Section 8: Facility Threat and Risk Assessment
24. The licensee shall perform a threat and risk assessment specific to the facility in which it conducts licensed activities in order to determine the adequacy of its physical protection system based on the design basis threat or threat assessment as prescribed by the NRRC.
25. The licensee shall make modifications to its physical protection system, as necessary, to counter any credible threat identified as a result of the threat and risk assessment and shall kept a written record of each threat and risk assessment conducted.
26. The licensee shall provide a copy of the written record, along with a statement of actions taken as a result of the threat and risk assessment, to the NRRC within the time period specified by the NRRC upon completion of the assessment.
Section 9: Assignment of Nuclear Security Responsibilities
27. The licensee shall assign qualified personnel, subject to the NRRC approval, in charge with a de-fined role and responsibility to effectively implement nuclear security measures ensuring the facil-ity's continuous operational functions, and to liaise and cooperate with the NRRC and competent security agencies.
28. At the minimum, the licensee shall ensure the availability of the following effective nuclear securi-ty functions:
(a) Security management;
(b) Security operations; and
(c) Physical protection.
29. The licensee shall have in place trained and adequately equipped guards to perform their func-tions in accordance with nuclear security measures and arrangement.
30. The licensee shall ensure that assigned personnel and guards are familiar with nuclear security measures, the locations of nuclear material at the site, and procedures contributing to the im-plementation of the regulatory requirements of this regulation.
Section 10: Protection Areas and Layers
31. The licensee shall designate a nuclear security area depending on the category of nuclear material and sabotage targets for which defense in depth needs is applied based on the following:
(a) limited access area;
(b) protected area; and
(c) inner areas and vital areas.
32. The protection areas shall be physically separated through each having its own protection layer.
33. The licensee shall establish sufficient nuclear security measures for each security areas as pre-scribed by the NRRC.
34. The licensee shall control and manage procedures and record for the movement of persons and vehicles inside the security areas.
Section 11: Information and Cybersecurity
35. The licensee shall have sufficient measures for protecting computer-based systems, including sys-tems used for nuclear safety, nuclear material accounting and control, and the physical protec-tion. Consideration shall be given to the potential capabilities of the adversary, from the perspec-tive of both insider threats and external threats.
36. The licensee shall implement requirements for protecting the confidentiality of information, the unauthorized disclosure of which could compromise the physical protection of nuclear material and facility.
37. The licensee shall ensure information security and cybersecurity as prescribed in the Regulation on Information Protection and Cybersecurity (NRRC-R-20).
38. The licensee shall submit to the NRRC for approval information and cybersecurity plan describing details measures prescribed in Article 43 of this regulation.
Section 12: Training
39. The licensee shall ensure that all personnel is familiar with nuclear security measures, the loca-tions of nuclear material at the site, the procedures contributing to the implementation of these at the nuclear facility, and nuclear material transport and shall keep up-to-date record of this training.
Section 13: Security Culture
40. The licensee shall be responsible for establishing and maintaining a dynamic and effective securi-ty culture in which there is an identification of any credible threat that may exist, and where every individual in the entire organization has a role in nuclear security.
Section 14: Quality Assurance
41. The licensee shall establish and implement a quality assurance policy and quality assurance pro-gram in order to ensure that specified requirements for all activities important to nuclear security measures are satisfied.
Section 15: Trustworthiness
42. The licensee shall ensure the trustworthiness of persons working or having authorized access to the nuclear facility or confidential information, as well as those participating in activities involving nuclear material, in use and storage, onsite movement, transport and treatment, and nuclear waste.
43. The licensee shall ensure the trustworthiness of employees and persons working or having au-thorized access, with or without escorted access, to the nuclear facility or confidential information or participating in activities dealing with nuclear material in cooperation with competent security agencies.
Section 16: Insider Mitigation
44. The licensee shall establish, maintain, and implement insider mitigation measures to monitor the initial and continual trustworthiness and reliability of individuals granted or retaining unescorted access authorization to a protected or vital area or sensitive information.
45. The licensee shall implement defense-in-depth methodologies to minimize the potential for an in-sider to adversely affect, either directly or indirectly, the licensee's capability to prevent sabotage and unauthorized removal of nuclear material.
46. Measures for preventing threats related to persons who have authorized access to nuclear facili-ty, nuclear material during transport or confidential information, shall be implemented systemat-ically and extended to the licensee's subcontractors and employees.
Section 17: Records
47. A record of all persons who have access to or possession of nuclear security systems including computer systems that control access to nuclear material and/or protection areas shall be kept in an up-to-date record by the licensee.
48. The licensee shall ensure the identity of persons transacting any activity at the licensee's premises and shall keep up-to-date records of this control.
49. The licensee shall comply to the requirements to the duration of maintaining the records as pre-scribed by NRRC.
50. The licensee shall maintain all records related to the implementation of all requirements pre-scribed under this regulation for compliance and verification measures by the NRRC.
Section 18: Nuclear Material Accounting and Control for Nuclear Security
51. The licensee shall ensure control of, and be able to account for, all nuclear material at a nuclear facility at all times.
52. The licensee shall design and implement a Nuclear Material Accountancy and Control (NMAC) system as prescribed in Nuclear Material Accountancy and Control (NRRC-R-12).
53. The licensee shall ensure that the nuclear material accountancy and control system is able to pro-vide accurate information about the potentially missing nuclear material in the facility following a nuclear security event.
54. The licensee shall report any confirmed accounting discrepancy in a timely manner as prescribed by the NRRC.
55. The licensee shall ensure sufficient measures for nuclear material accounting and control are in place for nuclear security purposes and comply with the requirements prescribed in the Regula-tion on Nuclear Material Accountancy and Control (NRRC-R-12).
Section 19: Sustainability Program
56. The licensee shall develop, implement, and maintain means and procedures for maintenance and testing of physical protection systems.
57. Performance testing shall be carried out in accordance with the nuclear security plans and imple-menting procedures.
58. The licensee shall ensure that the intended function of the nuclear security equipment and sys-tem do not compromise in the event when modifications and replacement take place.
59. Maintenance of nuclear security equipment shall be performed according to approved proce-dures, vendor's recommendations, experience feedback, and system performance to ensure that design requirements are not compromised.
60. The licensee shall establish sustainability programs for its physical protection systems that en-compass:
(a) Operating procedures and instructions;
(b) Human resource management and training;
(c) Equipment updating, maintenance, repair, and calibration;
(d) Performance testing and operational monitoring;
(e) Configuration management; and
(f) Resource allocation and operational cost analysis.
Section 20: Compensatory Measures
61. The licensee shall immediately identify and implement measures to compensate for, degraded or inoperable equipment, systems, and components, as well as in the case that physical protection equipment is taken out of service.
62. The licensee shall implement compensatory measures in case nuclear security measures are de-termined to be incapable of providing the required level of security and the relevant corrective ac-tions shall be submitted to NRRC for approval.
63. Compensatory measures shall provide a level of protection that is equivalent to the protection that was provided by the equipment, system, or components prior to degradation or inoperabil-ity.
64. The licensee's Nuclear Security Plan shall include a plan for compensatory measures.
Section 21: Nuclear Security Plan
65. The applicant shall submit a security plan for the approval by the NRRC as part of the licensing process for the facility or activity to be licensed.
66. The security plan shall be designed according to the category of nuclear material being protected and the levels of the potential radiological consequences of sabotage.
67. The licensee shall notify the NRRC without delay of any significant events concerning unauthor-ized actions that affect the physical protection of nuclear material or nuclear facilities that deviate from the approved security plan.
68. The licensee shall submit all other relevant plans, programs and measures prescribed by this reg-ulation as part of the nuclear security plan.
Section 22: Contingency Plan
69. The licensee shall prepare and submit a contingency plan to respond to nuclear security event as defined in the design basis threat.
70. The licensee shall include written arrangements with an off-site response force in the contingency plan to ensure the protection of a facility where it conducts licensed activities.
71. The licensee shall ensure capability at all times for immediate communication among the security monitoring room, the on-site nuclear response force, and the off-site response force.
72. The licensee shall ensure that the off-site response force can support the on-site nuclear re-sponse force in making an effective intervention when requested to do so by the licensee.
73. The licensee shall implement joint exercises between on-site response force and the off-site re-sponse force as prescribed by the NRRC.
74. Whenever a threat is detected, the person in charge of the security at the facility shall take control of nuclear security measures preventing the threat and submit the relevant reports to the NRRC.