Regulatory Analysis for Cyber Security Event Notifications Final Rule

Regulatory Analysis for Cyber Security Event Notification final rule.pdf

Cyber Security Event Notifications Final Rule (10 CFR Part 73 burden)

Regulatory Analysis for Cyber Security Event Notifications Final Rule

OMB: 3150-0230

Document [pdf]
Download: pdf | pdf
Regulatory Analysis for Final Rule on
Cyber Security Event Notifications
(10 CFR Part 73)

U.S. Nuclear Regulatory Commission
Office of Nuclear Reactor Regulation
Office of Nuclear Security and Incident Response

October 2014

[Page intentionally left blank.]

Table of Contents
1. Introduction ............................................................................................................................................. 1
2. Statement of the Problem and Objective ................................................................................................ 1
2.1.

Background ................................................................................................................................... 1

2.2.

Statement of the Problem ............................................................................................................. 2

2.3.

Objective ....................................................................................................................................... 2

3. Identification and Analysis of Alternative Approaches............................................................................ 3
3.1.

Option 1: No Action ...................................................................................................................... 3

3.2.

Option 2: Amend Regulations to Add Cyber Security Event Notification Requirements ............. 4

4. Evaluation of Benefits and Costs............................................................................................................ 4
4.1.

Identification of Affected Attributes ............................................................................................... 4

4.2.

Analytical Methodology ................................................................................................................. 7

5. Results .................................................................................................................................................. 23
5.1.

Benefits and Costs of the Final Rule .......................................................................................... 23

5.2.

Sensitivity Analysis ..................................................................................................................... 31

5.3.

Disaggregation ............................................................................................................................ 32

5.4.

Safety Goal Evaluation ............................................................................................................... 33

6. Decision Rationale for Selection of the Proposed Action ..................................................................... 33
7. Implementation ..................................................................................................................................... 34
8. List of Tables ........................................................................................................................................ 34
9. References ........................................................................................................................................... 35
Appendix A

Backfit Analysis ............................................................................................................... A-1

Appendix B

U.S. Commercial Nuclear Power Reactor Sites Affected by the Final Rule ................... B-1

Appendix C

Estimation of Overall Costs of the Final Rule Based on the Sensitivity Analysis ........... C-1

i

[Page intentionally left blank.]

ii

1. Introduction
This document presents a regulatory analysis of the U.S. Nuclear Regulatory Commission’s
(NRC’s) final rule on cyber security event notifications (Agencywide Document Management
System (ADAMS) Accession No. ML14136A214) and the associated Regulatory Guide 5.83,
Revision 0, “Cyber Security Event Notifications” (ADAMS Accession No. ML14175A657). A
discussion of backfitting of the final rule is presented in Appendix A. The recommended
regulatory action establishes regulations under Title 10 of the Code of Federal Regulations (10
CFR) section 73.77 related to the process, timeliness, and reporting of cyber security event
notifications that licensees submit to the NRC following cyber security events.

2. Statement of the Problem and Objective
The cyber security event notifications (CSEN) final rulemaking amends the NRC regulations to
add timely notification requirements for certain cyber security events. This rulemaking
increases the NRC's ability to respond to security-related plant events, evaluate ongoing
suspicious activities for threat implications, and accomplish the Agency's strategic
communications mission.

2.1.

Background

Following the terrorist attacks on September 11, 2001, the NRC conducted a thorough review of
security to ensure that nuclear power plants continued to have effective security measures in
place given the changing threat environment. Through a series of orders, the Commission
specified a supplement to the Design Basis Threat (DBT), as well as requirements for specific
training enhancements, access authorization enhancements, security officer work hours, and
enhancements to defensive strategies, mitigative measures, and integrated response.
Additionally, in generic communications, the Commission specified expectations for enhanced
notifications to the NRC for certain security events or suspicious activities. As noted to
recipients of the post-September 11, 2001 orders, the Commission’s intent was to complete a
thorough review of the existing physical protection program requirements and undertake a
rulemaking that would codify generically-applicable security requirements.
In October 2006, the NRC issued a proposed power reactor security requirements rule to
amend its security regulations and add new security requirements pertaining to nuclear power
reactors (71 Federal Register (FR) 62664; October 26, 2006). The rule included: (1) security
requirements imposed by Commission orders issued after the terrorist attacks of
September 11, 2001; (2) requirements for access to enhanced weapons and firearms
background checks; and (3) new requirements that resulted from insights from implementation
of the security orders, review of site security plans, and implementation of the enhanced
baseline inspection program and force-on-force exercises. One of the new security
requirements in the proposed rule was the establishment of a cyber security program.
In March 2009, the NRC issued the power reactor security requirements final rule, which
included adding section 73.54, “Protection of Digital Computer and Communication Systems
and Networks,” to the NRC’s regulations (74 FR 13926; March 27, 2009). Section 73.54
requires power reactor licensees to establish and maintain a cyber security program at their
facilities to provide high assurance that digital computer and communication systems and
networks are adequately protected against cyber attacks, up to and including the DBT, as
described in 10 CFR 73.1.

1

In February 2011, the NRC published a proposed enhanced weapons rule that would add new
security requirements for enhanced weapons and firearms background checks, as well as
revisions to existing regulations governing security event notifications (76 FR 6200;
February 3, 2011). The proposed revisions to security event notification requirements included
notification requirements related to imminent or actual hostile acts, physical intrusions,
suspicious activities, unauthorized operation or tampering events, and cyber security events.
The NRC included the CSEN requirements as part of the February 2011 proposed rule because
CSEN requirements were not included in the March 2009 final power reactor security
requirements rule.
Subsequently, the NRC bifurcated the February 2011 proposed enhanced weapons rule into
two separate rulemakings. One rulemaking will address the CSEN requirements. The second
rulemaking will address the remaining requirements, which include the enhanced weapons
requirements, firearms background check requirements, and physical security event notification
requirements. This regulatory analysis examines only the CSEN requirements.

2.2.

Statement of the Problem

Notification of a cyber security event is necessary to assist the NRC in assessing and evaluating
issues with potential cyber security-related implications in a timely manner, determining the
significance and credibility of the identified issue(s), and providing recommendations and/or
courses of action to NRC management. Currently, licensees are reporting certain cyber security
events voluntarily to the NRC. However, since this is done voluntarily there could be certain
cyber security events that may not be reported to the NRC in a timely manner or reported at all.
It is important for the NRC to have information about certain cyber security events to fulfill its
strategic communications mission within the framework of the National Infrastructure Protection
Plan (NIPP) developed by the Department of Homeland Security (DHS). The NIPP is carried
out by Federal, state and local agencies and private sector entities all operating together
voluntarily. The CSEN final rule removes the voluntary aspects of reporting certain cyber
security events and provides regulatory stability and ensures the NRC is notified in a timely
manner, including suspicious cyber security events, which plays an important role in our
strategic communications mission, as well as certain cyber security events within the scope of
10 CFR 73.54 (e.g., adverse impacts to safety, security, or emergency preparedness functions).
In March 2009, the NRC published 10 CFR 73.54, “Protection of Digital Computer and
Communication Systems and Networks,” as part of the power reactor security requirements final
rule. This rule established a cyber security program under section 73.54, in which licensees
provide high assurance that digital computer and communication systems, and networks are
adequately protected against cyber attacks. However, the power reactor security rulemaking
did not include CSEN requirements. Currently, there is no mandatory CSEN regulation or
process that requires nuclear power reactor licensees to notify the NRC of any cyber attacks
(successful, suspicious, or unsuccessful) in a timely manner for NRC response.

2.3.

Objective

The objective of this final rulemaking is to amend Title 10 of the Code of Federal Regulations to
add section 73.77, “Cyber Security Event Notifications,” to require licensees under 10 CFR parts
50 and 52 subject to the provisions of section 73.54, “Protection of Digital Computer and
Communication Systems and Networks,” to report certain cyber security events to the NRC
Headquarters Operations Center via the Emergency Notification System (ENS) within the
timeliness requirements specified. Section 73.77 also requires these licensees to record cyber
2

security events in their site corrective action program. Finally, licensees are required to submit
written security follow-up reports to the NRC for certain notifications made under section 73.77.
The February 2011 proposed enhanced weapons rule applied to operating power reactor sites,
decommissioning power reactor sites, operating and decommissioning research and test reactor
sites, hot cell sites, other reactor sites, Category I strategic special nuclear material sites,
Category II and Category III special nuclear material sites, and independent spent fuel storage
installations (ISFSIs). However the CSEN final rule applies only to power reactor licensees
under 10 CFR Parts 50 and 52 subject to the provisions of 10 CFR 73.54. In conducting the
quantitative analysis presented in this document, the NRC staff assumed that the following sites
will be affected by the final rule: 58 sites with only reactors that are currently in commercial
operation, two sites with both operating reactors and projected new power reactors for which a
combined license (COL) already has been issued under 10 CFR Part 52, one site with both an
operating reactor and a reactor under active construction under a 10 CFR Part 50 construction
permit, and four sites with reactors that currently are in decommissioning. This results in
65 affected power reactor sites.

3. Identification and Analysis of Alternative Approaches
This section presents an analysis of the alternatives that the NRC staff considered in meeting
the regulatory goals identified in Section 2. The NRC staff considered two alternatives for
revising the Part 73 provisions, as discussed below.

3.1.

Option 1: No Action

Under this option, the “no-action” alternative, the NRC would not amend the current regulations
in Part 73 to add notification and reporting requirements related to certain cyber security events.
Under this option, licensees would not be required to submit cyber security event notifications
and reports to the NRC. Rather, the NRC would rely on the current voluntary reporting process
for cyber security events by licensees. Voluntary reports can be submitted by the licensee at
any time, such that the NRC may not be able to assess and evaluate issues with potential cyber
security-related implications in a timely manner. This option would avoid any new costs to
licensees in communicating, documenting, and reporting cyber security events. It also would
avoid new costs to the NRC to review and respond to cyber security event notifications not
voluntarily reported to the NRC. However, this option would not increase the NRC's ability to
respond to cyber security-related plant events, evaluate ongoing suspicious activities for threat
implications, or accomplish the Agency's strategic communications mission. The strategic
communications mission is part of the NIPP framework and is designed to share information in
an effort to protect critical infrastructure and key resources (CIKR). Under the CIKR reporting
guidelines from DHS, licensees are encouraged but not required to report information
concerning suspicious or criminal activity related to terrorism (e.g., physical security, cyber
security, emergency preparedness).
There is specific guidance contained in the NRC’s Regulatory Analysis Technical Evaluation
Handbook1 on how to handle voluntary initiatives, including credit to be given to voluntary
actions by licensees. However, in this case, the voluntary actions (i.e., reporting suspicious
1

NRC; Regulatory Analysis Technical Evaluation Handbook (NUREG/BR-0I84); Section 5.7, “Quantification of
Attributes;” January 1997. Available at: http://pbadupws.nrc.gov/docs/ML0501/ML050190193.pdf, last accessed on
July 29, 2014.

3

activity associated with cyber incidents) occur as part of the “no action” alternative. Thus, by
definition, voluntary actions will occur provided that the NRC takes no action. While the final
rule adds cyber security event notification requirements, under this option a regulatory baseline
already exists. The NRC provides oversight of the licensee’s corrective action program which
includes cyber security events under the Physical Protection Program per section 73.55.

3.2.

Option 2: Amend Regulations to Add Cyber Security Event Notification
Requirements

Under this option, the NRC would conduct a rulemaking to add notification and reporting
requirements related to certain cyber security events. These changes would entail adding
10 CFR 73.77, “Cyber Security Event Notifications.” Specifically, the NRC would require
through rulemaking that licensees conduct notifications and submit reports to the NRC in the
event of certain cyber security attacks. The cyber security events fall into three categories:
one-hour notifications, four-hour notifications, and eight-hour notifications. For some of these
cyber security events, licensees would be required to provide a written security follow-up report
to the NRC within 60 days using NRC Form 366. These cyber security events include one-hour
notifications (cyber attacks that adversely impacted safety, security, or emergency
preparedness (SSEP) functions (section 73.77(a)(1))) and two of the four-hour notifications
(cyber attacks that could have caused an adverse impact to SSEP functions
(section 73.77(a)(2)(i)) and cyber attacks initiated by personnel with physical or electronic
access (section 73.77(a)(2)(ii))). Licensees also would be required to record, in their site
corrective action program, vulnerabilities, weaknesses, failures and deficiencies in their cyber
security program and notifications made under section 73.77(a).
The NRC staff will review the information provided by licensees to determine appropriate
response actions. These actions may include one or more of the following actions: (1) notifying
the NRC Cyber Assessment Team, (2) determining necessary follow-up actions based on the
event characteristics, (3) documenting reported events, (4) making additional notifications to
other government agencies, and (5) issuing threat advisories to other licensees. The NRC also
will use the information provided by licensees to effectively monitor ongoing licensee actions
and inform other licensees in a timely manner of cyber security-significant events.

4. Evaluation of Benefits and Costs
This section examines the benefits and costs expected to result from this rulemaking, and are
presented in two subsections. Section 4.1 identifies attributes that are expected to be affected
by the rulemaking. Section 4.2 describes how benefits and costs have been analyzed.

4.1.

Identification of Affected Attributes

The following attributes are expected to be affected by this rulemaking. Their impacts are
quantified where possible. Impacts to accident-related attributes are qualified because
estimates of occurrences of possible attacks and their successful repulsions are unknown.
Further, even if reliable estimates were available, they would be considered Safeguards
Information and not to be released for public dissemination.
•

Safeguards and Security Considerations — The actions regarding cyber security event
notifications will increase the NRC's ability to respond to cyber security events and to
effectively monitor ongoing licensee actions and inform other licensees in a timely

4

manner of cyber security-significant events and thus, protect public health and safety,
and the common defense and security.
•

Industry Implementation — In implementing the regulatory action, licensees are
expected to read the final rule and regulatory guide, and develop or upgrade their
existing notification procedures. Licensees also are expected to develop and deliver
initial and recurring notification training to designated personnel. For purposes of this
analysis, the NRC staff estimates that 65 sites will be affected by the final rule.
Estimated hours of burden for each of these activities can be found in:
o
o
o

•

Section 4.2.4.2: Development of Procedures
Section 4.2.4.3: Initial Notification Training
Section 4.2.4.10: Recurring Notification Training

Industry Operation — The CSEN requirements of the final rule would result in operating
expenses for industry. Specifically, the final rule will require licensees to make
telephonic notifications and submit written security follow-up reports to the NRC. Written
security follow-up reports must be prepared on NRC Form 366, which is currently used
for physical security event notifications. Licensees also will need to record, in their
existing site corrective action program, notifications made under section 73.77(a) and
vulnerabilities, weaknesses, failures or deficiencies in their cyber security program. In
addition, licensees will need to periodically supply NRC inspectors with cyber security
event information to support security inspections, as needed. Finally, licensees will need
to update and deliver recurring notification training.

The analysis includes three categories of cyber security events that will impact industry
operations. The estimated rates of events per year for each notification requirement are based
on the following:
•

Voluntary Reporting Initiatives: The NRC has been collecting data from licensees under
the voluntary reporting initiative. However, reporting is on a voluntary basis and it is not
known if all of the cyber security events (within the voluntary initiative) are being reported
to the NRC.

•

10 CFR 73.54 Requirements: As the implementation of the cyber security rule
progresses, voluntary reporting has been decreasing.

Using information from the above two actions, the NRC staff generated the best estimate annual
rates for the one-, four-, and eight-hour notifications as shown below:
•

One-hour notifications: A cyber attack that adversely impacted SSEP functions (i.e.,
cyber security events covered under section 73.77(a)(1)). The NRC staff assumes that,
on average, cyber attacks with adverse impacts occur once every two years (i.e., at a
rate of 0.50 event per year) at each site that has reactors that are currently in
commercial operation, projected new reactors under a Part 52 license, and/or reactors
under active construction under a Part 50 license; cyber attacks with adverse impacts
occur once every 20 years (i.e., at a rate of 0.05 event per year) at each site that has
only reactors that currently are in decommissioning. In addition, the NRC staff assumes
that each event would require one hour of licensee staff time to make a telephonic
notification to the NRC Headquarters Operations Center.

5

•

Four-hour notifications: A cyber attack that could have caused an adverse impact to
SSEP functions (i.e., cyber security events covered under section 73.77(a)(2)(i)), cyber
attacks initiated by personnel with physical or electronic access (section 73.77(a)(2)(ii)),
or notification of a local, State, or other Federal agency (section 73.77(a)(2)(iii)). The
NRC staff assumes that, on average, these types of events occur once a year at each
site that has reactors that are currently in commercial operation, projected new reactors
under a Part 52 license, and/or reactors under active construction under a Part 50
license; cyber attacks without adverse impacts to SSEP functions occur once every
10 years (i.e., at a rate of 0.10 event per year) at each site that has only reactors that
currently are in decommissioning. The NRC staff also assumes that each event would
require 0.5 hour of licensee staff time to make a telephonic notification to the NRC
Headquarters Operations Center.

•

Eight-hour notifications: Activities that may indicate intelligence gathering or
preoperational planning related to a cyber attack (i.e., cyber security events covered
under section 73.77(a)(3)). The NRC staff assumes that, on average, activities that may
indicate intelligence gathering or preoperational planning related to a cyber attack occur
2.5 times a year at each site that has reactors that are currently in commercial operation,
projected new reactors under a Part 52 license, and/or reactors under active
construction under a Part 50 license; activities that may indicate intelligence gathering or
preoperational planning related to a cyber attack occur once every two years (i.e., at a
rate of 0.50 event per year) at each site that has only reactors that currently are in
decommissioning. In addition, the NRC staff assumes that each event would require
0.50 hour of licensee staff time to make a telephonic notification to the NRC
Headquarters Operations Center.

For events requiring entry in the site corrective action program, the NRC staff assumes that, on
average, each site that has reactors that are currently in commercial operation, projected new
reactors under a Part 52 license, and/or reactors under active construction under a Part 50
license will record 10 entries per year in its corrective action program; each site that has only
reactors that currently are in decommissioning will record 2.5 entries per year in its corrective
action program. The NRC staff also assumes that each site will require 0.50 hour of licensee
staff time to record one entry in the site corrective action program. This final rule specifies
certain cyber security events for entry into the site corrective action program and those hours
are included in the regulatory baseline as required under the Physical Protection Program per
section 73.55.
The NRC staff estimates that 65 sites will be affected by the final rule and will be required to
conduct all of the above activities.
•

NRC Implementation — The NRC implementation costs include the labor cost for the
development of the final rule and the associated regulatory guidance.

•

NRC Operation — The NRC activities under the final rule include the review of
information received during a cyber security event notification for follow-up, activation of
the NRC’s Headquarters Operations Center, or immediate communication to DHS and
other licensees, as needed. The NRC staff also will review written security follow-up
reports received after initial telephonic notifications. In addition, the NRC staff may
review information on cyber security events recorded in the site corrective action
program during an inspection.

6

•

Regulatory Efficiency — The regulatory action is expected to result in enhanced
regulatory efficiency involving the NRC's ability to monitor ongoing cyber security events
at a range of licensed facilities, and the ability to rapidly communicate information on
cyber security events at such facilities to other NRC-regulated facilities and other
government agencies, as necessary.

•

Public Health (Accident) — The regulatory action is expected to reduce the risk that
public health will be affected by radiological releases because of the increased likelihood
of a successful repulsion of an attack.

•

Occupational Health (Accident) — The regulatory action is expected to reduce the risk
that occupational health will be affected by radiological releases because of the
increased likelihood of a successful repulsion of an attack.

•

Off-Site Property — The regulatory action is expected to reduce the risk that off-site
property will be affected by radiological releases because of the increased likelihood of a
successful repulsion of an attack.

•

On-Site Property — The regulatory action is expected to reduce the risk that on-site
property will be affected by radiological releases because of the increased likelihood of a
successful repulsion of an attack.

•

Other Government Agencies — The CSEN final rule will not have an effect on other
Government agencies because the reporting of suspicious or criminal activity related to
terrorism (e.g., physical security, cyber security) is captured under the NIPP and part of
the NRC’s strategic communications mission. In addition, certain cyber security events
reported to the NRC that fall within the scope of 10 CFR 73.54 will not need to be
reported to other Government agencies.

Attributes that are not expected to be affected by this rulemaking include the following:
occupational health (routine); public health (routine); environmental considerations; general
public; improvements in knowledge; and antitrust considerations.

4.2.

Analytical Methodology

This section describes the process used to evaluate benefits and costs associated with the final
rule. The benefits of the final rule include any desirable changes in affected attributes
(e.g., monetary savings, improved safety, improved security) while the costs include any
undesirable changes in affected attributes (e.g., monetary costs, increased exposures).
Of the 11 affected attributes, the analysis evaluates four⎯industry implementation, industry
operation, NRC implementation, and NRC operation⎯on a quantitative basis. Quantitative
analysis requires a baseline characterization of the affected universe, including characterization
of factors such as the number of affected entities and the types of procedures that licensees
would implement as a result of the final rule. Sections 4.2.1 through 4.2.4 describe the most
significant analytical data and assumptions used in the quantitative analysis of these attributes.
The analysis primarily relies on a qualitative (rather than quantitative) evaluation of the
remaining seven affected attributes (safeguards and security considerations, regulatory
efficiency, public health (accident), occupational health (accident), off-site property, on-site

7

property, and other government agencies) because of the uncertainties associated with
monetizing the impact that the cyber security event notifications under the final rule would have
on these affected attributes. Monetizing the impact on any of these attributes would require
estimation of factors such as the frequency with which radiological sabotage attempts are
(i.e., pre-rule) and will be (i.e., post-rule) successful, and the impacts associated with successful
radiological sabotage attempts. Because these factors preclude monetization of these seven
affected attributes, this analysis discusses them qualitatively in Section 4.1.

4.2.1.

Baseline for Analysis

This regulatory analysis measures the incremental costs of the final rule relative to a “baseline”
that reflects anticipated behavior in the event the NRC undertakes no regulatory action
(Option 1, the “no-action” alternative). As part of the baseline used in this analysis, the NRC
staff assumes full licensee compliance with existing NRC regulations, which includes the NRC’s
oversight of the licensee’s corrective action program to include cyber security events as part of
the physical protection program per section 73.55. Section 5 presents the estimated
incremental costs of the final rule relative to this baseline.

4.2.2.

Affected Universe

The NRC staff estimates that 65 U.S. commercial nuclear power reactor sites will be affected by
the final rule.2 This estimate includes sites with:
•
•
•
•

Operating power reactors (one, two, or three units);
Projected new power reactors for which a combined license (COL) already has been
issued under Part 52;
Power reactors under active construction under a Part 50 license (i.e., Watts Bar
Nuclear Plant Unit 2 );3 and
Decommissioning reactors.

The analysis evaluates the incremental costs of the final rule on a site (65) basis rather than on
a per unit (116) basis. For each type of site included in the analysis, Table 4-1 presents the
number of sites and the average number of years that sites are expected to be subject to the
final rule requirements (i.e., final rule applicability period).
The final rule applicability period was derived as follows:
•

Sites with only reactors that are currently in commercial operation - The final rule
applicability period for this type of site is estimated to be 34 years. This estimate is
based on the sum of the average remaining operating life across all sites and then
adding a 15-year decommissioning period. For each site, the staff identified the
operating reactor unit with the latest license expiration date.4 The staff then used that

2
The Bellefonte Nuclear Power Station is not included in this analysis because the site will not be affected by the
final rule. The site does not have any operating units, has no fuel on site, and new construction is indefinitely
delayed. Bellefonte Units 1 and 2 are under the Commission Policy Statement on Deferred Plants (52 FR 38077;
October 14, 1987).
3

Watts Bar Nuclear Plant Unit 2 is currently under active construction.

4

Based on information obtained from NRC, 2013-2014 Information Digest (NUREG-1350, Volume 25), "Appendix H:
U.S. Commercial Nuclear Power Reactor Operating Licenses - Expiration by Year, 2013–2049," August 2013.
Available at: http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr1350/, last accessed on July 7, 2014.

8

license expiration date to calculate the remaining operating life for the site. For example,
for a site where the last unit license expiration date will occur in 2017, the staff
calculated the remaining operating life to be 2 years (i.e., 2017 – 2015). The staff
assumed that all operating licenses go to term with the exception of: (1) early
terminations already announced (i.e., Vermont Yankee plans to terminate commercial
operation in December 2014 and Oyster Creek plans to terminate commercial operation
in 2019) and (2) license renewal applications already under consideration (i.e., Indian
Point Nuclear Generating) for which the staff assume that the license renewal is granted.
After the staff calculated the remaining operating life for each site, the staff then
calculated the average remaining operating life across all sites. Finally, the staff added
a 15-year decommissioning period. (Refer to “sites with only reactors that currently are
in decommissioning” for information on the derivation of the 15-year decommissioning
period).
•

Sites with both operating reactors and projected new reactors under a Part 52 license The final rule applicability period for this type of site is estimated to be 59 years. This
estimate is based on the sum of the average estimated remaining operating life across
all sites and then adding a 15-decommissioning period. For each site, the staff identified
the reactor unit with the latest license expiration date.5, 6, 7 The staff then used that
license expiration date to calculate the remaining operating life for the site. The staff
assumed that all licenses go to term. After the staff calculated the remaining operating
life for each site, the staff then calculated the average remaining operating life across all
sites. Finally, the staff added a 15-year decommissioning period. (Refer to “sites with
only reactors that currently are in decommissioning” for information on the derivation of
the 15-year decommissioning period).

•

Sites with both operating reactors and reactors under active construction under a Part 50
license – The final rule applicability period for this type of site is estimated to be
55 years. This estimate is based on the remaining operating life of the only site with
reactors under active construction under a Part 50 license (i.e., the Watts Bar Nuclear
Plant) and then adding a 15-year decommissioning period. (Refer to “sites with only
reactors that currently are in decommissioning” for information on the derivation of the
15-year decommissioning period).

5

Based on information obtained from NRC, 2013-2014 Information Digest (NUREG-1350, Volume 25), "Appendix H:
U.S. Commercial Nuclear Power Reactor Operating Licenses - Expiration by Year, 2013–2049," August 2013.
Available at: http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr1350/, last accessed on July 7, 2014.

6

Based on information obtained from NRC, 2013-2014 Information Digest (NUREG-1350, Volume 25), "Appendix A:
U.S. Commercial Nuclear Power Reactors - Operating Reactors under Active Construction or Deferred Policy,"
August 2013. Available at: http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr1350/, last accessed on
July 7, 2014

7

For a Part 52 license, the 40-year term of the license does not begin until after the 10 CFR 52.103(g) finding, which
occurs after construction is completed. Summer Units 2 and 3 are expected to begin commercial operation in 2016
and 2019, respectively. Vogtle Units 3 and 4 are expected to begin commercial operation in 2017 and 2018,
respectively.

9

•

Sites with only reactors that currently are in decommissioning – The final rule
applicability period for this type of site is estimated to be 15 years. This estimate is
based on information on time periods contained in Irradiated Fuel Transfer Plans
submitted, pursuant to 10 CFR 50.54(bb), by licensees that have prematurely shutdown
their reactor units.8

In estimating the costs to sites, the NRC staff classified sites with more than one type of reactor
under the site category with the longest final rule applicability period. For example, a site with
one operating reactor and one decommissioning reactor is categorized as a “site with only
reactors that are currently in commercial operation” because the final rule applicability period for
an operating reactor exceeds the period for a reactor that already is decommissioning.
Appendix B to this analysis presents additional information on the sites affected by the final rule,
including information on the categorization of the individual sites.

8

Kewaunee permanently ceased commercial operation on May 7, 2013. The licensee expects to have all of
Kewaunee’s spent fuel transferred from the spent fuel pool to the ISFSI by the end of year 2016 (e.g., transfer within
4 years of ceasing commercial operation). Crystal River Unit 3 permanently ceased commercial operation on
February 20, 2013, which is when the licensee transferred fuel from the reactor vessel to the spent fuel pool. The
licensee expects to have all of Crystal River Unit 3’s spent fuel transferred from the spent fuel pool to the ISFSI by the
end of year 2019 (e.g., transfer within 6 years of ceasing commercial operation). Based on these representative
plans, it is reasonable to estimate that licensees will transfer all spent fuel to ISFSI (e.g., dry cask storage) within
15 years of ceasing commercial operation.

10

Table 4-1. U.S. Commercial Nuclear Power Reactor Sites Affected by the Final Rule a
Number
of Sites

Final Rule
Applicability
Period (years)

Sites with only reactors that are currently in commercial
operation

58

34

Sites with both operating reactors and projected new reactors
under a Part 52 license

2

59

Sites with both operating reactors and reactors under active
construction under a Part 50 license

1

55

Sites with only reactors that currently are in decommissioning

4

15

65

Not applicable

Type of Site

Total
a

Sites with more than one type of reactor were included under the site category with the longest final rule
applicability period. Refer to Appendix B for information on the categorization of the individual sites.

Sources:
(1) NRC, "Operating Nuclear Power Reactors (by Location or Name)" Web page, www.nrc.gov. Data current as of
March 19, 2014. Available at: http://www.nrc.gov/info-finder/reactor/, last accessed on July 7, 2014.
(2) NRC, 2013-2014 Information Digest (NUREG-1350, Volume 25), "Appendix H: U.S. Commercial Nuclear Power
Reactor Operating Licenses - Expiration by Year, 2013–2049," August 2013. Available at:
http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr1350/, last accessed on July 7, 2014.
(3) NRC, "Combined License Applications for New Reactors" Web page, www.nrc.gov. Data current as of July 1,
2014. Available at: http://www.nrc.gov/reactors/new-reactors/col.html, last accessed on July 7, 2014.
(4) NRC, 2013-2014 Information Digest (NUREG-1350, Volume 25), "Appendix A: U.S. Commercial Nuclear Power
Reactors - Operating Reactors under Active Construction or Deferred Policy," August 2013. Available at:
http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr1350/, last accessed on July 7, 2014.
(5) NRC, "Locations of Power Reactor Sites Undergoing Decommissioning" Web page, www.nrc.gov. Data current
as of April 24, 2014. Available at: http://www.nrc.gov/info-finder/decommissioning/power-reactor/, last accessed
on July 7, 2014.

11

4.2.3.

Labor Rates

In estimating the incremental costs of the final rule, the analysis uses two hourly labor rates that
include salary, fringe benefits (e.g., paid leave and health benefits), and indirect costs:
•

The average labor rate for licensee staff is estimated to be $125 per hour.9

•

The average labor rate for NRC staff is estimated to be $121 per hour.10

Both average labor rates are in 2014 dollars.

4.2.4.

Assumptions

This subsection discusses the analysis of the costs associated with the implementation of the
final rule. The analysis employs the following assumptions and considerations:
•

All licensees are assumed to be in full compliance with the existing baseline
requirements. The costs to comply with the baseline requirements are not expected to
change with the final rule. Therefore, this analysis only presents the incremental costs
associated with the final rule changes.

•

All costs presented in this subsection are in 2014 dollars.

•

Implementation costs are assumed to be incurred in 2015.

•

Licensees will incur costs over the final rule applicability period, as presented in
Table 4-1. The actual time period that each site will be operated will depend on the term
of the operating license, and on whether the licensee chooses to operate the site for the
duration of the licensed period.

•

The costs incurred in each year of the analysis are discounted to the present using a
7 percent and 3 percent discount rate, in accordance with NUREG/BR-0058, Rev. 4,
“Regulatory Analysis Guidelines of the U.S. Nuclear Regulatory Commission.” (See
Section 5 for these results).

•

For purposes of this analysis, the costs under the final rule were categorized as follows:
o

One-time costs:
 Rulemaking activities;
 Development of procedures; and
 Initial notification training.

9

Based on data developed by the Bureau of Labor Statistics for “Power Plant Operators, Distributors, and
Dispatchers” (Standard Occupational Code 51-8010) and for “Nuclear Power Reactor Operators” (Standard
Occupational Code 51-8011), hourly labor rates for industry range from about $89 to $98. As a conservative
assumption, this analysis uses an hourly labor rate of $125.

10

NRC, Rulemaker@nrc.gov, "NRC Labor Rates for Use in Regulatory Analyses (as of October 2013),"
January 2, 2014.

12

o

Annual costs:
 One-hour notifications;
 Four-hour notifications;
 Eight-hour notifications;
 Twenty-four-hour recordable events;
 Written security follow-up reports;
 Inspections; and
 Recurring notification training.

The remainder of this subsection describes the derivation of the estimated per site costs for
each of the cost categories.
4.2.4.1.

Rulemaking Activities

In implementing the regulatory action, the NRC will perform rulemaking activities that include
development and publication of the final rule and regulatory guidance. To estimate the costs
associated with NRC’s rulemaking activities, the analysis employs the following assumptions:
•

1 person-year of NRC staff time (i.e., 1,375 hours) will be required for performing the
final rulemaking activities.11

•

The NRC published a proposed enhanced weapons rule in 2011 that contained new
security requirements for enhanced weapons and firearms background checks along
with proposed cyber security event notification requirements. The proposed cyber
security event notification requirements were a part of the much larger proposed
enhanced weapons and firearms background checks proposed rule. The NRC is unable
to determine the costs of the proposed cyber security event notification requirements
separate from the enhanced weapons activities. As such, only the hours for the final
cyber security event notification rulemaking activities are being reported in this analysis.

Based on the above, the NRC’s one-time cost for rulemaking activities is estimated to be
$166,375 (i.e., 1,375 hours x $121/hour).
4.2.4.2.

Development of Procedures

In implementing the regulatory action, licensees are expected to read the final rule and
develop/revise procedures (e.g., site security plan). To estimate the costs associated with the
development of procedures, the analysis employs the following assumptions:
•

On average, each site will require 88 hours of licensee staff time to read the final rule
and regulatory guide (RG), and develop 2 procedures for plant staff and security staff.
The following are the estimated hours to perform each task:
o
o
o

1 person – review final rule/RG = 8 hours
1 person – modify/create procedures = 40 hours
1 person – review procedures = 24 hours

11

Number of productive hours in one person-year obtained from NRC, Rulemaker@nrc.gov, "NRC Labor Rates for
Use in Regulatory Analyses (as of October 2013)," January 2, 2014.

13

o

o
o

Approval process (Site Management and Plant Operating Review Committee
(PORC)):
 Procedures Review – 2 hours * 6 people = 12 hours
 PORC Meeting – ¼ hour * 6 people = 1.5 hours
1 person – Enter procedures into plant document control system = 2 hours
Total is 87.5 hours, rounded up to 88 hours

Table 4-2 shows the estimated one-time cost per site for development of procedures, by type of
site.
Table 4-2. Estimated One-Time Cost per Site for Development of Procedures (2014 Dollars)
One-Time Cost to Industry a, b

One-Time Cost to the NRC

Sites with only reactors that are
currently in commercial operation

$11,000

Not applicable

Sites with both operating reactors and
projected new reactors under a Part 52
license

$11,000

Not applicable

Sites with both operating reactors and
reactors under active construction
under a Part 50 license

$11,000

Not applicable

Sites with only reactors that currently
are in decommissioning

$11,000

Not applicable

Type of Site

a
b

One-Time Cost to Industry = [88 hours] x [$125/hour].
Costs in the table are rounded to the nearest whole number.

4.2.4.3.

Initial Notification Training

In implementing the regulatory action, licensees are expected to revise their notification training
and deliver the revised training to designated personnel. To estimate the costs associated with
the initial notification training, the analysis employs the following assumptions:
Operating Reactors
• On average, each operating reactor site will require 286 hours of licensee staff time to
develop, approve, and deliver the initial notification training to 800 licensee staff
members. This time includes 36 hours to develop the training and 250 hours to deliver
the training. The following are the estimated hours to perform each task:
o

o
o

o

Read Final Rule/Regulatory Guide
 1 person from Licensing department = 8 hours
 1 person from Cyber Security Assessment Team (CSAT) = 8 hours
 1 person from Training department = 8 hours
Sub-total 24 hours
Training Material Development
 1 person to develop training materials/lesson plans = 8 hours
 1 person to review training materials/lesson plans = 4 hours
Sub-total 12 hours

14

o

Total Training Development Time = 36 hours

o

Initial Training of Plant Staff on CSEN Rule
 Operations/Engineering/Administrative staff: 600 people * 0.25 hour = 150 hours
 Security and CSAT staff: 200 people * 0.50 hours = 100 hours
Total Initial Training Time = 250 hours

o

Grand Total: 36 hours + 250 hours = 286 hours
Decommissioning Reactors
• On average, each decommissioning site will require 136 hours of licensee staff time to
develop, approve, and deliver the initial notification training to 300 licensee staff
members. This time includes 36 hours to develop the training and 100 hours to deliver
the training. The following are the estimated hours to perform each task:
o

o

Read Final Rule/Regulatory Guide
 1 person from Licensing department = 8 hours
 1 person from Cyber Security Assessment Team (CSAT) = 8 hours
 1 person from Training department = 8 hours
Sub-total 24 hours

o

Training Material Development
 1 person to develop training materials/lesson plans = 8 hours
 1 person to review training materials/lesson plans = 4 hours
Sub-total 12 hours

o

Total Training Development Time = 36 hours

o

Initial Training of Plant Staff on CSEN Rule
 Operations/Engineering/Administrative staff: 200 people * 0.25 hours = 50 hours
 Security and CSAT staff: 100 people * 0.50 hours = 50 hours
Total Training Development Time = 100 hours

o

o

Grand Total: 36 hours + 100 hours = 136 hours
Table 4-3 shows the estimated one-time cost per site for initial notification training, by type of
site.

15

Table 4-3. Estimated One-Time Cost per Site for Initial Notification Training (2014 Dollars)
One-Time Cost to Industry a, b

One-Time Cost to the NRC

Sites with only reactors that are
currently in commercial operation

$35,750

Not applicable

Sites with both operating reactors and
projected new reactors under a Part 52
license

$35,750

Not applicable

Sites with both operating reactors and
reactors under active construction
under a Part 50 license

$35,750

Not applicable

Sites with only reactors that currently
are in decommissioning

$17,000c

Not applicable

Type of Site

a
b
c

One-Time Cost to Industry = [286 hours] x [$125/hour].
Costs in the table are rounded to the nearest whole number.
One-Time Cost to Industry = [136 hours] x [$125/hour].

4.2.4.4.

One-Hour Notifications

Licensees subject to the provisions of 10 CFR 73.54 must make a telephonic notification of the
cyber security events identified at 10 CFR 73.77(a)(1) to the NRC within one hour after
discovery. Notifications must be made according to 10 CFR 73.77(c).
To estimate the costs associated with one-hour notifications, the analysis employs the following
assumptions:
•

On average, cyber security events occur once every two years (i.e., at a rate of
0.50 event per year) at each site that has reactors that are currently in commercial
operation, projected new reactors under a Part 52 license, and/or reactors under active
construction under a Part 50 license; cyber security events occur once every 20 years
(i.e., at a rate of 0.05 event per year) at each site that has only reactors that currently are
in decommissioning. This rate of occurrence is based on data collected by the NRC
since inception of the voluntary reporting initiatives and 10 CFR 73.54.

•

On average, each site will require 1 hour of licensee staff time to make a telephonic
notification.
On average, the NRC will require 5 hours of NRC staff time to review the information
provided by licensees and respond to a cyber security event telephonic notification. The
estimated hours are based on the NRC staff actions when a notification is received from
the voluntary reporting initiatives. Response actions may include one or more of the
following actions: (1) notifying the Cyber Assessment Team; (2) activation of the NRC’s
Headquarters Operations Center; (3) determining necessary follow-up actions based on
the event characteristics; (4) documenting reported events; (5) making additional
notifications to other government agencies (e.g., DHS); and (6) issuing threat advisories
to other licensees.

Table 4-4 shows the estimated annual cost per site for one-hour notifications, by type of site.

16

Table 4-4. Estimated Annual Cost per Site for One-Hour Notifications (2014 Dollars)
Annual Cost to Industry a, c

Annual Cost to the NRC b, c

Sites with only reactors that are
currently in commercial operation

$63

$303

Sites with both operating reactors and
projected new reactors under a Part 52
license

$63

$303

Sites with both operating reactors and
reactors under active construction
under a Part 50 license

$63

$303

Sites with only reactors that currently
are in decommissioning

$6

$30

Type of Site

a

Annual Cost to Industry = [Annual number of cyber security events per site] x [1 hour/event] x [$125/hour]. The “annual
number of cyber security events per site” is 0.50 for sites that have reactors that are currently in commercial operation,
projected new reactors under a Part 52 license, and/or reactors under active construction under a Part 50 license and
0.05 for sites that have only reactors that currently are in decommissioning.
b
Annual Cost to the NRC = [Annual number of cyber security events per site] x [5 hours/event] x [$121/hour]. The
“annual number of cyber security events per site” is 0.50 for sites that have reactors that are currently in commercial
operation, projected new reactors under a Part 52 license, and/or reactors under active construction under a Part 50
license and 0.05 for sites that have only reactors that currently are in decommissioning.
c
Costs in the table are rounded to the nearest whole number.

4.2.4.5.

Four-Hour Notifications

Licensees subject to the provisions of 10 CFR 73.54 must make a telephonic notification of the
cyber security events identified at 10 CFR 73.77(a)(2)(i)-(iii) to the NRC within four hours after
discovery. Notifications must be made according to 10 CFR 73.77(c).
To estimate the costs associated with four-hour notifications, the analysis employs the following
assumptions:
•

On average, cyber security events occur once a year at each site that has reactors that
are currently in commercial operation, projected new reactors under a Part 52 license,
and/or reactors under active construction under a Part 50 license; cyber security events
occur once every 10 years (i.e., at a rate of 0.10 event per year) at each site that has
only reactors that currently are in decommissioning. This rate of occurrence is based on
data collected by the NRC since inception of the voluntary reporting initiatives and
10 CFR 73.54.

•

On average, each site will require 0.50 hour of licensee staff time to make a telephonic
notification.

•

On average, the NRC will require 5 hours of NRC staff time to respond to a cyber
security event telephonic notification, including notifying the Cyber Assessment Team
and determining necessary follow-up actions. The estimated hours are based on the
NRC staff actions when a notification is received from the voluntary reporting initiatives.

Table 4-5 shows the estimated annual cost per site for four-hour notifications, by type of site.

17

Table 4-5. Estimated Annual Cost per Site for Four-Hour Notifications (2014 Dollars)
Annual Cost to Industry a, c

Annual Cost to the NRC b, c

Sites with only reactors that are
currently in commercial operation

$63

$605

Sites with both operating reactors and
projected new reactors under a Part 52
license

$63

$605

Sites with both operating reactors and
reactors under active construction
under a Part 50 license

$63

$605

Sites with only reactors that currently
are in decommissioning

$6

$61

Type of Site

a

Annual Cost to Industry = [Annual number of cyber security events per site] x [0.5 hour/event] x [$125/hour]. The
“annual number of cyber security events per site” is 1 for sites that have reactors that are currently in commercial
operation, projected new reactors under a Part 52 license, and/or reactors under active construction under a Part 50
license and 0.10 for sites that have only reactors that currently are in decommissioning.
b
Annual Cost to the NRC = [Annual number of cyber security events per site] x [5 hours/event] x [$121/hour]. The
“annual number of cyber security events per site” is 1 for sites that have reactors that are currently in commercial
operation, projected new reactors under a Part 52 license, and/or reactors under active construction under a Part 50
license and 0.10 for sites that have only reactors that currently are in decommissioning.
c
Costs in the table are rounded to the nearest whole number.

4.2.4.6.

Eight-Hour Notifications

Licensees subject to the provisions of 10 CFR 73.54 must make a telephonic notification of the
cyber security events identified at 10 CFR 73.77(a)(3) to the NRC within eight hours after
discovery. Notifications must be made according to 10 CFR 73.77(c).
To estimate the costs associated with eight-hour notifications, the analysis employs the
following assumptions:
•

On average, cyber security events occur 2.5 times a year at each site that has reactors
that are currently in commercial operation, projected new reactors under a Part 52
license, and/or reactors under active construction under a Part 50 license; cyber security
events occur once every two years (i.e., at a rate of 0.50 event per year) at each site that
has only reactors that currently are in decommissioning. This rate of occurrence is
based on data collected by the NRC since inception of the voluntary reporting initiatives
and 10 CFR 73.54.

•

On average, each site will require 0.50 hour of licensee staff time to make a telephonic
notification.

•

On average, the NRC will require 5 hours of NRC staff time to respond to a cyber
security event telephonic notification, including notifying the Cyber Assessment Team
and determining necessary follow-up actions. The estimated hours are based on the
NRC staff actions when a notification is received from the voluntary reporting initiatives.

Table 4-6 shows the estimated annual cost per site for eight-hour notifications, by type of site.

18

Table 4-6. Estimated Annual Cost per Site for Eight-Hour Notifications (2014 Dollars)
Annual Cost to Industry a, c

Annual Cost to the NRC b, c

Sites with only reactors that are
currently in commercial operation

$156

$1,513

Sites with both operating reactors and
projected new reactors under a Part 52
license

$156

$1,513

Sites with both operating reactors and
reactors under active construction
under a Part 50 license

$156

$1,513

Sites with only reactors that currently
are in decommissioning

$31

$303

Type of Site

a

Annual Cost to Industry = [Annual number of cyber security events per site] x [0.5 hour/event] x [$125/hour]. The
“annual number of cyber security events per site” is 2.5 for sites that have reactors that are currently in commercial
operation, projected new reactors under a Part 52 license, and/or reactors under active construction under a Part 50
license and 0.50 for sites that have only reactors that currently are in decommissioning.
b
Annual Cost to the NRC = [Annual number of cyber security events per site] x [5 hours/event] x [$121/hour]. The
“annual number of cyber security events per site” is 2.5 for sites that have reactors that are currently in commercial
operation, projected new reactors under a Part 52 license, and/or reactors under active construction under a Part 50
license and 0.50 for sites that have only reactors that currently are in decommissioning.
c
Costs in the table are rounded to the nearest whole number.

4.2.4.7.

Twenty-Four-Hour Recordable Events

Under 10 CFR 73.77(b), licensees must use the site corrective action program to record
vulnerabilities, weaknesses, failures and deficiencies in their 10 CFR 73.54 cyber security
program. Licensees also must use the site corrective action program to record notifications
made under section 73.77(a).
To estimate the costs associated with twenty-four-hour recordable events, the analysis employs
the following assumptions:
•

On average, each site that has reactors that are currently in commercial operation, projected
new reactors under a Part 52 license, and/or reactors under active construction under a
Part 50 license will record 10 entries per year in its corrective action program (i.e., 4 entries
on notifications made under section 73.77(a) and 6 entries on vulnerabilities, weaknesses,
deficiencies and failures within the cyber security program that do not fall into the cyber
security events under section 73.77(a)). For each site that has only reactors that currently in
decommissioning will record 2.5 entries per year in its corrective action program (i.e., 0.65
entries for notifications made under section 73.77(a) and 1.85 entries on vulnerabilities,
weaknesses, deficiencies and failures within the cyber security program that do not fall into
the cyber security events under section 73.77(a)). This rate of occurrence is based on data
collected by the NRC since inception of the voluntary reporting initiatives and 10 CFR 73.54.

•

On average, each site will require 0.50 hour of licensee staff time to record one entry in the
site corrective action program. The time required to perform corrective actions, trends, etc.,
are not part of this regulation. Those hours are included in the regulatory baseline as
required under the physical protection program per section 73.55.

19

Table 4-7 shows the estimated annual cost per site for twenty-four-hour recordable events, by
type of site.
Table 4-7. Estimated Annual Cost per Site for
Twenty-Four-Hour Recordable Events (2014 Dollars)
Annual Cost to Industry a, b

Annual Cost to the NRC

Sites with only reactors that are
currently in commercial operation

$625

Not applicable

Sites with both operating reactors and
projected new reactors under a Part 52
license

$625

Not applicable

Sites with both operating reactors and
reactors under active construction
under a Part 50 license

$625

Not applicable

Sites with only reactors that currently
are in decommissioning

$156

Not applicable

Type of Site

a

Annual Cost to Industry = [Annual number of recordable events per site] x [0.5 hour/event] x [$125/hour]. The “annual
number of recordable events per site” is 10 for sites that have reactors that are currently in commercial operation,
projected new reactors under a Part 52 license, and/or reactors under active construction under a Part 50 license and
2.5 for sites that have only reactors that currently are in decommissioning.
b
Costs in the table are rounded to the nearest whole number.

4.2.4.8.

Written Security Follow-Up Reports

Under 10 CFR 73.77(d), licensees making an initial telephonic notification of cyber security
events to the NRC according to the provisions of 10 CFR 73.77(a)(1), (a)(2)(i) and (a)(2)(ii) also
must submit a written security follow-up report to the NRC within 60 days of the telephonic
notification. However, licensees are not required to submit a written security follow-up report
following a telephonic notification made under 10 CFR 73.77(a)(2)(iii) (i.e., notification to a local,
State, or other Federal agency) and 10 CFR 73.77(a)(3) (i.e., notification regarding activities
that may indicate intelligence gathering or pre-operational planning related to a cyber attack).
To estimate the costs associated with written security follow-up reports, the analysis employs
the following assumptions:

12

•

On average, each site that has reactors that are currently in commercial operation,
projected new reactors under a Part 52 license, and/or reactors under active
construction under a Part 50 license will submit 1.5 written security follow-up reports to
the NRC every year; each site that has only reactors that currently are in
decommissioning will submit 1 written security follow-up report to the NRC
approximately every 6.67 years (i.e., at a rate of 0.15 reports per year). This rate of
occurrence is based on the estimated rates of events per year for the one and four hour
notifications.

•

On average, each site will require 80 hours12 of licensee staff time to prepare and submit
a written security follow-up report. The estimated time to complete the NRC Form 366 to

Includes recordkeeping (16 hrs), and time to prepare, review, approve, and submit the follow-up report (64 hrs).

20

report a cyber security event is similar to other reportable events already used by this
form. No additional information is being collected beyond what is already required by
the use of the form. The most recent information collection review included contacting
nine licensees to refine the burden estimate. The data collected determined that the
estimate of 80 hours of burden (including 16 hours of recordkeeping) is still valid.
•

On average, the NRC will require 1 hour of NRC staff time to review a written security
follow-up report. Information in these reports will be used by the NRC to get a clearer
understanding of the event, and to assess trends and patterns.

Table 4-8 shows the estimated annual cost per site for written security follow-up reports, by type
of site.
Table 4-8. Estimated Annual Cost per Site for
Written Security Follow-Up Reports (2014 Dollars)
Annual Cost to Industry a, c

Annual Cost to the NRC b, c

Sites with only reactors that are
currently in commercial operation

$15,000

$182

Sites with both operating reactors and
projected new reactors under a Part 52
license

$15,000

$182

Sites with both operating reactors and
reactors under active construction
under a Part 50 license

$15,000

$182

Sites with only reactors that currently
are in decommissioning

$1,500

$18

Type of Site

a

Annual Cost to Industry = [Annual number of reports per site] x [80 hours/report] x [$125/hour]. The “annual number of
reports per site” is 1.5 for sites that have reactors that are currently in commercial operation, projected new reactors under
a Part 52 license, and/or reactors under active construction under a Part 50 license and 0.15 for sites that have only
reactors that currently are in decommissioning.
b
Annual Cost to the NRC = [Annual number of reports per site] x [1 hour/report] x [$121/hour]. The “annual number of
reports per site” is 1.5 for sites that have reactors that are currently in commercial operation, projected new reactors under
a Part 52 license, and/or reactors under active construction under a Part 50 license and 0.15 for sites that have only
reactors that currently are in decommissioning.
c
Costs in the table are rounded to the nearest whole number.

4.2.4.9.

Inspections

Licensees must provide information on cyber security events recorded in the site corrective
action program during an inspection. On average, each site will be inspected by the NRC once
every two years (i.e., at a rate of 0.50 inspection per year). Inspectors are assumed to perform
their own queries of the site CAP to assist with their inspection activities. Also, time spent on
inspecting a site’s cyber security event notification requirements will be part of a larger security
inspection of the licensee so any costs will be offset by equivalent efforts in other areas. Thus,
although the inspection will occur, there will be no incremental cost to industry or the NRC.

21

4.2.4.10.

Recurring Notification Training

Licensees are expected to deliver their notification training to designated personnel. To
estimate the costs associated with the recurring notification training, the analysis employs the
following assumptions:
•

On average, each site will deliver the recurring notification training that includes the
cyber security event notification requirements once a year as part of their annual training
program.

Operating Reactors
• On average, each site will require 84 hours of licensee staff time to deliver the recurring
notification training to 800 licensee staff members at each site for operating reactors.
o
o
o

Operations/Engineering/Administrative staff: 600 people * 0.083 hours = 50 hours
Security and CSAT staff: 200 people * 0.17 hours = 34 hours
Total 84 hours

Decommissioning Reactors
• On average, each site will require 34 hours of licensee staff time to deliver the recurring
notification training for to 300 licensee staff members at each site decommissioning
reactors.
o
o
o

Operations/Engineering/Administrative staff: 200 people * 0.083 hour = 17 hours
Security and CSAT staff: 100 people * 0.17 hours = 17 hours
Total 34 hours

Table 4-9 shows the estimated annual cost per site for recurring notification training, by type of
site.
Table 4-9. Estimated Annual Cost per Site for Recurring Notification Training (2014 Dollars)
Annual Cost to Industry a, b

Annual Cost to the NRC

Sites with only reactors that are
currently in commercial operation

$10,500

Not applicable

Sites with both operating reactors and
projected new reactors under a Part 52
license

$10,500

Not applicable

Sites with both operating reactors and
reactors under active construction
under a Part 50 license

$10,500

Not applicable

Sites with only reactors that currently
are in decommissioning

$4,250c

Not applicable

Type of Site

a
b
c

Annual Cost to Industry = [1 recurring notification training per year] x [84 hour/training] x [$125/hour].
Costs in the table are rounded to the nearest whole number.
Annual Cost to Industry = [1 recurring notification training per year] x [34 hour/training] x [$125/hour].

22

5. Results
This section organizes the analytical results into four separate sections. Section 5.1 presents
results on the benefits and costs of the final rule as a whole, as well as disaggregated results for
each of the regulatory requirements that comprise the final rule. Section 5.2 presents the
results of a sensitivity analysis conducted to determine whether, and to what extent, the results
of the analysis are sensitive to changes in key assumptions and numeric inputs. Section 5.3
evaluates disaggregation of the requirements in the final rule. Section 5.4 addresses the
applicability of a safety goal evaluation to the final rule.

5.1.

Benefits and Costs of the Final Rule

This section discusses the benefits and costs estimated for the final rule.

5.1.1.

Summary of Benefits and Costs

Tables 5-1 through 5-3 summarize the benefits and costs of the final rule as a whole, and for
each quantifiable regulatory requirement contained in the final rule.
The final rule as a whole (Option 2) would result in a quantitative cost estimated between
$27.9 million and $42.6 million (at a 7 percent and 3 percent discount rate, respectively). These
costs are associated with four affected attributes⎯industry implementation, industry operation,
NRC implementation, and NRC operation. Section 4.2.4 provides detail on the incremental
activities under the final rule, and estimates the one-time and annual costs associated with
these activities.
The analysis does not quantify the benefits associated with Option 2, but it does describe them
qualitatively in Table 5-1. The NRC staff assumes that Option 2 would result in qualitative
benefits in the following attributes: safeguards and security considerations, regulatory efficiency,
public health (accident), occupational health (accident), off-site property, on-site property, and
other government agencies.
Overall, the benefits include an increased ability to protect digital computers, communication
systems, and networks associated with safety-related; important-to-safety; security; emergency
preparedness, to include offsite communications (SSEP); and support systems and equipment
which, if compromised, would adversely impact SSEP functions. Notifications and written
reports generated by licensees will be used by the NRC to respond to emergencies, monitor
ongoing events, assess trends and patterns, identify precursors of more significant events, and
inform other NRC licensees of cyber security-related events, enabling them to take preemptive
actions if necessary (e.g., increase security posture).

23

Table 5-1. Summary of Overall Benefits and Costs (Quantitative and Qualitative)
Benefits
Option 2:
Final Rule

Costs (2014 Dollars)

Safeguards and Security Considerations – Increased NRC's
ability to respond to cyber security events and to effectively
monitor ongoing licensee actions and inform other licensees in
a timely manner of cyber security-significant events and thus,
protect public health and safety and the common defense and
security.

Industry Implementation:

Regulatory Efficiency – The regulatory action will enhance
regulatory efficiency by establishing staff-approved guidance
that licensees may use to track, correct, and prevent cyber
security events. Consequently, licensees and the NRC will
face less uncertainty in determining compliance with the
regulatory requirements in the final rule.

$22.5 million using a 7% discount rate
$35.9 million using a 3% discount rate

Public Health (Accident) – Timely notification of potential
and/or imminent cyber attacks will improve the ability of the
NRC and other licensees to respond and take actions
necessary to mitigate the adverse impacts of cyber attacks
directed against nuclear power reactors. These actions are
expected to avert potential radiation exposure to the public
following an attack.

NRC Operation:

Occupational Health (Accident) – Timely notification of
potential and/or imminent cyber attacks will improve the ability
of the NRC and other licensees to respond and take actions
necessary to mitigate the adverse impacts of cyber attacks
directed against nuclear power reactors. These actions are
expected to avert potential radiation exposure to site workers
following an attack.
Off-Site Property – Timely notification of potential and/or
imminent cyber attacks will improve the ability of the NRC and
other licensees to respond and take actions necessary to
mitigate the adverse impacts of cyber attacks directed against
nuclear power reactors. These actions are expected to avert
potential off-site property damage and costs that may result
from an attack.
On-Site Property – Timely notification of potential and/or
imminent cyber attacks will improve the ability of the NRC and
other licensees to respond and take actions necessary to
mitigate the adverse impacts of cyber attacks directed against
nuclear power reactors. These actions are expected to avert
potential on-site property damage and costs that may result
from an attack.
Other Government Agencies – The CSEN final rule will not
have an effect on other Government agencies because the
reporting of suspicious or criminal activity related to terrorism
(e.g., physical security, cyber security) is captured under the
NIPP and part of the NRC’s strategic communications mission.
In addition, certain cyber security events reported to the NRC
that fall within the scope of 10 CFR 73.54 will not need to be
reported to other Government agencies.

24

$3.0 million
Industry Operation:

NRC Implementation:
$166,375

$2.2 million using a 7% discount rate
$3.5 million using a 3% discount rate
Total Costs:
$27.9 million using a 7% discount rate
$42.6 million using a 3% discount rate

Table 5-2. Summary of Quantified One-Time, Annual,
and Overall Costs of the Final Rule (2014 Dollars)
One-Time
Costs

Cost Category

Annual
Costs

Present Value
7% Discount
Rate

3% Discount
Rate

Rulemaking activities

$166,375

$0

$166,375

$166,375

Development of procedures

$715,000

$0

$715,000

$715,000

$2,248,750

$0

$2,248,750

$2,248,750

One-hour notifications

$0

$22,470

$309,810

$494,647

Four-hour notifications

$0

$41,016

$565,497

$902,861

Eight-hour notifications

$0

$103,145

$1,419,390

$2,263,996

Recordable events

$0

$38,749

$532,733

$849,332

Written security follow-up reports

$0

$932,174

$12,852,172

$20,519,587

Initial notification training

Inspections

$0

$0

$0

$0

Recurring notification training

$0

$657,500

$9,013,419

$14,348,917

$3,130,125

$1,795,054

$27,823,147

$42,509,465

Total

25

Table 5-3. Summary of Quantified One-Time, Annual, and Overall Costs
to Industry and the NRC, by Regulatory Requirement (2014 Dollars)
Costs to Industry
Cost Category

Rulemaking activities
Development of
procedures
Initial notification
training
One-hour notifications
Four-hour
notifications
Eight-hour
notifications
Recordable events
Written security
follow-up reports
Inspections
Recurring notification
training
Total

One-Time
Costs

Annual
Costs

$0

Costs to the NRC

Present Value

One-Time
Costs

Annual
Costs

7% Discount
Rate

3% Discount
Rate

$0

$0

$0

$166,375

$715,000

$0

$715,000

$715,000

$2,248,750

$0

$2,248,750

$0

$3,867

$0

Present Value
7% Discount
Rate

3% Discount
Rate

$0

$166,375

$166,375

$0

$0

$0

$0

$2,248,750

$0

$0

$0

$0

$53,320

$85,134

$0

$18,603

$256,490

$409,512

$3,867

$53,320

$85,134

$0

$37,149

$512,177

$817,727

$0

$9,640

$132,661

$211,603

$0

$93,505

$1,286,730

$2,052,393

$0

$38,749

$532,733

$849,332

$0

$0

$0

$0

$0

$921,000

$12,698,110

$20,273,610

$0

$11,174

$154,063

$245,977

$0

$0

$0

$0

$0

$0

$0

$0

$0

$657,500

$9,013,419

$14,348,917

$0

$0

$0

$0

$2,963,750

$1,634,623

$25,447,313

$38,817,482

$166,375

$160,431

$2,375,834

$3,691,983

26

5.1.2.

Incremental Costs by Type of Site

Tables 5-4 and 5-5 show the costs to industry and the NRC based on type of site, respectively.
The tables also show the per-site costs and number of sites used to estimate total costs.
Table 5-4. Summary of Estimated Costs to Industry
under the Final Rule, by Type of Site (2014 Dollars)
Type of Site
One-Time Costs
Sites with only reactors that are
currently in commercial operation
Sites with both operating reactors and
projected new reactors under a Part 52
license
Sites with both operating reactors and
reactors under active construction under
a Part 50 license
Sites with only reactors that currently
are in decommissioning

Per-Site Costs

Number of Sites

Total Costs

$46,750

58

$2,711,500

$46,750

2

$93,500

$46,750

1

$46,750

$28,000

4

$112,000

Total One-Time Costs
Annual Costs
Sites with only reactors that are
currently in commercial operation
Sites with both operating reactors and
projected new reactors under a Part 52
license
Sites with both operating reactors and
reactors under active construction under
a Part 50 license
Sites with only reactors that currently
are in decommissioning

$2,963,750

$26,407

58

$1,531,606

$26,407

2

$52,814

$26,407

1

$26,407

$5,949

4

$23,796

Total Annual Costs

27

$1,634,623

Table 5-5. Summary of Estimated Costs to the NRC
under the Final Rule, by Type of Site (2014 Dollars)
Type of Site

Per-Site Costs

Number of Sites

Total Costs

Not Applicable

65

$166,375

One-Time Costs
All sites

Total One-Time Costs
Annual Costs
Sites with only reactors that are
currently in commercial operation
Sites with both operating reactors and
projected new reactors under a Part 52
license
Sites with both operating reactors and
reactors under active construction under
a Part 50 license
Sites with only reactors that currently
are in decommissioning

$166,375

$2,603

58

$150,974

$2,603

2

$5,206

$2,603

1

$2,603

$412

4

$1,648

Total Annual Costs
.

28

$160,431

Tables 5-6 and 5-7 summarize the estimated per-site costs associated with each of the cost
categories for industry and the NRC, respectively.
Table 5-6. Estimated Per-Site Costs to Industry under the Final Rule (2014 Dollars)

Cost Category

Sites with
Only
Reactors
that are
Currently in
Commercial
Operation

Sites with
Both
Operating
Reactors and
Projected
New
Reactors
under a
Part 52
License

Sites with
Both
Operating
Reactors
and
Reactors
under Active
Construction
under a
Part 50
License

Sites with Only
Reactors that
Currently are in
Decommissioning

$11,000

$11,000

$11,000

$11,000

$35,750

$35,750

$35,750

$17,000

$46,750

$46,750

$46,750

$28,000

$63

$63

$63

$6

$63

$63

$63

$6

$156

$156

$156

$31

$625

$625

$625

$156

$15,000

$15,000

$15,000

$1,500

$0

$0

$0

$0

$10,500

$10,500

$10,500

$4,250

$26,407

$26,407

$26,407

$5,949

One-Time Costs
Develop procedures
Develop and deliver initial
notification training to designated
personnel
Total One-Time Costs
Annual Costs
Make one-hour notifications
(10 CFR 73.77(a)(1) and (c))
Make four-hour notifications
(10 CFR 73.77(a)(2)(i)-(iii) and (c))
Make eight-hour notifications
(10 CFR 73.77(a)(3) and (c))
Record events in site’s corrective
action program (10 CFR 73.77(b))
Prepare and submit written security
follow-up reports (10 CFR 73.77(d))
Provide information during
Inspections (10 CFR 73.77(b))
Update and deliver recurring
notification training to designated
personnel (10 CFR 73.77)
Total Annual Costs

29

Table 5-7. Estimated Per-Site Costs to the NRC under the Final Rule (2014 Dollars)

Cost Category

Sites with
Only
Reactors that
are Currently
in
Commercial
Operation

Sites with
Both
Operating
Reactors and
Projected
New
Reactors
under a
Part 52
License

Sites with
Both
Operating
Reactors
and
Reactors
under Active
Construction
under a
Part 50
License

Sites with Only
Reactors that
Currently are in
Decommissioning

One-Time Costs
Perform rulemaking activities
Annual Costs
Respond to one-hour notifications
(10 CFR 73.77(a)(1) and (c))
Respond to four-hour notifications
(10 CFR 73.77(a)(2)(i)-(iii) and (c))
Respond to eight-hour notifications
(10 CFR 73.77(a)(3) and (c))
Review written security follow-up
reports (10 CFR 73.77(d))
Review information during
inspections (10 CFR 73.77(b))
Total Annual Costs

$166,375
$303

$303

$303

$30

$605

$605

$605

$61

$1,513

$1,513

$1,513

$303

$182

$182

$182

$18

$0

$0

$0

$0

$2,603

$2,603

$2,603

$412

30

5.2.

Sensitivity Analysis

This section presents a sensitivity analysis in order to determine whether, and to what extent,
the results of the analysis are sensitive to costs according to the following alternative sets of
parameters:
•

Best Estimate. The NRC’s best estimate for key parameters is based on historic data
from voluntary cyber security reports from licensees. These values reflect the key
assumptions and numeric inputs discussed in Section 4.

•

Alternative Estimate. Higher estimates for the frequency of cyber security events.
These key parameters were selected for the sensitivity analysis because of the
uncertainty resulting from limited availability of data on the frequency of cyber security
events. The alternative estimates are based on the increased frequency of cyber
security events within the Federal Government which could potentially affect other
critical infrastructures and resources (i.e. nuclear sector). The NRC used these two
parameters to estimate the alternative annual frequencies a site could see in a higher
threat situation.

Table 5-8 presents the assumptions associated with key parameters used in the sensitivity
analysis.
Table 5-8. Assumptions Associated with Key Parameters Used in Sensitivity Analysis
Data Element

Annual Number
of Events that
Will Require a
One-Hour
Notification

Annual Number
of Events that
Will Require a
Four-Hour
Notification

Annual Number
of Events that
Will Require an
Eight-Hour
Notification

Best
Estimate

Alternative
Estimate

Sites with only reactors that are currently in commercial
operation

0.50

5

Sites with both operating reactors and projected new reactors
under a Part 52 license

0.50

5

Sites with both operating reactors and reactors under active
construction under a Part 50 license

0.50

5

Sites with only reactors that currently are in decommissioning

0.05

1

Sites with only reactors that are currently in commercial
operation

1

10

Sites with both operating reactors and projected new reactors
under a Part 52 license

1

10

Sites with both operating reactors and reactors under active
construction under a Part 50 license

1

10

Sites with only reactors that currently are in decommissioning

0.10

2

Sites with only reactors that are currently in commercial
operation

2.5

15

Sites with both operating reactors and projected new reactors
under a Part 52 license

2.5

15

Sites with both operating reactors and reactors under active
construction under a Part 50 license

2.5

15

Sites with only reactors that currently are in decommissioning

0.50

3.5

Type of Site

31

Table 5-8. Assumptions Associated with Key Parameters Used in Sensitivity Analysis
Best
Estimate

Alternative
Estimate

Sites with only reactors that are currently in commercial
operation

10

30

Sites with both operating reactors and projected new reactors
under a Part 52 license

10

30

Sites with both operating reactors and reactors under active
construction under a Part 50 license

10

30

Sites with only reactors that currently are in decommissioning

2.5

5

Sites with only reactors that are currently in commercial
operation

1.5

20

Sites with both operating reactors and projected new reactors
under a Part 52 license

1.5

20

Sites with both operating reactors and reactors under active
construction under a Part 50 license

1.5

20

Sites with only reactors that currently are in decommissioning

0.15

4.5

Data Element

Annual Number
of Entries in the
Site’s Corrective
Actions Program

Annual Number of
Written Follow-Up
Report after Initial
Cyber Security
Event Notification

Type of Site

In conducting the sensitivity analysis, the NRC re-computed the annual costs of the final rule
using the alternative estimate parameters shown in Table 5-8. The results of the sensitivity
analysis are presented in Table 5-9. Appendix C provides additional detail on the estimation of
the overall costs of the final rule based on the sensitivity analysis.
Table 5-9. Overall Costs of the Final Rule
Based on the Sensitivity Analysis (2014 Dollars)
Set of Data
Elements

7% Discount Rate

3% Discount Rate

Present Value

Annualized

Present Value

Annualized

Best Estimate

$27.9 million

$1.8 million

$42.6 million

$1.8 million

Alternative
Estimate

$203.4 million

$14.6 million

$322.5 million

$14.8 million

As shown in the table, the overall costs of the final rule are estimated to be between $27.9
million and $322.5 million (2014 dollars), depending on the alternative set of parameters used to
estimate the costs. In all cases, NRC concludes that the final rule is not an “economically
significant regulatory action” under Section 3(f)(1) of Executive Order 12866.

5.3.

Disaggregation

The NRC staff has evaluated the rulemaking to determine whether specific requirements have
to be considered separately, but has determined that the requirements in the final rule are
narrowly focused. Therefore, the analysis of disaggregated requirements is not necessary.

32

5.4.

Safety Goal Evaluation

The analysis relies primarily on a qualitative (rather than quantitative) evaluation of several of
the affected attributes (safeguards and security considerations, regulatory efficiency, public
health (accident), occupational health (accident), off-site property, and on-site property) due to
the difficulty in quantifying the impact of the current rulemaking. These attributes will be
affected by the regulatory options through the associated reduction in the risks of radiological
sabotage and damage to the reactor core and the spent fuel. Quantification of any of these
attributes would require estimation of factors such as: (1) the frequency of attempted
radiological sabotage, (2) the frequency with which radiological sabotage attempts are (i.e., prerule) and will be (i.e., post-rule) successful, and (3) the impacts associated with successful
radiological sabotage attempts.
Safety goal evaluations are applicable only to regulatory initiatives considered to be generic
safety enhancement backfit subject to the substantial additional protection standard at section
50.109(a)(3).4. Some aspects of this rule may qualify as generic safety enhancements because
they may affect the likelihood of core damage or spent fuel damage, which generally are the
focus of a quantitative safety goal evaluation. However, the magnitude of this change is not
readily quantifiable due to uncertainties discussed in Section 4.2 above. A more dominant
effect of this rule is to reduce the probability of other types of damage associated with a wide
array of acts of sabotage, although this effect is equally difficult to quantify. Because the
change in safety associated with the rulemaking cannot be quantified, the regulatory changes
cannot be compared to the NRC’s safety goals.

6. Decision Rationale for Selection of the Proposed Action
Relative to the “no-action” alternative, the final rule would cost industry between $27.7 million
and $41.1 million (at a 7-percent and 3-percent discount rate, respectively). The NRC costs are
estimated between $2.4 million and $3.7 million (at a 7-percent and 3-percent discount rate,
respectively). Therefore, the total cost of this final rule is estimated to range from $30.1 million
(7-percent discount rate) to $44.8 million (3-percent discount rate). (Costs are presented at a
high level; more detailed information is presented in Sections 4 and 5).
Although the NRC did not quantify the benefits of this final rule, the staff did qualitatively
examine benefits and concluded that the rule would provide safety and security-related benefits.
The NRC believes that prompt notification of a cyber attack is vital to the NRC’s ability to take
immediate action in response to a cyber attack and, if necessary, to notifiy other NRC licensees,
Government agencies, and critical infrastructure facilities, to defend against a multiple sector
(e.g., energy, financial, etc.) cyber attack. Like the attacks of September 2001, a cyber attack
has the capability to be launched against multiple targets simultaneously or spread quickly
throughout multiple sectors of critical infrastructure. In addition, reporting suspicious cyber
activities and incidents, even though their significance may seem minor, is a substantial safety
enhancement because it increases awareness of cyber security threats and allows time to plan
for appropriate response if an attack is substantiated.
Based on the NRC's assessment of the costs and benefits of the final rule on licensee facilities,
the NRC has concluded that the final rule provisions would be justified to support the NRC’s
strategic communications mission as well as protecting the public health and safety or the
common defense and security.

33

7. Implementation
The final rule is to take effect 30 days after publication in the Federal Register with a compliance
date within 180 days after publication in the Federal Register for those licensed to operate
under 10 CFR Parts 50 and 52, and subject to 10 CFR 73.54. The NRC staff does not expect
this rule to have any impact on other requirements.

8. List of Tables
Section 4 Tables
Table 4-1
Table 4-2
Table 4-3
Table 4-4
Table 4-5
Table 4-6
Table 4-7
Table 4-8
Table 4-9

U.S. Commercial Nuclear Power Reactor Sites Affected by the Final Rule
Estimated One-Time Cost per Site for Development of Procedures (2014 Dollars)
Estimated One-Time Cost per Site for Initial Notification Training (2014 Dollars)
Estimated Annual Cost per Site for One-Hour Notifications (2014 Dollars)
Estimated Annual Cost per Site for Four-Hour Notifications (2014 Dollars)
Estimated Annual Cost per Site for Eight-Hour Notifications (2014 Dollars)
Estimated Annual Cost per Site for Twenty-Four-Hour Recordable Events (2014
Dollars)
Estimated Annual Cost per Site for Written Security Follow-Up Reports (2014
Dollars)
Estimated Annual Cost per Site for Recurring Notification Training (2014 Dollars)

Section 5 Tables
Table 5-1
Table 5-2
Table 5-3
Table 5-4
Table 5-5
Table 5-6
Table 5-7
Table 5-8
Table 5-9

Summary of Overall Benefits and Costs (Quantitative and Qualitative)
Summary of Quantified One-Time, Annual, and Overall Costs of the Final Rule
(2014 Dollars)
Summary of Quantified One-Time, Annual, and Overall Costs to Industry and the
NRC, by Regulatory Requirement (2014 Dollars)
Summary of Estimated Costs to Industry under the Final Rule, by Type of Site
(2014 Dollars)
Summary of Estimated Costs to the NRC under the Final Rule, by Type of Site
(2014 Dollars)
Estimated Per-Site Costs to Industry under the Final Rule (2014 Dollars)
Estimated Per-Site Costs to the NRC under the Final Rule (2014 Dollars)
Assumptions Associated with Key Parameters Used in Sensitivity Analysis
Overall Costs of the Final Rule Based on the Sensitivity Analysis (2014 Dollars)

Appendix B Tables
Table B-1

U.S. Commercial Nuclear Power Reactor Sites Subject to the Cyber Security Event
Notifications Rule

Appendix C Tables
Table C-1
Table C-2
Table C-3

Industry Implementation (One-Time Costs): Develop Procedures
Industry Implementation (One-Time Costs): Develop and Revise Initial Notification
Training to Designated Personnel
Industry Operation (Annual Costs): Make One-Hour Notifications (10 CFR
73.77(a)(1) and (c))
34

Table C-4
Table C-5
Table C-6
Table C-7
Table C-8
Table C-9
Table C-10
Table C-11
Table C-12
Table C-13

Industry Operation (Annual Costs): Make Four-Hour Notifications (10 CFR
73.77(a)(2) and (c))
Industry Operation (Annual Costs): Make Eight-Hour Notifications (10 CFR
73.77(a)(3) and (c))
Industry Operation (Annual Costs): Record Events in Site Corrective Action
Program (10 CFR 73.77(b))
Industry Operation (Annual Costs): Prepare and Submit Written Security FollowUp Reports (10 CFR 73.77(d))
Industry Operation (Annual Costs): Update and Deliver Recurring Notification
Training to Designated Personnel (10 CFR 73.77)
NRC Implementation (One-Time Costs): Perform Rulemaking Activities
NRC Operation (Annual Costs): Respond to One-Hour Notifications (10 CFR
73.77(a)(1) and (c))
NRC Operation (Annual Costs): Respond to Four-Hour Notifications (10 CFR
73.77(a)(2) and (c))
NRC Operation (Annual Costs): Respond to Eight-Hour Notifications (10 CFR
73.77(a)(3) and (c))
NRC Operation (Annual Costs): Review Written Security Follow-Up Reports
(10 CFR 73.77(d))

9. References
Dominion Energy Kewaunee, Inc.; “Dominion Energy Kewaunee, Inc., Kewaunee Power
Station, Certification of Permanent Cessation of Power Operations;” February 25, 2013.
ADAMS Accession No. ML13058A065. Available at:
http://pbadupws.nrc.gov/docs/ML1305/ML13058A065.pdf, last accessed on
August 13, 2014.
Dominion Energy Kewaunee, Inc.; “Dominion Energy Kewaunee Inc., Kewaunee Power Station,
Update to Irradiated Fuel Management Plan pursuant to 10 CFR 50.54(bb);” April 15,
2014. ADAMS Accession No. ML14219A738. Available at:
http://pbadupws.nrc.gov/docs/ML1421/ML14219A738.pdf, last accessed on
August 13, 2014.
Duke Energy, “Crystal River Unit 3 – Certification of Permanent Cessation of Power Operations
and that Fuel Has Been Permanently Removed from Reactor,” February 20,2013.
ADAMS Accession No. ML13056A005. Available at:
http://pbadupws.nrc.gov/docs/ML1305/ML13056A005.pdf, last accessed on
August 13, 2014.
U.S. Department of Labor, Bureau of Labor Statistics; "May 2013 National Occupational
Employment and Wage Estimates, United States;" April 1, 2014. Available at:
http://www.bls.gov/oes/2013/may/oes_nat.htm, last accessed on July 7, 2014.
U.S. Department of Labor, Bureau of Labor Statistics; Employment Cost Index, Historical Listing
– Volume V; "Table 8. Employment Cost Index for wages and salaries, for civilian
workers, by occupation and industry, continuous occupational and industry series (not
seasonally adjusted);" April 2014. Available at: http://www.bls.gov/web/eci/ecicois.pdf,
last accessed on July 7, 2014.

35

U.S. Department of Labor, Bureau of Labor Statistics; News Release, Employer Costs for
Employee Compensation – March 2014; "Table 1. Employer costs per hour worked for
employee compensation and costs as a percent of total compensation: Civilian workers,
by major occupational and industry group, March 2014;" June 11, 2014. Available at:
http://www.bls.gov/news.release/archives/ecec_06112014.pdf, last accessed on July 7,
2014.
U.S. Nuclear Regulatory Commission, "Locations of Power Reactor Sites Undergoing
Decommissioning" Web page, www.nrc.gov. Data current as of April 24, 2014.
Available at: http://www.nrc.gov/info-finder/decommissioning/power-reactor/, last
accessed on July 7, 2014.
U.S. Nuclear Regulatory Commission, "Combined License Applications for New Reactors" Web
page, www.nrc.gov. Data current as of July 1, 2014. Available at:
http://www.nrc.gov/reactors/new-reactors/col.html, last accessed on July 7, 2014.
U.S. Nuclear Regulatory Commission, "Operating Nuclear Power Reactors (by Location or
Name)" Web page, www.nrc.gov. Data current as of March 19, 2014. Available at:
http://www.nrc.gov/info-finder/reactor/, last accessed on July 7, 2014.
U.S. Nuclear Regulatory Commission, Rulemaker@nrc.gov, "NRC Labor Rates for Use in
Regulatory Analyses (as of October 2013)," January 2, 2014.
U.S. Nuclear Regulatory Commission, 2013-2014 Information Digest (NUREG-1350, Volume
25), "Appendix A: U.S. Commercial Nuclear Power Reactors - Operating Reactors
under Active Construction or Deferred Policy," August 2013. Available at:
http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr1350/, last accessed on
July 7, 2014.
U.S. Nuclear Regulatory Commission, 2013-2014 Information Digest (NUREG-1350, Volume
25), "Appendix H: U.S. Commercial Nuclear Power Reactor Operating Licenses Expiration by Year, 2013–2049," August 2013. Available at: http://www.nrc.gov/readingrm/doc-collections/nuregs/staff/sr1350/, last accessed on July 7, 2014.
U.S. Nuclear Regulatory Commission; “Enhanced Weapons, Firearms Background Checks, and
Security Event Notifications, Proposed Rule;” 76 Federal Register 6200 (February 3,
2011) (amending 10 CFR Part 73). Available at: http://www.gpo.gov/fdsys/pkg/FR2011-02-03/pdf/2011-1766.pdf, last accessed on July 7,2014.
U.S. Nuclear Regulatory Commission; “Power Reactor Security Requirements, Final Rule;” 74
Federal Register 13926 (March 27, 2009) (amending 10 CFR Parts 50, 52, 72, and 73).
Available at: http://www.gpo.gov/fdsys/pkg/FR-2009-03-27/pdf/E9-6102.pdf, last
accessed on July 7, 2014.
U.S. Nuclear Regulatory Commission; “Power Reactor Security Requirements, Proposed Rule;”
71 Federal Register 62664 (October 26, 2006) (amending 10 CFR Parts 50, 72, and 73).
Available at: http://www.gpo.gov/fdsys/pkg/FR-2006-10-26/pdf/06-8678.pdf, last
accessed on July 7, 2014.

36

U.S. Nuclear Regulatory Commission; Regulatory Analysis Technical Evaluation Handbook
(NUREG/BR-OI84); Section 5.7, “Quantification of Attributes;” January 1997. Available
at: http://pbadupws.nrc.gov/docs/ML0501/ML050190193.pdf, last accessed on July 29,
2014.

37

[Page intentionally left blank.]

38

Appendix A
Backfit Analysis

A-1

[Page intentionally left blank.]

A-2

Backfit Analysis
The U.S. Nuclear Regulatory Commission (NRC) is amending its regulations in Part 73 to add
reporting and recordkeeping requirements related to certain cyber security events. The NRC is
adding these requirements because cyber security event reporting and recordkeeping
requirements were not included in the NRC’s final rule that added section 73.54 to the NRC’s
regulations (74 FR 13925; March 27, 2009). Section 73.54 requires power reactor licensees to
establish and maintain a cyber security program at their facilities to provide high assurance that
digital computer and communication systems and networks are adequately protected against
cyber attacks, up to and including the design basis threat as described in section 73.1. These
new requirements are being added to the security event notification provisions of Part 73 as
section 73.77.
Revisions that amend existing information collection and reporting requirements or impose new
information and collection and reporting requirements are not considered to be backfits, as
presented in the charter for the NRC’s Committee to Review Generic Requirements (CRGR).
Therefore, a backfit analysis has not been completed for this final rule.

A-3

[Page intentionally left blank.]

A-4

Appendix B
U.S. Commercial Nuclear Power Reactor Sites
Affected by the Final Rule

B-1

[Page intentionally left blank.]

B-2

Table B-1. U.S. Commercial Nuclear Power Reactor Sites Subject to the Cyber Security Event Notifications Rule
Reactors at Site

No.

Site Name

Location

Operating
Reactor
1 Unit

Operating
Reactors
2 Units

Operating
Reactors
3 Units

Projected
New
Reactor
Issued
Combined
License
under
Part 52

Reactors
under Active
Construction
under
Part 50
License

Reactors
Undergoing
Decommissioning

Type of Site for Purposes of
Analysis

1

Arkansas Nuclear One

London, AR

X

Site with only reactors that are
currently in commercial operation

2

Beaver Valley Power
Station

Shippingport, PA

X

Site with only reactors that are
currently in commercial operation

3

Braidwood Station

Braceville, IL

X

Site with only reactors that are
currently in commercial operation

4

Browns Ferry Nuclear
Plant

Athens, IL

5

Brunswick Steam
Electric Plant

Southport, NC

X

Site with only reactors that are
currently in commercial operation

6

Byron Station

Byron, IL

X

Site with only reactors that are
currently in commercial operation

7

Callaway Plant

Fulton, MO

8

Calvert Cliffs Nuclear
Power Plant

Lusby, MD

X

Site with only reactors that are
currently in commercial operation

9

Catawba Nuclear
Station

York, SC

X

Site with only reactors that are
currently in commercial operation

10

Clinton Power Station

Clinton, IL

X

Site with only reactors that are
currently in commercial operation

11

Columbia Generating
Station

Benton County, WA

X

Site with only reactors that are
currently in commercial operation

12

Comanche Peak
Nuclear Power Plant

Glen Rose, TX

13

Cooper Nuclear Station

Brownville, NE

14

Crystal River

Crystal River, FL

15

Davis Besse Nuclear
Power Station

Oak Harbor, OH

Site with only reactors that are
currently in commercial operation

X

Site with only reactors that are
currently in commercial operation

X

Site with only reactors that are
currently in commercial operation

X

Site with only reactors that are
currently in commercial operation

X
X

Site with only reactors that currently
are in decommissioning
Site with only reactors that are
currently in commercial operation

X

B-3

Table B-1. U.S. Commercial Nuclear Power Reactor Sites Subject to the Cyber Security Event Notifications Rule
Reactors at Site

No.

Site Name

Location

Operating
Reactor
1 Unit

Operating
Reactors
2 Units

Operating
Reactors
3 Units

Projected
New
Reactor
Issued
Combined
License
under
Part 52

Reactors
under Active
Construction
under
Part 50
License

Reactors
Undergoing
Decommissioning

Type of Site for Purposes of
Analysis

16

Diablo Canyon Nuclear
Power Plant

Avila Beach, CA

X

Site with only reactors that are
currently in commercial operation

17

Donald C. Cook Nuclear
Plant

Bridgman, MI

X

Site with only reactors that are
currently in commercial operation

18

Dresden Nuclear Power
Station

Morris, IL

X

19

Duane Arnold Energy
Center

Palo, IA

20

Edwin I. Hatch Nuclear
Plant

Baxley, GA

21

Fermi

Newport, MI

X

22

Fort Calhoun Station

Ft. Calhoun, NE

X

Site with only reactors that are
currently in commercial operation

23

Grand Gulf Nuclear
Station

Port Gibson, MS

X

Site with only reactors that are
currently in commercial operation

24

H.B. Robinson Steam
Electric Plant

Hartsville, SC

X

Site with only reactors that are
currently in commercial operation

25

Hope Creek Generating
Station

Hancocks Bridge, NJ

X

Site with only reactors that are
currently in commercial operation

26

Indian Point Nuclear
Power Plant

Buchanan, NY

27

James A. FitzPatrick
Nuclear Power Plant

Scriba, NY

28

Joseph M. Farley
Nuclear Plant

Columbia, AL

29

Kewaunee

Kewaunee, WI

30

LaSalle County Station

Marseilles, IL

X

Site with only reactors that are
currently in commercial operation

a

Site with only reactors that are
currently in commercial operation

X

Site with only reactors that are
currently in commercial operation

X
X

X

X

Site with only reactors that are
currently in commercial operation

Site with only reactors that are
currently in commercial operation

a

a

Site with only reactors that are
currently in commercial operation

X

Site with only reactors that are
currently in commercial operation

X
X

Site with only reactors that currently
are in decommissioning
Site with only reactors that are
currently in commercial operation

X

B-4

Table B-1. U.S. Commercial Nuclear Power Reactor Sites Subject to the Cyber Security Event Notifications Rule
Reactors at Site

No.

Site Name

Location

Operating
Reactor
1 Unit

Operating
Reactors
2 Units

Operating
Reactors
3 Units

Projected
New
Reactor
Issued
Combined
License
under
Part 52

Reactors
under Active
Construction
under
Part 50
License

Reactors
Undergoing
Decommissioning

Type of Site for Purposes of
Analysis

31

Limerick Generating
Station

Limerick, PA

X

Site with only reactors that are
currently in commercial operation

32

McGuire Nuclear Station

Huntersville, NC

X

Site with only reactors that are
currently in commercial operation

33

Millstone Power Station

Waterford, CT

X

34

Monticello Nuclear
Generating Plant

Monticello, MN

35

Nine Mile Point Nuclear
Station

Scriba, NY

X

Site with only reactors that are
currently in commercial operation

36

North Anna Power
Station

Mineral, VA

X

Site with only reactors that are
currently in commercial operation

37

Oconee Nuclear Station

Seneca, SC

38

Oyster Creek Nuclear
c
Generating Station

Forked River, NJ

X

Site with only reactors that are
currently in commercial operation

39

Palisades Nuclear Plant

Covert, MI

X

Site with only reactors that are
currently in commercial operation

40

Palo Verde Nuclear
Generating Station

Wintersburg, AZ

41

Peach Bottom Atomic
Power Station

Delta, PA

42

Perry Nuclear Power
Plant

Perry, OH

X

Site with only reactors that are
currently in commercial operation

43

Pilgrim Nuclear Power
Station

Plymouth, MA

X

Site with only reactors that are
currently in commercial operation

44

Point Beach Nuclear
Plant

Two Rivers, WI

X

Site with only reactors that are
currently in commercial operation

45

Prairie Island Nuclear
Generating Plant

Welch, MN

X

Site with only reactors that are
currently in commercial operation

X

Site with only reactors that are
currently in commercial operation

a

Site with only reactors that are
currently in commercial operation

X

Site with only reactors that are
currently in commercial operation

X

Site with only reactors that are
currently in commercial operation

X
X

X

B-5

Site with only reactors that are
currently in commercial operation

a

Table B-1. U.S. Commercial Nuclear Power Reactor Sites Subject to the Cyber Security Event Notifications Rule
Reactors at Site

No.

Site Name

Location

Operating
Reactor
1 Unit

Operating
Reactors
2 Units

Operating
Reactors
3 Units

Projected
New
Reactor
Issued
Combined
License
under
Part 52

Reactors
under Active
Construction
under
Part 50
License

Reactors
Undergoing
Decommissioning

Type of Site for Purposes of
Analysis

46

Quad Cities Nuclear
Power Station

Cordova, IL

47

R.E. Ginna Nuclear
Power Plant

Ontario, NY

X

Site with only reactors that are
currently in commercial operation

48

River Bend Station

St. Francisville, LA

X

Site with only reactors that are
currently in commercial operation

49

Salem Nuclear
Generating Station

Hancocks Bridge, NJ

50

San Onofre Nuclear
Generating Station

San Clemente, CA

51

Seabrook Station

Seabrook, NH

52

Sequoyah Nuclear Plant

Soddy-Daisy, TN

53

Shearon Harris Nuclear
Power Plant

New Hill, NC

54

South Texas Project

Bay City, TX

X

Site with only reactors that are
currently in commercial operation

55

St. Lucie Plant

Jensen Beach, FL

X

Site with only reactors that are
currently in commercial operation

56

Surry Power Station

Surry, VA

X

Site with only reactors that are
currently in commercial operation

57

Susquehanna Steam
Electric Station

Berwick, PA

X

Site with only reactors that are
currently in commercial operation

58

Three Mile Island
Nuclear Station

Middletown, PA

59

Turkey Point Nuclear
Generating

Homestead, FL

60

Vermont Yankee
Nuclear Power Station

Vernon, VT

Site with only reactors that are
currently in commercial operation

X

Site with only reactors that are
currently in commercial operation

X
X

Site with only reactors that currently
are in decommissioning
Site with only reactors that are
currently in commercial operation

X

Site with only reactors that are
currently in commercial operation

X

Site with only reactors that are
currently in commercial operation

X

X

X

Site with only reactors that are
currently in commercial operation

a

Site with only reactors that are
currently in commercial operation

X
X

B-6

Site with only reactors that currently
b
are in decommissioning

Table B-1. U.S. Commercial Nuclear Power Reactor Sites Subject to the Cyber Security Event Notifications Rule
Reactors at Site

No.

Site Name

Location

Operating
Reactor
1 Unit

61

Virgil C. Summer
Nuclear Station

Jenkinsville, SC

62

Vogtle Electric
Generating Plant

Waynesboro, GA

63

Waterford Steam
Electric Station

Killona, LA

X

64

Watts Bar Nuclear Plant

Spring City, TN

X

65

Wolf Creek Generating
Station

Burlington, KS

X

Operating
Reactors
2 Units

Operating
Reactors
3 Units

X

X

Projected
New
Reactor
Issued
Combined
License
under
Part 52

Reactors
under Active
Construction
under
Part 50
License

Reactors
Undergoing
Decommissioning

Type of Site for Purposes of
Analysis

X

Site with both operating reactors and
projected new reactors under a Part
52 license

X

Site with both operating reactors and
projected new reactors under a Part
52 license
Site with only reactors that are
currently in commercial operation
X

Site with both operating reactors and
reactors under active construction
under a Part 50 license
Site with only reactors that are
currently in commercial operation

a

Site has operating reactor(s) and decommissioning reactor(s). Because the final rule applicability period for an operating reactor exceeds the period for a reactor that already is decommissioning, the
site is categorized as a "site with only reactors that are currently in commercial operation" for purposes of this analysis.
b

The Vermont Yankee Nuclear Power Station is assumed to be in decommissioning on the effective date of the final rule (i.e., in 2015) and thus, is categorized as "site with only reactors that currently
are in decommissioning." The Vermont Yankee Nuclear Power Station plans to terminate commercial operation in December 2014. The operating license renewal applications for Indian Point Nuclear
Generating Units 2 and 3 are currently under NRC consideration and it was assumed that these license renewals will be granted.
c

Oyster Creek Nuclear Generating Station plans to terminate commercial operation in 2019.

Sources:
(1) NRC, "Operating Nuclear Power Reactors (by Location or Name)" Web page, www.nrc.gov. Data current as of March 19, 2014. Available at: http://www.nrc.gov/info-finder/reactor/, last accessed on
May 26, 2014.
(2) NRC, "Locations of Power Reactor Sites Undergoing Decommissioning" Web page, www.nrc.gov. Data current as of April 24, 2014. Available at: http://www.nrc.gov/infofinder/decommissioning/power-reactor/, last accessed on May 26, 2014.
(3) NRC, 2013-2014 Information Digest (NUREG-1350, Volume 25), "Appendix A: U.S. Commercial Nuclear Power Reactors - Operating Reactors under Active Construction or Deferred Policy," August
2013. Available at: http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr1350/#pubinfo, last accessed on May 26, 2014.
(4) NRC, "Combined License Applications for New Reactors" Web page, www.nrc.gov. Data current as of April 17, 2014. Available at: http://www.nrc.gov/reactors/new-reactors/col.html, last accessed
on May 26, 2014

B-7

[Page intentionally left blank.]

B-8

Appendix C
Estimation of Overall Costs of the Final Rule
Based on the Sensitivity Analysis

C-1

[Page intentionally left blank.]

C-2

Table C-1. Industry Implementation (One-Time Costs): Develop Procedures
For All Sites
Cost per Site

Cost for All
Sites

Sites with only reactors that are currently in commercial operation

$11,000

Sites with both operating reactors and projected new reactors under a Part 52 license
Sites with both operating reactors and reactors under active construction under a Part 50 license

Type of Site

Sites with only reactors that currently are in decommissioning

Present Value 7%
Discount Rate

Present Value 3%
Discount Rate

Annualized Value
7% Discount Rate

Annualized Value
3% Discount Rate

$638,000

$638,000

$638,000

$46,387

$29,312

$11,000

$22,000

$22,000

$22,000

$1,466

$777

$11,000

$11,000

$11,000

$11,000

$737

$399

$11,000
Total for all sites

$44,000

$44,000

$44,000

$4,515

$3,578

$715,000

$715,000

$715,000

$53,106

$34,066

Table C-2. Industry Implementation (One-Time Costs): Revise and Deliver Initial Notification Training to Designated
Personnel
For All Sites
Cost per Site

Cost for All
Sites

Sites with only reactors that are currently in commercial operation

$35,750

Sites with both operating reactors and projected new reactors under a Part 52 license

$35,750

Sites with both operating reactors and reactors under active construction under a Part 50 license

$35,750

Type of Site

Sites with only reactors that currently are in decommissioning

$17,000
Total for all sites

Present Value 7%
Discount Rate

Present Value 3%
Discount Rate

Annualized Value
7% Discount Rate

Annualized Value
3% Discount Rate

$2,073,500

$2,073,500

$2,073,500

$150,758

$95,264

$71,500

$71,500

$71,500

$4,766

$2,524

$35,750

$35,750

$35,750

$2,397

$1,296

$68,000

$68,000

$68,000

$6,978

$5,530

$2,248,750

$2,248,750

$2,248,750

$164,898

$104,614

Table C-3. Industry Operation (Annual Costs): Make One-Hour Notifications (10 CFR 73.77(a)(1) and (c))
For All Sites
Cost per Site

Cost for All
Sites

$625

Sites with both operating reactors and projected new reactors under a Part 52 license
Sites with both operating reactors and reactors under active construction under a Part 50 license
Sites with only reactors that currently are in decommissioning

$125

Type of Site

Sites with only reactors that are currently in commercial operation

Present Value 7%
Discount Rate

Present Value 3%
Discount Rate

Annualized Value
7% Discount Rate

Annualized Value
3% Discount Rate

$36,250

$498,575

$789,010

$36,250

$36,250

$625

$1,250

$18,754

$35,414

$1,250

$1,250

$625

$625

$9,322

$17,236

$625

$625

$500

$4,873

$6,148

$500

$500

$38,625

$531,524

$847,808

$38,625

$38,625

Total for all sites

C-3

Table C-4. Industry Operation (Annual Costs): Make Four-Hour Notifications (10 CFR 73.77(a)(2) and (c))
For All Sites
Cost per Site

Cost for All
Sites

Sites with only reactors that are currently in commercial operation

$625

Sites with both operating reactors and projected new reactors under a Part 52 license

$625

Type of Site

Present Value 7%
Discount Rate

Present Value 3%
Discount Rate

Annualized Value
7% Discount Rate

Annualized Value
3% Discount Rate

$36,250

$498,575

$789,010

$36,250

$36,250

$1,250

$18,754

$35,414

$1,250

$1,250

Sites with both operating reactors and reactors under active construction under a Part 50 license

$625

$625

$9,322

$17,236

$625

$625

Sites with only reactors that currently are in decommissioning

$125

$500

$4,873

$6,148

$500

$500

$38,625

$531,524

$847,808

$38,625

$38,625

Total for all sites

Table C-5. Industry Operation (Annual Costs): Make Eight-Hour Notifications (10 CFR 73.77(a)(3) and (c))
For All Sites
Cost per Site

Cost for All
Sites

Sites with only reactors that are currently in commercial operation

$938

Sites with both operating reactors and projected new reactors under a Part 52 license

$938

Sites with both operating reactors and reactors under active construction under a Part 50 license
Sites with only reactors that currently are in decommissioning

Type of Site

Present Value 7%
Discount Rate

Present Value 3%
Discount Rate

Annualized Value
7% Discount Rate

Annualized Value
3% Discount Rate

$54,404

$748,261

$1,184,146

$54,404

$54,404

$1,876

$28,146

$53,149

$1,876

$1,876

$938

$938

$13,991

$25,868

$938

$938

$219

$876

$8,537

$10,771

$876

$876

$58,094

$798,936

$1,273,934

$58,094

$58,094

Total for all sites

Table C-6. Industry Operation (Annual Costs): Record Events in Site Corrective Action Program (10 CFR 73.77(b))
For All Sites
Cost per Site

Cost for All
Sites

$1,875

Sites with both operating reactors and projected new reactors under a Part 52 license
Sites with both operating reactors and reactors under active construction under a Part 50 license

$313

Type of Site

Sites with only reactors that are currently in commercial operation

Sites with only reactors that currently are in decommissioning

Present Value 7%
Discount Rate

Present Value 3%
Discount Rate

Annualized Value
7% Discount Rate

Annualized Value
3% Discount Rate

$108,750

$1,495,725

$2,367,030

$108,750

$108,750

$1,875

$3,750

$56,263

$106,241

$3,750

$3,750

$1,875

$1,875

$27,967

$51,708

$1,875

$1,875

$1,252

$12,201

$15,395

$1,252

$1,252

$115,627

$1,592,156

$2,540,374

$115,627

$115,627

Total for all sites

C-4

Table C-7. Industry Operation (Annual Costs): Prepare and Submit Written Security Follow-Up Reports (10 CFR 73.77(d))
For All Sites
Cost per Site

Cost for All
Sites

Sites with only reactors that are currently in commercial operation

$200,000

Sites with both operating reactors and projected new reactors under a Part 52 license
Sites with both operating reactors and reactors under active construction under a Part 50 license

Type of Site

Sites with only reactors that currently are in decommissioning

Present Value 7%
Discount Rate

Present Value 3%
Discount Rate

Annualized Value
7% Discount Rate

Annualized Value
3% Discount Rate

$11,600,000

$159,543,964

$252,483,185

$11,600,000

$11,600,000

$200,000

$400,000

$6,001,383

$11,332,402

$400,000

$400,000

$200,000

$200,000

$2,983,147

$5,515,532

$200,000

$200,000

$45,000
Total for all sites

$180,000

$1,754,184

$2,213,293

$180,000

$180,000

$12,380,000

$170,282,679

$271,544,412

$12,380,000

$12,380,000

Table C-8. Industry Operation (Annual Costs): Update and Deliver Recurring Notification Training to Designated Personnel
(10 CFR 73.77)
For All Sites
Cost per Site

Cost for
All Sites

Sites with only reactors that are currently in commercial operation

$10,500

Sites with both operating reactors and projected new reactors under a Part 52 license
Sites with both operating reactors and reactors under active construction under a Part 50 license
Sites with only reactors that currently are in decommissioning

Type of Site

Present Value 7%
Discount Rate

Present Value 3%
Discount Rate

Annualized Value
7% Discount Rate

Annualized Value
3% Discount Rate

$609,000

$8,376,058

$13,255,367

$609,000

$609,000

$10,500

$21,000

$315,073

$594,951

$21,000

$21,000

$10,500

$10,500

$156,615

$289,565

$10,500

$10,500

$10,500

$17,000

$165,673

$209,033

$17,000

$17,000

$657,500

$9,013,419

$14,348,917

$657,500

$657,500

Total for all sites

C-5

Table C-9. NRC Implementation (One-Time Costs): Perform Rulemaking Activities
For All Sites
Type of Site

All Sites

Cost per Site

Cost for
All Sites

Not
Applicable
Total for all sites

Present Value 7%
Discount Rate

Present Value 3%
Discount Rate

Annualized Value
7% Discount Rate

Annualized Value
3% Discount Rate

$166,375

$166,375

$166,375

$11,089

$5,873

$166,375

$166,375

$166,375

$11,089

$5,873

Table C-10. NRC Operation (Annual Costs): Respond to One-Hour Notifications (10 CFR 73.77(a)(1) and (c))
For All Sites
Cost per Site

Cost for
All Sites

Sites with only reactors that are currently in commercial operation

$3,025

Sites with both operating reactors and projected new reactors under a Part 52 license

$3,025

Sites with both operating reactors and reactors under active construction under a Part 50 license

$3,025

Type of Site

Sites with only reactors that currently are in decommissioning

$605
Total for all sites

Present Value 7%
Discount Rate

Present Value 3%
Discount Rate

Annualized Value
7% Discount Rate

Annualized Value
3% Discount Rate

$175,450

$2,413,102

$3,818,808

$175,450

$175,450

$6,050

$90,771

$171,403

$6,050

$6,050

$3,025

$45,120

$83,422

$3,025

$3,025

$2,420

$23,584

$29,756

$2,420

$2,420

$186,945

$2,572,578

$4,103,390

$186,945

$186,945

Table C-11. NRC Operation (Annual Costs): Respond to Four-Hour Notifications (10 CFR 73.77(a)(2) and (c))
For All Sites
Cost per Site

Cost for
All Sites

$6,050

Sites with both operating reactors and projected new reactors under a Part 52 license
Sites with both operating reactors and reactors under active construction under a Part 50 license
Sites with only reactors that currently are in decommissioning

$1,210

Type of Site

Sites with only reactors that are currently in commercial operation

Present Value 7%
Discount Rate

Present Value 3%
Discount Rate

Annualized Value
7% Discount Rate

Annualized Value
3% Discount Rate

$350,900

$4,826,205

$7,637,616

$350,900

$350,900

$6,050

$12,100

$181,542

$342,805

$12,100

$12,100

$6,050

$6,050

$90,240

$166,845

$6,050

$6,050

$4,840

$47,168

$59,513

$4,840

$4,840

$373,890

$5,145,155

$8,206,779

$373,890

$373,890

Total for all sites

C-6

Table C-12. NRC Operation (Annual Costs): Respond to Eight-Hour Notifications (10 CFR 73.77(a)(3) and (c))
For All Sites
Cost per Site

Cost for
All Sites

Sites with only reactors that are currently in commercial operation

$9,075

Sites with both operating reactors and projected new reactors under a Part 52 license

$9,075

Sites with both operating reactors and reactors under active construction under a Part 50 license
Sites with only reactors that currently are in decommissioning

Type of Site

Present Value 7%
Discount Rate

Present Value 3%
Discount Rate

Annualized Value
7% Discount Rate

Annualized Value
3% Discount Rate

$526,350

$7,239,307

$11,456,425

$526,350

$526,350

$18,150

$272,313

$514,208

$18,150

$18,150

$9,075

$9,075

$135,360

$250,267

$9,075

$9,075

$2,118

$8,472

$82,564

$104,172

$8,472

$8,472

$562,047

$7,729,544

$12,325,072

$562,047

$562,047

Total for all sites

Table C-13. NRC Operation (Annual Costs): Review Written Security Follow-Up Reports (10 CFR 73.77(d))
For All Sites
Cost per Site

Cost for
All Sites

$2,420

Sites with both operating reactors and projected new reactors under a Part 52 license
Sites with both operating reactors and reactors under active construction under a Part 50 license

$545

Type of Site

Sites with only reactors that are currently in commercial operation

Sites with only reactors that currently are in decommissioning

Present Value 7%
Discount Rate

Present Value 3%
Discount Rate

Annualized Value
7% Discount Rate

Annualized Value
3% Discount Rate

$140,360

$1,930,482

$3,055,047

$140,360

$140,360

$2,420

$4,840

$72,617

$137,122

$4,840

$4,840

$2,420

$2,420

$36,096

$66,738

$2,420

$2,420

$2,180

$21,245

$26,805

$2,180

$2,180

$149,800

$2,060,440

$3,285,712

$149,800

$149,800

Total for all sites

C-7


File Typeapplication/pdf
File Modified2014-12-05
File Created2014-12-05

© 2024 OMB.report | Privacy Policy