capability statement that only the
    modes of stealth and force will be used by adversaries to remove SSNM
    through the MAA boundary and that only deceit will be used to remove
    SSNM through the MAA portal?
    A: As with other provisions of the rule, the major concern is
    for stealthful and forceful attempts to penetrate the MAA boundary
    (barriers) and deceitful attempts to pass through the portal. An
    adversary using stealth or force to remove material through a portal
    would probably select an emergency exit before he would select an exit
    control point. However, removal by stealth or force through normal
    entry control points should be considered in the design and operation of
    the portal. It is also conceivable that an adversary might attempt to
    pass SSNM around an SSNM detector by using stealth; however, it is
    expected that the portal design would prohibit this.
    Paragraph 73.45(e)
    Q: What is the distinction between the activities of
    "authorization" and "verification"?
    A: Authorization determines what is to be permitted and must
    occur before the act of verification. Verification is the process of
    determining whether what is happening is or is not authorized.
    Paragraph 73.45(e)
    Q: Is it the intent of this requirement to make changes in
    material control and accounting practices?
    A: Compliance with this paragraph may require changes in
    licensee material control and accounting practices and hence their
    FNMCs. Measurement and packaging of SSNM is ordinarily performed by
    either operational or material control and accounting personnel.
    However, controls that ensure that two people have attested to the
    contents and witnessed the application of the tamper-indicating seal,
    for example, may need to be instituted in advance to levy an overall
    internal control system to meet the intent of the regulation. Although
    Part 70 presently has requirements for tamper-indicating seals, the
    purpose was to allow the use of a previous measurement for
    accountability purposes. In this requirement, the intent is to prevent
    the theft of SSNM both by a single individual and through collusion.
    Therefore, additional control over the seals and the seal records may be
    needed. For example, procedures to provide copies of the seal log to
    exit control individuals might be developed to ensure that two
    individuals have attested to the contents and witnessed the affixing of
    the seal and that both of these individuals did not participate in
    transferring the material to the exit control point.
    Paragraph 73.45(e)(2)
    Q: Why not confirm the identity and quantity of strategic
    special nuclear material "authorized" (rather than "presented") for
    removal from a material access area?
    A: The concern is whether material "presented" for removal
    conforms with the identity and quantity of SSNM "authorized" for
    removal. "Confirmation" occurs at the time the material crosses the MAA
    boundary. "Authorization" must occur before the material is moved to
    the MAA boundary. "Confirmation" should be conducted immediately before
    departure of the material to preclude tampering.
    Paragraph 73.45(f)
    Q: Is the intent of this requirement similar to the MAA and VA
    access controls called for in paragraph 73.45(b)?
    A: It is similar, although the emphasis is on detection rather
    than prevention. This requirement is intended to detect individuals
    penetrating the PA or introducing unauthorized materials or vehicles
    through PA portals. Therefore, specific authorization for such access
    must be presented to the security guards. This capability will
    ordinarily be accomplished by intrusion sensors, guard patrols, and
    remote assessment of the PA boundary and through personnel and vehicle
    searches at the portals.
    Section 73.46 Fixed Site Physical Protection Systems, Subsystems,
    Components, and Procedures (Reference System)
    Paragraph 73.46(a)
    Q: Why are the systems, subsystems, components, and procedures
    delineated in Section 73.46 included in the Physical Protection Upgrade
    Rule if there are already general performance and capabilities
    requirements?
    A: The level of detail in paragraphs 73.46(b) through 73.46(h)
    is included in order to present examples of the types of systems,
    subsystems, components, and procedures that would normally be included
    in a physical protection system having the level of performance required
    of that system in order to be licensed. The required level of
    performance is specified in Sections 73.20 and 73.45.
    Paragraph 73.46(a)
    Q: Is there a reference specification provision in Section
    73.46 for every capability requirement in Section 73.45?
    A: Table 1 in Section B of this guide demonstrates that there
    is at least one example provision in Section 73.46 for every capability
    requirement in Section 73.45. Usually, there are several provisions in
    Section 73.46 that apply to each requirement in Section 73.45. A more
    detailed discussion of the relationship between these provisions can be
    found in Section B.4. of this guide.
    Paragraph 73.46(b)(2)
    Q: What is the meaning of the phrase "members of the security
    organization with authority to direct the physical protection
    activities"?
    A: The meaning of the phrase is that someone with specifically
    designated authority and a member of the security organization, e.g.,
    the Director of Security or the security shift supervisor, must be
    onsite at all times and ready to direct the necessary physical
    protection activities.
    Paragraph 73.46(b)(2)
    Q: What is the meaning of the term "physical protection
    activities"?
    A: The term includes the full spectrum of activities from
    normal guard force duties, through immediate actions required by a
    security breach, to reaching response forces and obtaining necessary
    assistance.
    Paragraph 73.46(b)(3)(i)
    Q: What is the meaning of the term "other individuals
    responsible for security"?
    A: Other individuals are such management personnel as guard
    supervisors, response personnel who are not members of the guard force,
    plant security directors, and plant personnel directors.
    Paragraph 73.46(b)(3)(ii)
    Q: Who is the "individual with overall responsibility for the
    security functions"?
    A: Generally, the individual to whom overall facility security
    responsibility is delegated is a corporate Vice President, Plant
    Manager, or the Plant Director for Security.
    Paragraph 73.46(b)(4)
    Q: Does this provision mean that licensees must submit separate
    plans to implement the requirements of Appendix B to Part 73?
    A: Separate plans will be required to implement the
    requirements of Appendix B to Part 73, although these should be related
    to and coordinated with the security plan prepared in accordance with
    the provisions of the Physical Protection Upgrade Rule.
    Paragraph 73.46(c)(2)
    Q: Are vehicle barriers required along the PA perimeter?
    A: No. It is not the intent of the regulations to require a PA
    barrier capable of resisting a forceful entry attempt using a vehicle.
    Paragraph 73.46(c)(5)
    Q: Does "strategic special nuclear material, other than alloys,
    fuel elements or fuel assemblies" mean all SSNM that is in the form of
    powder, liquid, or gas?
    A: Yes, it includes SSNM in solid, liquid, or gaseous states.
    Paragraph 73.46(c)(5)(i)
    Q: Must the penetration time of the vault equal local law
    enforcement response time or response time of the facility response
    force?
    A: The penetration time should either be equal to or greater
    than the amount of time necessary to deploy a response force capable of
    containing and preventing removal of SSNM from the facility by the
    external assault threat (a small group, well trained, well equipped,
    able to operate as two or more teams, etc.). Depending on site
    conditions, the response force with this capability could be an
    appropriate mix of onsite and offsite personnel.
    Paragraph 73.46(c)(5)(iii)
    Q: Does the term "significant delay to penetrations" mean that
    this MAA barrier must be more formidable than those surrounding alloys,
    fuel elements, or assemblies?
    A: Yes. The purpose of this provision is to make it difficult
    for a conspiracy of individuals within the MAA to breach the barrier
    without being detected and transfer SSNM to the outside.
    Under this provision, all openings in the MAA barrier, such as
    areas under doors, through-fans, ventilation ducts, and pipe
    passthroughs, that lead to an accessible area outside the MAA should be
    completely closed off or specially protected. In addition, the barrier
    should be constructed of a material that resists cutting, drilling, and
    puncture by small hand tools or tool substitutes. Where possible, all
    operations at a facility involving SSNM that has not been alloyed or
    encapsulated should be consolidated in a single location that meets this
    barrier provision.
    Barriers should be inspected at regular intervals to ensure that a
    breach is not in process.
    The secondary intent of this provision is to provide additional
    protection of unalloyed and unencapsulated SSNM in process against
    external assault.
    Paragraph 73.46(c)(5)(iv)
    Q: Does the term "except when personally attended" mean that
    components and process equipment containing SSNM do not need to be
    locked as long as someone is in the MAA?
    A: No. The only SSNM that does not need to be under lock is
    that being processed, handled, worked on, or directly observed by
    personnel.
    Paragraph 73.46(d)(1)
    Q: What type of escort is required for a non-employee entering
    an MAA or VA?
    A: Non-employees who require occasional access to an MAA or VA
    should be escorted by either a member of the security organization or a
    licensee employee who has current authorization to enter that MAA or VA.
    Paragraph 73.46(d)(6)
    Q: Is use of x-ray for package search required by the rule?
    A: No. X-ray is an acceptable method of conducting package
    searches but is not the only method. Substantial technical guidance on
    alternative methods to accomplish package searches is contained
    elsewhere in the Physical Protection Upgrade Rule Guidance Compendium.
    Paragraph 73.46(d)(8)
    Q: Must a member of the guard force provide escort to personnel
    or vehicles that require an escort to enter the PA or may a designated
    escort be used?
    A: A member of the security force should escort vehicles
    entering the PA. Individual pedestrians may be escorted within the PA
    by either a member of the security force or a licensee employee who has
    current authorization to enter the PA.
    Paragraph 73.46(d)(9)
    Q: To meet the need for dual exit searches from MAAs, may one
    of the searches be a visual search or must both use electronic
    detectors, etc.?
    A: Visual searches are not considered sufficient to detect
    small quantities of concealed SSNM. Electronic SNM detectors should be
    used for both searches.
    Paragraph 73.46(d)(9)
    Q: What normally would constitute an acceptable random search?
    A: A technique that ensures that each individual could be
    selected for search each and every time the individual leaves the
    material access area.
    Paragraph 73.46(d)(14)
    Q: Does the definition of "termination of employment" include
    employees who have been transferred to another work site?
    A: Yes, it is intended that changes to keys, locks,
    combinations, and other related equipment should be made whenever an
    employee is transferred to another work site.
    Paragraph 73.46(e)(3)
    Q: Does the requirement that an individual other than the alarm
    station operator have knowledge of the opening of unoccupied vaults or
    process areas indicate that the individual may be notified some time in
    advance of the opening?
    A: No. The individual should witness the opening, either
    directly or through an assessment mechanism such as CCTV.
    Paragraph 73.46(e)(3)
    Q: Is one monitor per each remote CCTV camera required in the
    CAS and SAS?
    A: Not in all cases. Guidelines on appropriate CCTV
    configurations are provided in NUREG/CR-0543, "Central Alarm Station and
    Secondary Alarm Station Design," and in NUREG-0178, "Basic
    Considerations for Assembling CCTV," both of which are contained in the
    Physical Protection Upgrade Rule Guidance Compendium.
    Paragraph 73.46(e)(7)
    Q: Does the requirement that the status of all alarms and alarm
    zones be indicated in the alarm station mean that both the central alarm
    station (CAS) and the secondary alarm station (SAS) have identical
    annunciation and alarm control (access, secure, test) capabilities?
    A: Which capabilities should be duplicated between CAS and SAS,
    and how and where to accomplish this, is discussed in
    NUREG/CR-0543, "Central Alarm Station and Secondary Alarm Station
    Design," contained in the Physical Protection Upgrade Rule Guidance
    Compendium.
    Paragraph 73.46(e)(7)
    Q: Is the intent of the rule to require a display board in the
    CAS/SAS indicating the status of each alarm with a visual display?
    A: The intent is that the status of each alarm can be
    independently determined in real time at each alarm station, i.e., no
    "summary alarms."
    Paragraph 73.46(g)
    Q: What is the meaning of the term "other physical protection
    related devices"?
    A: Examples of devices included in this term are:
    * Emergency power sources
    * Lighting, normal and emergency
    * CCTV surveillance systems
    * Weapons and other guard equipment
    * Security vehicles
    * Electronic access control devices
    * Search equipment
    * Duress alarms
    Paragraph 73.46(g)(5)
    Q: Does the provision for "two individuals working as a team
    who have been trained in the operation and performance of the equipment"
    mean the electrician and his apprentice or two separate electricians who
    do not normally work together?
    A: The two individuals could be any employees of the licensee
    or agents or contractors of the licensee who meet all other requirements
    for access. Both should be trained in the operation and performance of
    the security equipment involved to the extent that each could detect an
    unauthorized alteration of the system by the other.
    Paragraph 73.46(g)(5)
    Q: Do "performance verification tests" differ from "operational
    tests"?
    A: Performance verification tests are an abbreviated form of
    operational tests. Operational tests are rigorous and systematic tests
    conducted on every zone of every alarm system at prescribed intervals.
    Performance verification tests involve testing the performance
    characteristics of only those functions that were likely to be affected
    by the maintenance activities in question.
    Paragraph 73.46(g)(6)
    Q: Does the provision for "individuals independent of both
    security management and security supervision" mean that someone outside
    the security program must conduct the review?
    A: Yes, the intent is to have a management review by persons
    other than those responsible for the security programs.
    Paragraph 73.46(h)(3)
    Q: What is the minimum composition of the response force and
    other armed personnel that should be available to cope with safeguards
    contingencies?
    A: This provision envisions five armed guards totally committed
    to the physical security effort being available for response and
    assessment of safeguards contingencies. The number of "additional"
    guards or other appropriately trained (in accordance with Appendix B)
    and armed personnel who must also be available for backup cannot be
    predetermined on a generic basis. This must be done on a site-by-site
    basis, giving due consideration to such factors as (1) the size,
    location, competence, and reliability of the local law enforcement
    agency; (2) the ease or difficulty with which the site can be approached
    undetected; (3) the ease with which escape from the site can be made;
    and (4) the general attitude of the local population toward the site and
    its management. These are the kinds of considerations that should
    influence the licensee's determination of the number of available armed
    personnel as expressed in the physical protection plan.
    Paragraph 73.46(h)(3)
    Q: May guards and armed response personnel have other duties or
    must they be dedicated to the response function?
    A: Guards and armed response personnel can have other duties as
    long as such duties do not interfere with their response to a safeguards
    contingency. Normally, it is expected that the response force would be
    made up of guards who have routine duties other than response, other
    members of the licensee's organization who are qualified and trained in
    accordance with Appendix B, and guards from the licensee's organization
    who may be located at a facility that is adjacent to the protected area.
    Guards manning the alarm stations have continuing duties in case of an
    assault and are not considered to be part of the response force.
    Paragraph 73.46(h)(6)
    Q: What are some of the measures that can be used to
    "facilitate the initial response to detection of penetration of the
    protected area and assessment of the existence of a threat"?
    A: To facilitate prompt assessment and initial response to the
    detection of questionable activity at or in the vicinity of the
    protected area perimeter, a capability of observing the isolation zones
    and the physical barrier should be provided. Such means as
    closed-circuit television (CCTV), hardened observation posts, armored
    response vehicles, and various combinations of these might be used. The
    employment of such physical security systems should be governed by the
    following considerations.
1. CCTV. Coverage should include the entire perimeter,
    isolation zones, and, to the extent possible, the clear areas between
    barriers. Cameras on remotely controlled pan and tilt mechanisms may be
    used for optimum effectiveness. If, however, fixed position cameras are
    used, the field of view normally would not need to extend beyond the
    isolation zones. Such limitation should allow concentration within the
    areas of primary concern. Low-light-level CCTV cameras are most
    desirable for this purpose owing to their effectiveness during periods
    of reduced visibility.
2. Hardened Observation Posts. Hardening should be to a level
    at least equivalent to that of the alarm stations. Such posts should be
    located so that an unobstructed view of the perimeter and isolation zone
    that is supposed to be monitored is available. The posts should also
    have direct communication and alerting capability with the alarm
    stations, including duress alarms, in order to avoid delay in the
    transmission of information concerning any threatening event.
3. Armored Response Vehicles. Such vehicles should be armored
    to a level at least equivalent to that of the alarm stations. They
    should be capable of reaching a defensive position at any part of the
    perimeter barrier. Response to such a position must be sufficiently
    rapid to prevent intruders from reaching and breaching a second barrier
    without direct visual contact and opportunity for confrontation by the
    response force. The vehicles should be equipped with duress codes that
    can be easily activated through the mobile radio.
    Assessment is a continuing process of evaluating the security
    situation and deciding whether or not conditions that dictate the
    initiation of a response exist. The assessment functions of security
    personnel and systems such as that described above are important to the
    achievement of the objectives of a perimeter protection system.
    Personnel selected for any of the positions that have an assessment role
    (e.g., observation posts and alarm stations) should be highly competent
    and dependable. Furthermore, they should have the unquestionable
    authority to alert the response force and, in the case of those within
    the alarm stations, to request assistance from offsite forces.
    Paragraph 73.46(h)(7)
    Q: Why are security personnel assessing alarms within
    unoccupied vaults and unoccupied material access areas containing
    unalloyed or unencapsulated SSNM required to use only remote means to
    assess these alarms?
    A: There are two reasons for this provision. First, to
    maintain the designed delay time built into vaults, the doors should be
    kept closed and locked, especially at night and during offshifts. The
    remote assessment would preclude an adversary from intentionally using a
    false alarm as a means of getting the vault opened. Second, the use of
    remote assessment techniques prevents the two responding guards from
    having access to material access areas and the SSNM. A possible
    alternative would be to use a team of personnel (more than two) to
    investigate the source of the alarm.
D. IMPLEMENTATION
    This section provides information to applicants and licensees
    regarding the staff's plans for using this regulatory guide.
    Except in those cases in which the applicant proposes an
    acceptable alternative, after publication of this guide the Commission's
    staff will use the intents and understandings described herein as one
    aid for evaluating an applicant's or licensee's capability to conform to
    the performance-oriented physical protection requirements in the
    Physical Protection Upgrade Rule.