Sensitive Nuclear Information (SNI) has a number of legal definitions within UK legislation, within The Anti-Terrorism, Crime and Security Act 2001, The Nuclear Industries Security Regulations (NISR) 2003, and The Energy Act (TEA) 2013. Whilst not taking precedent over these legal definitions, a simple, working definition of SNI can be described as information relating to activities carried out on or in relation to civil nuclear premises; and deemed to be of value to an adversary planning a hostile act. This definition and further guidance on how to classify information can be found within ONR's Classification Policy.
Within the UK, regulation of the Civil Nuclear Industry's Supply Chain, and specifically holders of Sensitive Nuclear Information (SNI) outside of nuclear facilities, falls under Regulation 22 of the Nuclear Industries Security Regulations (NISR) 2003 and they are commonly called List N Dutyholders. The Office for Nuclear Regulation (ONR) has responsibility for the regulation of these dutyholders.
Prior to becoming a List N dutyholder, organisations are typically subject to formal assurance by their respective Contracting Authorities. This process is commonly known as a Facility Security Clearance (FSC).
Once this assurance activity has taken place, the designated facility can then be included on the List N Portal, maintained by ONR (for further detail on the List N portal see below). This then informs ONR as to those dutyholders that fall under this regulation. Entry onto the portal is subject to the business needs of the Contracting Authorities who may issue or terminate contracts across their supply chain as deemed necessary.
NISR requires responsible persons to maintain such security standards, procedures and arrangements as are necessary for the purpose of minimising the risk of loss, theft or unauthorised disclosure of, or unauthorised access to, any SNI.
ONR uses the Security Assessment Principles (SyAPs), together with supporting Technical Assessment Guides (TAGs) and Technical Inspection Guides (TIGs), when undertaking assessments of dutyholders' security arrangements to guide regulatory judgements. In order for a dutyholder to demonstrate evidence of effective arrangements for SNI, and noting that SNI always accompanies a Government Security Classification (GSC), ONR considers the expectations and requirements articulated within the HMG Government Functional Standard GovS 007, and its predecessor HMG Security Policy Framework (SPF), to be relevant good practice. As such ONR have directly mapped 5 of the 10 Fundamental Security Principles (FSyP) from the SyAPs to HMG GovS 007 / SPF in order to provide a framework for dutyholders to evidence their arrangements and for regulators to make judgements on their adequacy. The 5 Fundamental Security Principles applicable are:
The 5 Fundamental Security Principles and their associated Technical Assessment Guides have been used as a basis for the development of a set of questions for dutyholders to demonstrate their security standards, procedures and arrangements in place. This is commonly called Evidencing Expectations (EE). The questions have been split between a Corporate, Facility and System question set that are used depending on where and how SNI is held. All dutyholders will be asked to complete the Corporate question set (once per dutyholder) but the Facilities and System questions are asked depending on the number of facilities and/or systems holding SNI.
ONR is taking a risk-based approach to the regulation of List N dutyholders, to apply a level of proportionality. As each contract is added to the List N portal, a short inherent risk profile questionnaire surrounding the type and quantity of SNI, handled as part of the contract, will be completed. This will then provide an inherent risk level for SNI held, ranging from very low to high. Evidencing Expectations are set at the risk level held by that dutyholder. This is cumulative in design so that all dutyholders will be asked questions at the very low inherent risk profile (IRP) level and additional supplementary questions based upon their risk profile level.
In addition to assurance activities conducted by Contracting Authorities, ONR conducts independent sampling inspections, both desktop or site-based (announced and unannounced) on Regulation 22 dutyholders, to ensure adequate arrangements are in place for the protection of SNI. The regularity and method of inspection is based on the inherent risk level relating to SNI holdings, meaning those at higher risk would be inspected on a more frequent basis. If there was evidence or regulatory intelligence that SNI may be at increased risk, then this may increase the regularity.
There are a number of scenarios that could lead to this which include: a major security breach; a series of more minor breaches; an increased threat, significant increases in SNI holdings or a significant change in the facility or its governance arrangements.
It should be noted that ONR operates a full cost recovery model for all regulatory activities undertaken with dutyholders under the Nuclear Industries Security (Fees) Regulations 2005.
ONR has introduced a List N Dutyholder Portal from June 2022. This portal will enable Dutyholders to provide regulatory evidence to all of their Contracting Authorities and ONR in a single submission which can be updated as required.
In addition, Contracting Authorities will have the ability to view existing assurance activities undertaken as part of the Facility Security Clearance process by other Contracting Authorities, subject to a contractual relationship being established with that contractor. It is anticipated that this will reduce the regulatory burden on contractors and improve risk management and awareness across the sector.
For a contractor to be added to the List N Portal, Contracting Authorities will input the contact details for the lead contact. This will initiate an email to that person with a link to the portal. The lead contact can then enter the facilities and systems that are utilised with the Contracting Authority for holding SNI. Once the associated contract has been added, the List N dutyholder will then answer the inherent risk profile and subsequent evidencing expectations question sets.
In order to facilitate the change from the interim List N database to the new Portal, all current List N entries on the interim database can remain as an active record until such time as their current approval expiry date is reached, or 31st March 2024, whichever comes sooner. By that date, they should have been migrated onto the portal. Any suppliers whose approval has already expired, should not renew their approvals on the legacy List N Database but rather migrate promptly to the List N Portal. Legal accountability will remain unchanged under this process.
The international exchange of SNI is a complex area and requirements can vary depending upon the countries involved. As well as the HMG SPF, Government Security Classification (GSC) and SyAPs, dutyholders must take into account: Cabinet Office Guidance for the sharing of Classified Information with international partners; General Security Agreements (where appropriate); and the security requirements of the overseas country concerned.
ONR's regulatory expectations are that the Contracting Authority must ensure appropriate protective security controls are in place for the protection of SNI against compromise or loss wherever it is stored, processed, transmitted, controlled, secured or accessed regardless of whether this is in the UK or overseas. Dutyholders should undertake a risk assessment of any such proposed transfers of SNI overseas, involving HMG where concerns arise, or risks appear unacceptable for additional guidance.