What We Heard Report: DIS-21-02 and DIS-21-03

DIS-21-02, Proposals to Amend the Nuclear Security Regulations

DIS-21-03, Cyber Security and the Protection of Digital Information

Preamble

The Canadian Nuclear Safety Commission (CNSC) uses discussion papers, information sessions and workshops to better understand the potential impacts of its proposed regulations, amendments to existing regulations and/or approaches when updating regulatory requirements and guidance.

Introduction

Modernizing the Nuclear Security Regulatory Framework is a project that the CNSC is undertaking to amend the Nuclear Security Regulations (NSR) and associated regulatory documents. The CNSC proposes to take a less prescriptive approach to regulating nuclear security by affording licensees greater flexibility in the measures and approaches they can use to meet regulatory requirements. The regulatory documents (REGDOC-2.12 series) will be revised to clarify requirements and provide guidance on how nuclear security regulatory requirements can be met.

Discussion papers

In 2021, the CNSC issued 2 discussion papers related to Modernizing the Nuclear Security Regulatory Framework: DIS-21-02, Proposals to Amend the Nuclear Security Regulations, and DIS-21-03, Cyber Security and the Protection of Digital Information.

DIS-21-02 Footnote 1, published on Let’s Talk Nuclear Safety (an e-consultation platform) from April 15 to July 14, 2021, describes the CNSC’s proposed regulatory changes to areas such as physical protection (prevention of theft and sabotage), cyber security and the protection of nuclear security information, as well as security culture and the impact on nuclear material accountancy and control. There were 58 visitors to the e-consultation page from industry and the public. In total, 93 comments were submitted.

DIS-21-03 Footnote 2, published on Let’s Talk Nuclear Safety from July 7 to October 7, 2021, added more details on the proposed revisions for regulating cyber security and the protection of digital information. There were 62 visitors to the e-consultation page from industry, a union, other government departments and the public. In total, 149 comments were submitted.

Note: DIS-21-02 also discussed nuclear security amendments to the Nuclear Safety and Control Act (NSCA) that were tabled in Parliament in early 2021, in Bill C-21 Footnote 3. These legislative amendments, if enacted, would require certain amendments to the NSR and supporting regulatory documents. When Parliament was dissolved in August 2021, the bill was terminated, which resulted in the CNSC removing these proposed amendments from the Modernizing the Nuclear Security Regulatory Framework project. Feedback received on this matter has been filed for possible future use, but is not included in this report. Stakeholders will be engaged further if another bill with similar amendments is tabled.

Workshops

From April to July 2021, CNSC staff held a series of consultation sessions with over 150 participants from the public, environmental non-governmental organizations, industry, Government of Canada partners and representatives from various provincial governments. These consultation sessions included a walkthrough of the regulatory amendment process and highlighted specific proposed amendments to the NSR and the rationale behind the changes. The sessions provided an opportunity to discuss the proposed changes and their potential impacts and challenges, and have helped inform the proposed regulations and guidance.

Feedback

The following sections outline the changes that the CNSC is proposing, the feedback received from the discussion papers and workshops and the path forward.

Performance-based regulations

The CNSC proposes to introduce a more performance-based approach to regulating nuclear security by enabling licensees and applicants to introduce new technologies, processes and procedures while meeting the same robust security objectives. This requires certain proposed changes to definitions and requirements in the NSR.

Overall, there was strong support from stakeholders to transition to regulations that are less prescriptive and that have clear performance-based objectives. Some members of the public were concerned that the performance-based requirements might be less stringent, particularly for new advanced reactor technologies.

Moving forward:

The implementation of any performance-based requirement needs to be approved by the CNSC: Applicants and licensees would be required to demonstrate that they would be able to achieve specific and measurable objectives or outcomes. The changes to the NSR would continue to ensure the continuity of Canada’s robust nuclear security regime, while affording licensees and applicants greater flexibility in demonstrating how they can meet nuclear security regulatory requirements. The CNSC would provide further guidance on how to meet these performance-based requirements in its regulatory documents.

Protecting against theft and sabotage

The CNSC proposes to amend the NSR such that nuclear facilities can use modern technologies and approaches to protect against theft and sabotage of Category I, II or III nuclear material. The CNSC is proposing to revise the NSR to ensure that the security of a nuclear facility is maintained by having effective security measures in place. The current NSR do not recognize alternative security approaches.

There was strong support for introducing flexibility to propose alternative approaches to ensuring nuclear facilities are secure. However, stakeholders requested clarity on what the CNSC would consider sufficient in meeting nuclear safety objectives. Others emphasized that considerations ought to be different for large nuclear power plants and small nuclear facilities, which have smaller inventories of nuclear materials. The public and environmental non-governmental organizations (ENGOs) cautioned that NSR changes should ensure that current levels of security are maintained or strengthened. The same level of nuclear security should be applied regardless of the geographic location of a facility or the technology used in it (e.g., urban versus remote locations).

Moving forward:

The CNSC proposes to ensure that the security at nuclear facilities is strengthened while allowing flexibility to use modern technologies and alternative approaches.

Screening

The CNSC proposed to update references in the NSR to ensure that licensees and applicants use the Treasury Board Secretariat’s current Standard on Security Screening Footnote 4. As part of the proposed changes, a site access clearance would be valid for 10 years, as opposed to the current 5 years, and include a mandatory financial inquiry for individuals who require an enhanced site access clearance.

Stakeholders expressed concern with expanding the need to conduct financial and security checks for all employees, as opposed to applying the standard based on the level of responsibility for individual roles. There were also concerns about the accessibility of technology used to conduct fingerprinting, as some have faced challenges in collecting employees’ fingerprints.

Moving forward:

The CNSC understands that employers have experienced issues with fingerprinting and will consider this change and its impact further.

Nuclear material accountancy and control

Under the proposed changes, licensees and applicants would be required to implement an interface between security and nuclear material accountancy and control (NMAC) measures. This ensures security and NMAC are coordinated to deter and detect unauthorized removal of any nuclear substance from a licensed facility. Licensees and applicants would assess and manage this interface to ensure that they do not adversely affect each other while ensuring they are mutually supportive.

Overall, members of the public and ENGOs were supportive of a stronger interface between nuclear security and NMAC. Certain industry stakeholders stated that this interface is already in place and raised concerns that this change would increase the work needed to ensure the interface and could introduce more inspections and verifications across several different groups.

Moving forward:

This proposed change will align with recommendations under International Atomic Energy Agency (IAEA) Nuclear Security Series (NSS) 13, Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities.

Protection of sensitive information

The CNSC proposes that requirements for the protection of information be extended beyond prescribed information to include other sensitive information. The CNSC’s proposed definition of sensitive information is “any information, including prescribed or classified information, in whatever form, including software, for which the unauthorized disclosure, modification, alteration, destruction, or denial of use could compromise nuclear security”. This proposed definition aligns with the IAEA’s definition of sensitive information.

The CNSC proposes a lifecycle approach for the management of digital information, which means that licensees would be expected to perform activities to manage digital information for the following phases: creation, use, storage, transmission or disposal of sensitive digital information, including prescribed information. Licensees would be required to identify sensitive information assets, including computer systems and networks which create, store, process, and transmit sensitive digital information.

Most industry stakeholders agreed with CNSC’s proposed lifecycle approach for the protection of digital information. Some expressed concern regarding the proposed increase in scope of information to be protected, and the definition of sensitive information being overly broad.

Moving forward:

The proposed definition of sensitive information is aligned with the IAEA’s definition. The CNSC will clarify requirements and develop guidance on how to identify and protect sensitive information in its regulatory documents.

Sensitive information classification

The CNSC proposes to use the Government of Canada’s information classification scheme to develop graded regulatory requirements for information protection to align with IAEA NSS 23-G, Security of Nuclear Information. Since only prescribed information must currently be protected, this classification scheme will support the additional proposed management of sensitive information. Furthermore, the CNSC proposed information protection measures to assure the confidentiality, integrity and availability of digital sensitive information.

Most industry stakeholders use graded information classification schemes and generally agreed that classifying and marking information is necessary to adequately handle and protect information. However, some expressed concerns that the proposed scheme would be difficult to align with their existing classification schemes, could potentially lead to over-classifying information and that implementing multiple sensitivity levels would be overly burdensome in achieving the regulatory objective.

Moving forward:

The CNSC intends to develop performance-based information protection requirements, rather than prescriptive requirements, which will be based upon guidance from the Treasury Board of Canada Secretariat. This will be further clarified in regulatory documents.

Cyber security in threat and risk assessment

Under the proposed amendments to the NSR, all licensees subject to the NSR would be required to assess their vulnerability to cyber threats and include cyber threats in the threat and risk assessment (TRA). The objective of this proposed requirement is to ensure that licensees and applicants are able to detect and respond to cyber attacks targeting systems important to nuclear safety, nuclear security, emergency preparedness and safeguards (SSEPS). This aligns with CSA N290.7, Cyber security for nuclear facilities Footnote 5. In addition, as part of the proposal, licensees would be required to conduct, at least once every 5 years, a TRA in the nuclear facility where they carry on licensed activities, updating it at least once every 12 months (or when the threat changes and/or after a security incident).

Stakeholders recommended the use of a graded approach to determine the scope of sensitive information and SSEPS systems to be included in the TRA.

Stakeholders noted that the program elements set out in the CSA N290.7 standard are suitable, although some sought to use the graded approach. This would allow licensees of facilities having Category III nuclear material flexibility to propose alternative methods, approaches, security measures, etc. However, stakeholders requested that the CNSC provide further guidance as to how CSA N290.7 could be applied for these facilities.

Moving forward:

The CNSC will be conducting further research to better understand how a graded approach could be applied to lower-risk facilities. In addition, the CNSC intends to provide guidance in its security regulatory documents. Further information on the graded approach can be found in REGDOC-3.5.3, Regulatory Fundamentals Footnote 6.

Cyber security for transport

The NSR require that licensees who transport or arrange the transport of Category I, II and III nuclear materials make provisions for securing the material during transport. Under the proposed amendments to the NSR, all licensees subject to the NSR would be required to assess their vulnerability to cyber threats and include cyber threats in their TRA. As a result, the CNSC would require that the information protection and cyber security programs of licensees who transport or arrange the transport of Category I, II and III nuclear materials be extended to the protection of any digital technologies used within the transport security plan. This would include digital technologies vital to ensuring the secure transport of nuclear materials such as technologies used to implement physical security measures, those used for communications, and those that protect sensitive information. The CNSC proposes that these programs address situations where the transportation is procured as a service from a third party.

Industry and other stakeholders agree that the proposed cyber security measures in the Customs and Trade Partnership Against Terrorism are appropriate for this proposal. Industry stakeholders agreed they can manage cyber security for transport within their cyber security and information protection programs. However, some stakeholders would like flexibility in implementing cyber security for transport within their organization.

Moving forward:

The CNSC will provide additional clarity of requirements and guidance regarding transportation of Category I, II and III nuclear material in regulatory documents.

Transport security exercises and security exercises

As part of the CNSC’s proposed changes, licensees and applicants, in cooperation with the off-site response force, would be required to conduct a security exercise at least once every 5 years to test 1 or several elements of their contingency plan and nuclear security measures. The CNSC will provide clarity on implementation of this new requirement to high-security sites (HSS) that already conduct full-scale security exercises at their sites every 2 years under the current regulations. However, some industry stakeholders requested better clarity regarding scope and frequency of a transport security exercise.

Moving forward:

The CNSC will provide additional clarity regarding the requirements and guidance for transport security exercises in the regulatory documents.

Security culture

The CNSC proposed that every licensee and applicant implement and maintain measures to promote and support a security culture within their organization. Stakeholders expressed concern regarding methods of inspecting and enforcing these requirements. In addition, they requested clarity with regard to whether there would be additional expectations for those already in compliance with REGDOC-2.1.2, Safety Culture Footnote 7, which includes security culture.

Moving forward:

Based on feedback, the CNSC will consider providing further information in the NSR about security culture. For non-HSS, licensees or applicants would be asked to document their security culture measures in their facility security program or in an equivalent document that is acceptable to the CNSC.

Miscellaneous

The current layout of the NSR makes it challenging to find out which regulatory requirements apply to which facility. In addition, the Schedule 2 grouping of the NSR currently lists the business names of the facilities to which it applies, which creates confusion for new licensees.

The CNSC proposed to remove the names of licensees, and instead to group them and provide clear criteria that define the characteristics of facilities to which the NSR apply. HSS will continue to be facilities that use, produce and store Category I and II nuclear material. In addition, the CNSC proposes to change the layout of the NSR to a modular format to increase clarity.

There was strong support from all stakeholders for the simplified layout and the revision of Schedule 2.

Moving forward:

The CNSC intends to move ahead with the layout and Schedule 2 revisions.

Conclusion

The CNSC is using the feedback received through these discussion papers and workshops to inform its approach in the Modernizing the Nuclear Security Regulatory Framework project.

Next steps

The CNSC will develop a proposed regulatory amendment package that takes into account all feedback received. This includes a detailed Regulatory Impact Analysis Statement (RIAS), which is an evidence-based, non-technical synthesis of expected impacts of a proposed regulation. The RIAS and the text of the proposed regulations are expected to be published in the Canada Gazette, Part I, which serves as a tool for further consultation between the Government of Canada and Canadians.

The NSR are supported by regulatory documents which provide clarity on how to meet requirements specified in the regulations. Concurrent with Canada Gazette, Part I, CNSC staff will be releasing the nuclear security regulatory discussion paper for public comment.

Acronyms

ENGO: environmental non-governmental organization
HSS: high-security site
IAEA: International Atomic Energy Agency
NMAC: nuclear material accountancy and control
NSR: Nuclear Security Regulations
RIAS: Regulatory Impact Analysis Statement
SSEPS: nuclear safety, nuclear security, emergency preparedness and safeguards
TRA: threat and risk assessment

References

Footnote 1

Canadian Nuclear Safety Commission (CNSC), DIS-21-02 Proposals to Amend the Nuclear Security Regulations, Ottawa, Canada, 2021.

Footnote 2

CNSC, DIS-21-03, Cyber Security and the Protection of Digital Information, Ottawa, Canada, 2021.

Footnote 3

Public Safety Canada, Bill C-21: An Act to amend certain Acts and to make certain consequential amendments (firearms), Ottawa, Canada, 2021.

Footnote 4

Treasury Board Secretariat, Standard on Security Screening, 2017.

Footnote 5

Canadian Standards Association, N290.7, Cyber security for Nuclear Facilities, Toronto, Canada, 2021.

Footnote 6

CNSC, REGDOC-3.5.3, Regulatory Fundamentals, Ottawa, Canada, 2020.

Footnote 7

CNSC, REGDOC-2.1.2, Safety Culture, Ottawa, Canada, 2018.
