Security regulation across the UK Civil Nuclear Industry has undergone a significant transformation, with a move away from prescription to a more outcome focused and objective approach. This has coincided with the publication of the Security Assessment Principles (SyAPs).
The Office for Nuclear Regulation (ONR) use SyAPs, together with supporting Technical Assessment Guides (TAGs) and Technical Inspection Guides (TIGs), to guide regulatory judgements when undertaking assessments of dutyholders’ security arrangements.
Within the UK, regulation of the Civil Nuclear Industry’s Supply Chain, and specifically holders of Sensitive Nuclear Information (SNI) outside of nuclear facilities, falls under Regulation 22 of the Nuclear Industries Security Regulations (NISR) 2003. This requires responsible persons to maintain such security standards, procedures and arrangements as are necessary for the purpose of minimising the risk of loss, theft or unauthorised disclosure of, or unauthorised access to, any SNI.
SNI has a number of legal definitions within UK legislation, within The Anti-Terrorism, Crime and Security Act 2001,The Nuclear Industries Security Regulations (NISR) 2003, and ,The Energy Act (TEA) 2013. Whilst not taking precedent over these legal definitions, a simple, working definition of SNI can be described as information relating to activities carried out on or in relation to civil nuclear premises; and deemed to be of value to an adversary planning a hostile act. This definition and further guidance can be found within ONR’s Classification Policy.
SNI that could have damaging consequences if lost, stolen or disclosed without authorisation should be classified as OFFICIAL – SENSITIVE. This typically applies to less detailed information concerning Category I –III NM or Vital Areas (VAs) that is only likely to affect a single layer of defence in depth and/or be of minimal consequence to the overall security effect.
SNI where compromise could seriously damage nuclear security should be protectively marked SECRET. This typically applies to highly detailed and exploitable information regarding Category I-III NM and VAs which could facilitate attack planning by affecting several layers of defence in depth and/or jeopardising an effective security response.
In order for a dutyholder to demonstrate evidence of effective arrangements in this area, and noting that SNI always accompanies a Government Security Classification (GSC), ONR considers the expectations and requirements articulated within the HMG Security Policy Framework (SPF) to be relevant good practice. As such ONR have directly mapped 5 of the 10 Fundamental Security Principles (FSyP) from the SyAPs to HMG SPF in order to provide a framework for dutyholders to evidence their arrangements and for regulators to make judgements on their adequacy.
The following mapping demonstrates the FSyPs deemed relevant to Regulation 22 dutyholders and how they relate to HMG SPF:
Regulation 22 dutyholders are typically subject to formal assurance by their respective Contracting Authorities. This process is commonly known as a Facility Security Clearance (FSC). In some circumstances, where there is no Contracting Authority in place such dutyholders may fall under direct regulation by ONR, who in effect undertake the FSC as part of regulatory interventions.
Once an FSC has been undertaken the designated facility can then be included on ‘List N’. Although ONR maintain ‘List N’, Contracting Authorities may issue or terminate contracts across their supply chain as deemed necessary in order to meet their business needs. Whilst there are similarities in the expectations for ‘List N’ and the Defence equivalent ‘List X’, the two processes remain separate.
In due course, it is ONRs intention to replace the current List N Database with a new Regulation 22 Dutyholder Portal. This portal will enable Regulation 22 Dutyholders to provide regulatory evidence to all of their Contracting Authorities and ONR in a single submission which can be updated as required. In addition Contracting Authorities will have the ability to view assurance activities undertaken as part of the Facility Security Clearance process by other Contracting Authorities, subject to approval by the respective Contractor. It is anticipated that this will reduce the regulatory burden on Contractors and improve risk management and awareness across the Sector. Legal accountability will remain unchanged under this process.
In addition to assurance activities conducted by Contracting Authorities, ONR conducts independent sampling inspections, both announced and unannounced on Regulation 22 dutyholder facilities in order to ensure adequate arrangements are in place for the protection of SNI. ONR would not routinely inspect facilities more frequently than once every 3 years for OFFICIAL-SENSITIVE and once every 2 years for SECRET unless there is evidence or regulatory intelligence that SNI may be at increased risk.
There are a number of scenarios that could lead to this which include: a major security breach; a series of more minor breaches; an increased threat, significant increases in SNI holdings or a significant change in the facility or its governance arrangements. It should be noted that ONR operates a full cost recovery model for all regulatory activities undertaken with dutyholders under the Nuclear Industries Security (Fees) Regulations 2005.
The international exchange of SNI is a complex area and requirements can vary depending upon the countries involved. As well as the HMG SPF, GSC and SyAPs, dutyholders must take into account: Cabinet Office Guidance for the sharing of Classified Information with international partners; General Security Agreements (where appropriate); and the security requirements of the overseas country concerned.
ONR’s regulatory expectations are that the Contracting Authority must ensure appropriate protective security controls are in place for the protection of SNI against compromise or loss wherever it is stored, processed, transmitted, controlled, secured or accessed regardless of whether this is in the UK or overseas. Dutyholders should undertake a risk assessment of any such proposed transfers of SNI overseas, involving HMG where concerns arise or risks appear unacceptable for additional guidance.
Further guidance is available by contacting ONR directly by email at firstname.lastname@example.org