eCFR.io
Daily eCFR

§ 73.100 Technology-inclusive requirements for physical protection of licensed activities at commercial nuclear plants against radiological sabotage.

10 CFR 73.100

  1. CFR
  3. Title 10
  5. Chapter I
  7. Part 73
  9. Subpart J
  11. 10 CFR 73.100
Citation10 CFR 73.100
CorpusDaily eCFR
Displayed edition2026-05-07
Last updated2026-05-07

§ 73.100 Technology-inclusive requirements for physical protection of licensed activities at commercial nuclear plants against radiological sabotage.

(a) Introduction. (1) Each licensee that is licensed to operate a commercial nuclear plant under part 53 of this chapter and elects to implement the requirements of this section must identify achievable target sets in accordance with paragraph (b)(5) of this section and develop, implement, and maintain a physical protection program under the following requirements:

(i) Each licensee that demonstrates no achievable target sets exist in accordance with paragraph (b)(5) of this section, and does not credit any active measures (e.g., operator action, mitigative action, detection, assessment, armed response) in making that demonstration, is exempt from the remaining requirements of this section.

(ii) Each licensee that demonstrates no achievable target sets exist in accordance with paragraph (b)(5) of this section, and credits active measures in making that demonstration, must implement the requirements of this section through its physical security plan, training and qualification plan, safeguards contingency plan, and cybersecurity plan, referred to collectively hereafter as “security plans,” before initial fuel load into the reactor (or, for a fueled manufactured reactor, before initiating the removal of the features to prevent criticality required under § 53.620(d)(1) of this chapter); for such licensees, the requirements of paragraphs (b)(2) through (4) of this section will be deemed satisfied if the physical protection program is designed to ensure that the credited active measures will be implemented in response to threats up to and including the design-basis threat of radiological sabotage.

(iii) Each licensee that demonstrates achievable target sets exist, in accordance with paragraph (b)(5) of this section, must implement the requirements of this section through its physical security plan, training and qualification plan, safeguards contingency plan, and cybersecurity plan, referred to collectively hereafter as “security plans,” before initial fuel load into the reactor (or, for a fueled manufactured reactor, before initiating the removal of the features to prevent criticality required under § 53.620(d)(1) of this chapter).

(2) The security plans must identify, describe, and account for site-specific conditions that affect the licensee's capability to satisfy the requirements of this section.

(b) General performance objective and requirements. (1) The licensee must establish, implement, and maintain a physical protection program and a security organization, which will have as their objective to provide reasonable assurance that activities involving special nuclear material are not inimical to the common defense and security and do not constitute an unreasonable risk to the public health and safety.

(2) To satisfy the general performance objective of paragraph (b)(1) of this section, the physical protection program must protect against the design-basis threat of radiological sabotage as stated in § 73.1. Specifically, the licensee must—

(i) Ensure that the physical protection program capabilities to protect against the design-basis threat of radiological sabotage are maintained at all times; and

(ii) Provide defense in depth in achieving performance requirements through the integration of engineered systems, administrative controls, and management measures.

(3) The physical protection program must be designed to prevent the release of radionuclides from any source from exceeding the dose reference values defined in § 53.210 of this chapter.

(4) The physical protection program must be designed and implemented to achieve and maintain the reliability and availability of structures, systems, and components (SSCs) required for demonstrating compliance with the following performance requirements at all times:

(i) Intrusion detection. The licensee must be capable of detecting attempted and actual unauthorized access to interior and exterior areas containing SSCs needed to implement safety and security functions.

(ii) Intrusion assessment. The licensee must be capable of timely assessment for determining the cause of a detected intrusion.

(iii) Security communication. The licensee must be capable of continuous security communications. Communication systems must account for design-basis threats that can interrupt or interfere with continuity or integrity of communications.

(iv) Security response. The physical protection program must be designed to provide timely security response to interdict and neutralize adversary attacks up to and including the design-basis threat of radiological sabotage. The physical protection program must be designed to provide layers of security response, with each layer assuring that a single failure does not result in the loss of capability to neutralize the design-basis threat adversary. Structures, systems, and components relied on for delay functions must be designed to allow for timely security responses to adversary attacks with adequate defense in depth.

(A) The security response may rely on the use of onsite responders, law enforcement or other offsite armed responders, or a combination thereof, to fulfill the interdiction and neutralization functions required by paragraph (b)(4)(iv) of this section. A licensee relying entirely or partially on law enforcement or other offsite armed responders must—

(1) Maintain the capability to detect, assess, interdict, and neutralize threats as required by paragraphs (b)(4)(i), (b)(4)(ii), and (b)(4)(iv) of this section;

(2) Provide adequate delay to enable law enforcement or other offsite armed responders to fulfill the interdiction and neutralization functions for threats up to and including the design-basis threat of radiological sabotage;

(3) Provide necessary information about the facility and make available periodic training to law enforcement or other offsite armed responders who will fulfill the interdiction and neutralization functions for threats up to and including the design-basis threat of radiological sabotage;

(4) Fully describe in the safeguards contingency plan the role that law enforcement or other offsite armed responders will play in the licensee's protective strategy. The description must provide sufficient detail to enable the NRC to determine that the licensee's physical protection program provides reasonable assurance of adequate protection against threats up to and including the design-basis threat of radiological sabotage; and

(5) Identify criteria and measures to compensate for the degradation or absence of law enforcement or other offsite armed responders and propose suitable compensatory measures that meet the requirements of paragraph (h)(3) of this section to address this degradation.

(B) For licensees relying entirely or partially on law enforcement responders to fulfill the interdiction and neutralization functions required by paragraph (b)(4)(iv) of this section, the training and qualification requirements related to armed response personnel in paragraphs (c) and (e) of this section do not apply to law enforcement responders. The licensee shall continue to satisfy the performance evaluation requirements in paragraph (g) of this section for all armed response personnel, including law enforcement.

(v) Protecting against land and waterborne vehicle bomb assaults. The licensee must be capable of protecting the plant against the design-basis threat vehicle bomb assault. The methods that are relied on to protect against a design-basis threat land vehicle and waterborne vehicle bomb assault must be designed to protect the reactor building and structures containing safety- or security-related systems, and components from explosive effects.

(vi) Access control portals. The licensee must be capable of detecting and denying unauthorized access to persons and pass-through of contraband materials (e.g., weapons, incendiary devices, explosives) to protected areas.

(5) The licensee must identify and document complete and accurate target sets in accordance with the following:

(i) Preventative operator actions may be credited as target set elements when: sufficient time to implement exists; environmental conditions allow operator actions to be completed successfully; adversary interference is precluded; all equipment required for operator actions is available, dedicated, staged, and maintained; approved procedures exist specific to the task being performed; and training is maintained for proficiency of the credited operator action.

(ii) The identification of target sets must not assume the success of the security organization; except that licensees may consider delay provided by the security organization when assessing the availability of operator actions.

(iii) The licensee must consider cyberattacks in the identification of target sets.

(iv) The licensee must further identify achievable target sets through a site-specific analysis. Achievable target sets are those that are within the capabilities of the design-basis threat adversary to compromise, destroy, or render non-functional; cannot be mitigated after adversary interference is precluded and prior to a release of radionuclides exceeding dose reference values defined in 10 CFR 53.210; and, if defeated, result irreversibly in exceedance of the dose reference values in 10 CFR 53.210.

(v) The licensee must document and maintain the process used to identify achievable target sets, to include the site-specific analyses and methodologies used to determine and group the target set equipment or elements, including elements not contained in a protected or vital area.

(vi) The licensee must implement a process for the oversight of target set equipment and systems to ensure that changes to the configuration of the identified equipment and systems are considered in the licensee's protective strategy. Where appropriate, changes must be made to documented target sets.

(vii) The licensee must maintain records in accordance with paragraph (j) of this section and, in addition, must maintain site-specific analyses until submittal of the licensee's certifications required by § 53.1070 of this chapter.

(6) The licensee must identify and analyze site-specific conditions, including achievable target sets, that may affect the physical protection program needed to implement the requirements of this section. The licensee must account for these conditions in demonstrating compliance with the requirements of this section.

(7) The licensee must establish, implement, and maintain a performance evaluation program to assess the effectiveness of the licensee's implementation of the physical protection program to protect against the design-basis threat of radiological sabotage.

(8) The licensee must establish, implement, and maintain an access authorization program under § 73.56, and must describe the program in the physical security plan.

(9) The licensee must establish, implement, and maintain a cybersecurity program under § 73.54 or § 73.110 and must describe the program in the cybersecurity plan.

(10) The licensee must establish, implement, and maintain an insider mitigation program and must describe the program in the physical security plan.

(i) The insider mitigation program must monitor the initial and continuing trustworthiness and reliability of individuals granted or retaining unescorted access or unescorted access authorization to a protected or vital area, and implement defense-in-depth methodologies to minimize the potential for an insider (active, passive, or both) to adversely affect, either directly or indirectly, the licensee's capability to protect against radiological sabotage.

(ii) The insider mitigation program must integrate elements of—

(A) The access authorization program under § 73.56 or § 73.120;

(B) The fitness-for-duty program under 10 CFR part 26;

(C) The cybersecurity program under § 73.54 or § 73.110; and

(D) The physical protection program under this section.

(11) The licensee must have the capability to track, trend, correct, and prevent recurrence of failures and deficiencies in the implementation of the requirements of this section.

(12) Implementation of security plans and associated procedures must be coordinated with other onsite plans and procedures to preclude conflict during both normal and emergency conditions and ensure the adequate management of the safety and security interface.

(13)(i) The licensee must ensure that the firearms background check requirements of § 73.17 of this part are met for all members of the security organization whose official duties require access to covered weapons or who inventory enhanced weapons.

(ii) The provisions of this paragraph (b)(13) are only applicable to licensees subject to this section that are also subject to the firearms background check provisions of § 73.17 of this part.

(c) Security organization. The licensee must establish and maintain a security organization that is staffed, trained, qualified, and equipped to implement the physical protection program under the requirements of this section.

(1) The licensee must establish a management system for maintaining and implementing security policies and procedures to implement the requirements of this section and the security plans.

(2) Implementing procedures must document the conduct of security operations, security design and configuration controls, maintenance, training and qualification, and contingency responses.

(3) The licensee must—

(i) Establish a process for the approval of designs, policies, processes, and procedures and changes by the individual with overall responsibility for the physical protection program; and

(ii) Ensure that revisions and changes to the physical protection program and implementing policies, processes, and procedures satisfy the requirements of this section.

(4) The licensee must retain, in accordance with § 73.70, all analyses, assessments, calculations, and descriptions of the technical basis for demonstrating compliance with the performance requirements of paragraph (b) of this section. The licensee must protect these records in accordance with the requirements for protecting safeguards information in §§ 73.21 and 73.22.

(5) The licensee may not permit any individual to implement any part of the physical protection program unless the individual has been trained, equipped, and qualified to perform their assigned duties and responsibilities in accordance with the training and qualification plan.

(d) Search requirements. The licensee must establish and implement searches of individuals, vehicles, and materials to detect and prevent the introduction into the protected area of firearms, explosives, incendiary devices, or other items and material which could be used to commit radiological sabotage.

(e) Training and qualification program. The licensee must establish and maintain a training and qualification program that ensures personnel who are responsible for the physical protection of the facility against radiological sabotage are able to effectively perform their assigned security-related job duties for implementing the requirements of this section and must describe the program in the training and qualification plan.

(f) Security reviews. The licensee must establish and implement security reviews to assess the effectiveness of the implementation of the physical protection program. Security reviews must be performed by individuals independent of those personnel responsible for program management and any individual who has direct responsibility for implementing the onsite physical protection program.

(1) The licensee must review each element of the physical protection program at a frequency commensurate with the importance or significance to safety of plant operations to ensure timely identification and documentation of vulnerabilities, improvements, and corrective actions. The objective of these reviews must be maintaining effective implementation of the engineered and administrative controls required to achieve the physical protection program functions and the management system required to implement programs and requirements in this section.

(2) The licensee must establish and perform self-assessments to ensure the effective implementation of the physical protection program functions of detection, assessment, communication, delay, and interdiction and neutralization to protect against the design-basis threat of radiological sabotage. The licensee must perform design verification and assessments of the capabilities of active and passive engineering systems relied on to protect against the design-basis threat.

(3) Reviews of the security program must include, but are not limited to, an audit of the effectiveness of the physical protection program, security plans, implementing procedures, cybersecurity programs, safety/security interface activities, the testing, maintenance, and calibration program, and response commitments by local, State, and Federal law enforcement authorities.

(4) The results and recommendations of the onsite physical protection program reviews, management's findings regarding program effectiveness, and any actions taken as a result of recommendations from prior program reviews, must be documented in a report and must be maintained in an auditable form and available for inspection.

(g) Performance evaluation. Licensee performance evaluations must include methods appropriate and necessary to assess, test, and challenge the integration of the physical protection program's functions to protect against the design-basis threat, including measures to protect against cyberattack and engineered systems designed to protect against the design-basis threat standalone ground vehicle bomb attack.

(1) The licensee must establish the frequencies for performance evaluations commensurate with the security significance of the physical protection program.

(2) The licensee must document processes and procedures for implementing the performance evaluations. The licensee must maintain records, including results, findings, and corrective actions identified during the performance evaluations.

(h) Maintenance, testing, and calibration and corrective actions. (1) The licensee must ensure that security SSCs, including supporting systems, are inspected, tested, and calibrated for operability and performance at intervals necessary and sufficient to meet the requirements of this section.

(2) The licensee must implement corrective actions to ensure resolution of identified vulnerabilities and deficiencies to meet the requirements of this section.

(3) The licensee must establish and implement timely compensatory measures for degraded or inoperable security SSCs to meet the requirements of this section. Compensatory measures must provide a level of protection that is equivalent to the protection that was provided prior to the degradation or inoperability of the security structures, systems, or components.

(4) The licensee must document processes and procedures and maintain records for implementing the corrective actions, compensatory measures, and maintenance, inspection, testing, and calibration of security SSCs.

(i) Suspension of security measures. (1) The licensee may suspend implementation of affected requirements of this section in accordance with § 53.740(h) of this chapter under the following conditions:

(i) In an emergency, when action is immediately needed to protect the public health and safety; and

(ii) During severe weather, when the suspension of affected security measures is immediately needed to protect the personal health and safety of personnel.

(2) Suspended security measures must be reinstated as soon as conditions permit.

(3) The suspension of security measures must be reported and documented in accordance with the provisions of §§ 73.1200 and 73.1205.

(j) Records. (1) The Commission may inspect, copy, retain, and remove all reports, records, and documents required to be kept by Commission regulations, orders, or license conditions, whether the reports, records, and documents are kept by the licensee or a contractor.

(2) The licensee must maintain all records required to be kept by Commission regulations, orders, or license conditions, until the Commission terminates the license for which the records were developed and must maintain superseded portions of these records for at least 3 years after the record is superseded, unless otherwise specified by the Commission.

(3) If a contracted security force is used to implement the onsite physical protection program, the licensee's written agreement with the contractor must be retained by the licensee as a record for the duration of the contract.

(4) Review and audit reports must be available for inspection, for a period of 3 years.