Regulatory Guide 5.87, Suspicious Activity Reports Under 10 CFR Part 73
Suspicious Activity Reports Under 10 CFR Part 73. Related to 10 CFR 73.1215, Suspicious activity reports. A lower reporting level to 10 CFR 73.1200 or 10 CFR 73.1210.
- Rev 1: https://www.nrc.gov/docs/ML2329/ML23299A172.pdf
- Rev 0: https://www.nrc.gov/docs/ML1713/ML17138A384.pdf
see also
- 10 CFR 73.1215, Suspicious activity reports
- Other Reg guide related to higher level reporting: Regulatory Guide 5.62, Physical Security Event Notifications, Reports, and Records
text
U.S. NUCLEAR REGULATORY COMMISSION
REGULATORY GUIDE 5.87 REVISION 1
Issue Date: May 2024
Technical Lead: P. Brochman
Written suggestions regarding this guide may be submitted through the NRC’s public Web site in the NRC Library at
https://www.nrc.gov/reading-rm/doc-collections/reg-guides/index.html., under Document Collections, in Regulatory Guides, at
https://www.nrc.gov/reading-rm/doc-collections/reg-guides/contactus.html, and will be considered in future updates and
enhancements to the “Regulatory Guide” series. During the development process of new guides suggestions should be submitted
within the comment period for immediate consideration. Suggestions received outside of the comment period will be considered
if practical to do so or may be considered for future updates.
Electronic copies of this RG, previous versions of RGs, and other recently issued guides are also available through the NRC’s
public web site in the NRC Library at https://www.nrc.gov/reading-rm/doc-collections/reg-guides/index.html/under Document
Collections, in Regulatory Guides.
• This RG is also available through the NRC’s Agencywide Documents Access and Management System (ADAMS) at
http://www.nrc.gov/reading-rm/adams.html, under Accession Number No. ML23299A172.
• The associated draft guide DG-5082 may be found in ADAMS under Accession No. ML23198A151, and
• The staff responses to the public comments on DG-5082 may be found in ADAMS under Accession No.
SUSPICIOUS ACTIVITY REPORTS
UNDER 10 CFR PART 73
A. INTRODUCTION
Purpose
This regulatory guide (RG) describes methods and procedures that the staff of the U.S. Nuclear
Regulatory Commission (NRC) considers acceptable for use by licensees to comply with NRC
regulations for implementing the provisions of Title 10 of the Code of Federal Regulations
(10 CFR) Part 73, “Physical Protection of Plants and Materials” (Ref. 1).
Applicability
This RG applies to NRC licensees who are subject to the provisions of 10 CFR 73.1215,
“Suspicious activity reports” (SARs).
This includes licensees of facilities licensed under both 10 CFR Part 50, “Domestic Licensing of
Production and Utilization Facilities” (Ref. 2), and 10 CFR Part 52, “Licenses, Certifications, and
Approvals for Nuclear Power Plants” (Ref. 3).
This RG also applies to licensees possessing special nuclear material (SNM) licensed under
10 CFR Part 70, “Domestic Licensing of Special Nuclear Material” (Ref. 4), and licensees of radioactive
waste storage facilities licensed under 10 CFR Part 72, “Licensing Requirements for the Independent
Storage of Spent Nuclear Fuel and High-Level Radioactive Waste, and Reactor-Related Greater Than
Class C Waste” (Ref. 5).
Moreover, this RG also apples to licensees transporting certain types of special nuclear material
and radioactive waste. A detailed discussion of the applicability of 10 CFR 73.1215 to licensees who are
subject to 10 CFR Part 50, Part 52, Part 70, or Part 72 is found in this RG’s section B, “Discussion,”
under the subsection “Applicability to Specific Facilities, Materials, and Shipping Activities.”
RG 5.87, Revision 1, Page 2
Applicable Regulations
• 10 CFR Part 73 requires licensees to establish and maintain a physical protection system which
will have capabilities for the protection of SNM at fixed sites and in transit and of the plants or
facilities in which SNM is used. This includes production and utilization facilities, including both
operating and decommissioning production reactors, power reactors, non-power reactors, and
other non-power production and utilization facilities. It also includes facilities possessing or
transportation activities involving strategic special nuclear material (SSNM), SNM, spent nuclear
fuel (SNF), and high-level radioactive waste (HLW).
o 10 CFR 73.1200, “Notification of physical security events,” requires licensees to notify
the NRC Headquarters Operations Center of events involving imminent or actual hostile
actions, significant security events, security challenges, and security program failures.
o 10 CFR 73.1215, “Suspicious activity reports,” requires licensees to report suspicious
activities involving licensee facilities, materials, and shipping activities to their applicable
local law enforcement agency (LLEA), their applicable Federal Bureau of Investigation
(FBI) local field office, the NRC Headquarters Operations Center, and subsequently, their
applicable local Federal Aviation Administration (FAA) control tower if the suspicious
activity involves aircraft.
• 10 CFR Part 95, “Facility Security Clearance and Safeguarding of National Security Information
and Restricted Data,” establishes procedures for obtaining facility security clearances and for
safeguarding Secret and Confidential National Security Information (NSI) and Restricted Data
(RD) received or developed in conjunction with activities licensed, certified, or regulated by the
Commission (Ref. 6).
o 10 CFR 95.57, “Reports,” requires, in part, that licensees report any alleged or suspected
violation of the Atomic Energy Act of 1954, as amended (AEA); Espionage Act; or other
Federal statutes related to protection of classified information (e.g., the loss, theft, or
deliberate disclosure of classified NSI or RD to unauthorized persons).
• 10 CFR Part 150, “Exemptions and Continued Regulatory Authority in Agreement States and In
Offshore Waters Under Section 274,” provides certain exemptions to persons in Agreement
States from the licensing requirements contained in Chapters 6, 7, and 8 of the AEA and from the
regulations of the Commission imposing requirements upon persons who receive, possess, use or
transfer byproduct material, source, or special nuclear material in quantities not sufficient to form
a critical mass; and to define activities in Agreement States and in offshore waters over which the
regulatory authority of the Commission continues (Ref. 7).
o 10 CFR 150.11, “Critical mass,” specifies the maximum quantity of SSNM or SNM that
may be possessed by an Agreement State licensee.
o 10 CFR 150.14, “Commission regulatory authority for physical protection,” specifies that
Agreement State licensees possessing a Category III quantity of SSNM remain subject to
the NRC’s physical security requirements under 10 CFR 73.67, “Licensee fixed site and
in-transit requirements for the physical protection of special nuclear material of moderate
and low strategic significance.”
Related Guidance
RG 5.87, Revision 1, Page 3
• Regulatory Guide (RG) 5.62, “Physical Security Event Notifications, Reports, and Records,”
provides guidance on physical security event notifications. For example, a notification that may
arise because of an LLEA response to a suspicious activity report (Ref. 8).1
Purpose of Regulatory Guides
The NRC issues RGs to describe methods that are acceptable to the staff for implementing
specific parts of the agency’s regulations, to explain techniques that the staff uses in evaluating specific
issues or postulated events, and to describe information that the staff needs in its review of applications
for permits and licenses. Regulatory guides are not NRC regulations and compliance with them is not
required. Methods and solutions that differ from those set forth in RGs are acceptable if supported by a
basis for the issuance or continuance of a permit or license by the Commission.
Paperwork Reduction Act
This RG provides voluntary guidance for implementing the mandatory information collections in
10 CFR Part 73 that are subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et. seq.). This
information collection was approved by the Office of Management and Budget (OMB), approval number
3150-0002. Send comments regarding this information collection to the FOIA, Library, and Information
Collections Branch (T6-A10M), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or
by email to Infocollects.Resource@nrc.gov, and to the OMB reviewer at: OMB Office of Information and
Regulatory Affairs (3150-0002), Attn: Desk Officer for the Nuclear Regulatory Commission, 725
17th Street, NW, Washington, DC 20503.
Public Protection Notification
The NRC may not conduct or sponsor, and a person is not required to respond to, a request for
information or an information collection requirement unless the requesting document displays a valid
OMB control number.
1 The NRC staff intends to develop a separate guidance document on suspicious activity reporting following licensee’s
implementation of 10 CFR 73.1215. The staff intends to hold a question and answer (Q&A) workshop subsequent to the 300-
day compliance period for implementing the new suspicious activity reporting requirements under the final rule to allow
licensees to share lessons learned from the implementation process. Issues raised during the Q&A workshop will inform the
NRC staff’s development of this separate guidance document.
B. DISCUSSION
Reason for Issuance
The NRC staff is issuing revision 1 to RG 5.87 to address issues raised by industry stakeholders
following the publication of the “Enhanced Weapons, Firearms Background Checks, and Security Event
Notifications” final rule (Ref. 9, hereafter the enhanced weapons rule) and revision 0 to this RG.
Revision 0 to RG 5.87 was issued because the NRC had promulgated new requirements under
10 CFR 73.1215 of the enhanced weapons rule on reporting suspicious activities.
Following the publication of the enhanced weapons rule and revision 0 to this RG, the NRC staff
conducted several pre-implementation workshops with licensees. The NRC staff also participated in
industry-led forums and symposiums in May and June 2023. In these meetings industry raised questions
about revision 0 to this RG and identified potential inconsistencies and areas where additional
clarification would be beneficial to licensees to assist them in implementing the enhanced weapons rule
effectively and efficiently. Revision 1 to this RG is being issued to resolve these inconsistencies and
improve the clarity of this RG.
Background
On February 3, 2011, the NRC issued the enhanced weapons proposed rule (Ref. 10). The
proposed rule set forth requirements for licensees seeking to apply for preemption authority under
Section 161A of the Atomic Energy Act of 1954, as amended. Also included in the proposed rule were
new requirements for certain security event notifications. On the same date, the NRC issued Draft
Regulatory Guide (DG)-5019, Revision 1, “Reporting and Recording Safeguards Events” (Ref. 11), for
public comment. The DG provided licensees with guidance in implementing the requirements in the
proposed enhanced weapons rule. Specifically, DG-5019 provided proposed guidance in three broad
areas: (1) physical security event notifications, reports, and records; (2) cybersecurity event notifications
and reports; and (3) suspicious activity reports. The NRC subsequently relocated the cybersecurity event
notification guidance in DG-5019 into RG 5.83, “Cyber Security Event Notifications” (Ref. 12). The
NRC further divided DG-5019 by placing the suspicious activity reporting guidance in this separate final
RG 5.87. The remaining guidance on physical security event notifications, written follow-up reports, and
records will remain in RG 5.62.
This regulatory guide provides acceptable methods that licensees subject to 10 CFR 73.1215 may
use in reporting suspicious activities to applicable LLEA, applicable FBI local field office, the NRC, and
the applicable local FAA control tower for activities involving suspicious aircraft (Appendix A, Section
A-2.1, of this RG for further guidance). Following the events of September 11, 2001, the NRC issued
security advisories and other guidance on suspicious activities and requested that such activity be
voluntarily reported to the NRC. The new requirements in 10 CFR 73.1215 make the reporting of
suspicious activities to these various agencies mandatory for certain licensees. The guide contains both
examples of suspicious activities that require reporting and other examples of activities for which a
licensee may exercise discretion and not report the activity as suspicious. The NRC staff does not
consider these examples to be all-inclusive.
The NRC has determined that licensees’ timely submission of SARs to the NRC and to law
enforcement is an important part of the U.S. government’s efforts to disrupt or dissuade malevolent acts
against the nation’s critical infrastructure. Despite the increasingly fluid and unpredictable nature of the
threat environment, some elements of terrorist tactics, techniques, and procedures remain constant. For
example, attack planning and preparation generally proceed through several predictable stages, including
RG 5.87, Revision 1, Page 6
intelligence gathering and pre-attack surveillance. Reporting suspicious activities that could be indicative
of preoperational surveillance or reconnaissance efforts, challenges to security systems and protocols, or
elicitation of non-public information related to security or emergency response programs, offer law
enforcement and security personnel the greatest opportunity to disrupt or dissuade acts of terrorism before
they occur. Additionally, licensees’ timely submission of SARs to the NRC supports one of the agency’s
primary mission essential functions of threat assessment for licensed facilities, materials, and shipping
activities.
In this regulation, the NRC sought to balance agency and national objectives of reporting
suspicious activities, while not imposing unnecessary or undue burden on licensees. In this regard, it is
not the NRC’s intent to dispute a licensee’s conclusions about whether an event is considered to be
suspicious. Accordingly, the NRC intends to focus any inspection and enforcement efforts regarding this
new regulation on programmatic aspects (e.g., adherence to established procedures, training, points of
contact, and the reporting process).
=Completing Assessments
The regulations in 10 CFR 73.1215(c) require licensees to promptly assess whether an activity is
suspicious and if so, report it as soon as possible, but within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> of the time of discovery. The
language in 10 CFR 73.1215(c)(2)(i) establishes a firm 4-hour time limit for reporting suspicious
activities. By the end of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, licensees need to use their best judgment and conclude their assessment
of whether a given activity is suspicious and must be reported. In accomplishing such assessments, the
licensee may take into account other information, as determined to be relevant by the licensee, associated
with its locale and the local population (e.g., the presence of parks and recreational areas or hunting
seasons), video or surveillance imagery, and discussions with LLEA or other appropriate officials (e.g.,
government officials or campus police). A licensee’s actions in gathering additional information or
conducting discussions with LLEA or others are not considered, in and of themselves, to constitute a
conclusion that an activity is suspicious.
The intelligence-collection value of a SAR to law enforcement is perishable; therefore, a
licensee’s timely submission is more important than a detailed assessment to determine whether a
potential activity is suspicious. Accordingly, the NRC staff recommends that licensees should err on the
side of prompt reporting of activities that initially appear to be suspicious. Suspicious activity reporting is
not part of the NRC’s performance monitoring program, nor is a retraction required for an activity that is
subsequently determined not to be suspicious. Licensees face no consequences for submitting a report that
is later determined not to be a suspicious activity. The regulations in 10 CFR 73.1215(c) do not require a
licensee to report an activity that the licensee assesses is innocent or innocuous.
Retraction of Invalid Reports Not Required
A licensee is not required to retract a suspicious activity report when the licensee subsequently
discovers that the activity reported is not suspicious. Licensees will not face any consequences or
penalties for reporting an activity that is subsequently determined not to be suspicious.
Elimination of Duplication
Certain activities may be both a suspicious activity and a physical security event. A suspicious
activity that requires the licensee to make a physical security event notification pursuant to
10 CFR 73.1200 does not need to also be reported as a suspicious activity under 10 CFR 73.1215(c).
RG 5.87, Revision 1, Page 7
Certain activities may be both a suspicious activity and an information security event. A licensee
is not required by 10 CFR 73.1215(f) to report a suspicious activity involving conspiracies to obtain or,
actual or attempted efforts by unauthorized individuals to obtain RD, communicate RD, remove RD, or
disclose RD if the suspicious activity is also required to be reported pursuant to 10 CFR 95.57.
Additionally, under 10 CFR 73.1215(c)(1)(iii), if a suspicious activity report subsequently results
in a LLEA response then the licensee must notify the NRC of the event pursuant to
10 CFR 73.1200(e)(3), if the LLEA response could reasonably be expected to result in public or media
inquiries to the NRC. Licensees should refer to RG 5.62 for further guidance on such a notification.
Reporting Timeliness and Order of Precedence
The regulations in 10 CFR 73.1215(c) requires a licensee (or a licensee’s movement control
center for shipping activities) to report suspicious activities applicable to their NRC-licensed facility,
material, or shipping activity as soon as possible, but within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> of the time of discovery in the
following order:
1. First, to the applicable LLEA;
Notes: The applicable LLEA refers to the agency with jurisdiction over the NRC-licensed
facility or material.
For licensees located on a college campus, the applicable LLEA refers to a city or
county police department or a sheriff’s department and may also refer to a campus
police department, depending on jurisdiction. If campus police have jurisdiction over
the site, then licensees may also report the suspicious activity to the local off campus
police department, as appropriate.
For shipping activities, the applicable LLEA refers to the agency with jurisdiction
over the physical location where the suspicious activity occurred.
2. Second, to the applicable FBI local field office;
Note: See Staff Regulatory Guidance position 4 for further guidance on determining the
applicable FBI local field office for reporting suspicious activities for shipping
activities.
3. Third, to the NRC Headquarters Operations Center;2
and
4. Lastly, to the applicable local FAA control tower if the suspicious activity involves aircraft
overflights in proximity to the licensee’s facility.
Notes: The requirement to report suspicious aircraft activities to the applicable local FAA
control tower applies only to NRC-licensed facilities and materials subject to
Additional guidance on the applicable local FAA control tower and contact
information is found in Appendix A, Section A-2.1 of this RG.
2 Contact information for the NRC Headquarters Operations Center is found in Table 1 of Appendix A to 10 CFR Part 73.
Under 10 CFR 73.1215(c)(2), a licensee must promptly assess whether an activity is suspicious.
However, in completing the assessment process, a licensee may wish to review additional information to
assess whether the activity is suspicious, including interacting with LLEA. When conducting its
assessment, a licensee may contact its applicable local FAA control tower to obtain additional
information on potentially suspicious aircraft activity. If, during this call, the licensee concludes that the
aircraft activity is suspicious, then the licensee may immediately notify the FAA of that conclusion and
then return to the standard order of precedence for the remainder of the reporting.
In establishing a point of contact with an applicable local FAA control tower under
10 CFR 73.1215(c)(5)(ii), the licensee should request that the FAA specify the local control tower most
appropriate to the licensee’s location and airspace considerations as the best point of contact.
Applicability to Specific Facilities, Materials, and Shipping Activities
The suspicious activity reporting requirements in 10 CFR 73.1215 apply to a broad range of
NRC-licensed facilities, materials, and shipping activities that are subject to the physical security program
requirements in 10 CFR Part 73. However, certain specific suspicious activity reporting requirements may
only be applicable to a particular class of facilities, materials, or shipping activities. The NRC staff is
providing the following information regarding the applicability of specific provisions in 10 CFR 73.1215.
1. The requirements in 10 CFR 73.1215(d) apply to licensees that are subject to the following
regulations:
a. 10 CFR 73.20, “General performance objective and requirements”;
b. 10 CFR 73.45, “Performance capabilities for fixed site physical protection systems”;
c. 10 CFR 73.46, “Fixed site physical protection systems, subsystems, components, and
procedures”;
d. 10 CFR 73.50, “Requirements for physical protection of licensed activities”;
e. 10 CFR 73.51, “Requirements for the physical protection of stored spent nuclear fuel and
high-level radioactive waste”;
f. 10 CFR 73.55, “Requirements for physical protection of licensed activities in nuclear
power reactors against radiological sabotage”;
g. 10 CFR 73.60, “Additional requirements for physical protection at nonpower reactors”;
and
h. 10 CFR 73.67, “Licensee fixed site and in-transit requirements for the physical protection
of special nuclear material of moderate and low strategic significance.”
These regulations affect the following:
a. Facilities authorized to possess Category I, Category II, or Category III quantities of
SSNM;
b. Facilities authorized to possess Category II or Category III quantities of SNM;
RG 5.87, Revision 1, Page 9
Notes:
• Under the exemption in 10 CFR 73.1215(d)(2)(i), NRC licensees who are subject to
10 CFR 73.67 and who are engaged in the enrichment of uranium using RD
information, technology, or materials, are not subject to the reporting requirements of
10 CFR 73.1215(d). This applies to licensees who are engaged in enrichment and
who are authorized to only possess either Category II or Category III quantities of
SSNM or Category II or Category III quantities of SNM. However, licensees
engaged in such enrichment activities are subject to the reporting requirements of
• Under the exemption in 10 CFR 73.1215(d)(2)(ii), NRC licensees who are subject to
10 CFR 73.67 and who are engaged in the fabrication of new fuel assemblies are not
subject to the reporting requirements of 10 CFR 73.1215(d). This applies to licensees
who are engaged in the fabrication of new fuel assemblies and who are authorized to
only possess either Category II or Category III quantities of SSNM or Category II or
Category III quantities of SNM.
• Under the exemption in 10 CFR 73.1215(g)(1), NRC or Agreement State licensees
who are subject to 10 CFR 73.67 and who are authorized to possess a Category III
quantity of SSNM, where the total quantity of SSNM is limited to less than the
critical mass limit specified in 10 CFR 150.11(a) are not subject to the reporting
requirements of 10 CFR 73.1215. This exception includes a licensee who is
authorized to possess a total quantity of SSNM greater than 15 grams (g) but is less
than 350 g of U-235 (enriched to 20 percent or greater in U-235), less than 200 g of
U-233, less than 200 g of Pu, or less than any combination of these three nuclides
using the following unity formula.
ቈቆ
𝑔𝑟𝑎𝑚𝑠 𝑈ଶଷହ
350 ቇ + ቆ
𝑔𝑟𝑎𝑚𝑠 𝑈ଶଷଷ
200 ቇ + ൬
𝑔𝑟𝑎𝑚𝑠 𝑃𝑢
200 ൰ ≤ 1.0
c. Hot cell facilities (for examination of irradiated SNM and SNF);
d. Independent spent fuel storage installations (ISFSIs) (both general license and specific
license ISFSIs);
e. Monitored retrievable storage installations;
f. Geologic repository operations areas; and
g. Production and utilization facilities licensed under 10 CFR 50.21 and 10 CFR 50.22
(including both operating and decommissioning production reactors, power reactors, and
non-power reactors).
Note: The terms “production facility” and “utilization facility” have the same meanings
given these terms in 10 CFR 50.2, “Definitions.”
2. The regulations in 10 CFR 73.1215(d) apply to:
RG 5.87, Revision 1, Page 10
a. Licensees that are engaged in the enrichment of SNM, using RD technology, equipment, or
materials where the licensee is authorized to enrich and/or possess Category I quantities of
SSNM.
b. Licensees of utilization facilities (power reactors and non-power reactors) that have
permanently ceased operations, provided that the licensee still has SNF stored within the
reactor facility. However, once the licensee has transferred all of its SNF from their spent fuel
pool to an offsite facility or to an ISFSI, and that reality is reflected in the licensee’s revised
physical security plan, then the licensee may no longer report suspicious activities related to
the reactor facility.
3. The requirements in 10 CFR 73.1215(e) are applicable to licensees engaged in the transportation of
radioactive and nuclear materials and who are also subject to the following regulations:
a. 10 CFR 73.20, “General performance objective and requirements”;
b. 10 CFR 73.25, “Performance capabilities for physical protection of strategic special
nuclear material in transit”;
c. 10 CFR 73.26, “Transportation physical protection systems, subsystems, components,
and procedures”;
d. 10 CFR 73.27, “Notification requirements”; and
e. 10 CFR 73.37, “Requirements for physical protection of irradiated reactor fuel in transit.”
These regulations affect licensees engaged in the following shipping activities:
a. The transportation of Category I quantities of SSNM;
b. The transportation of SNF; and
c. The transportation of HLW.
Notes:
• The regulations in 10 CFR 73.1215(e) do not apply to licensees who are subject to 10
CFR 73.67 and who are engaged in the transportation of unirradiated Category II or
Category III quantities of SSNM or Category II or Category III quantities of SNM.
• However, the regulations in 10 CFR 73.1215(e) do apply to licensees who are subject
to 10 CFR 73.67 and who are engaged in the transportation of SNF under 10 CFR
73.37 (e.g., a non-power reactor shipping SNF).
4. The requirements in 10 CFR 73.1215(f) are applicable to licensed facilities subject to 10 CFR 73.67
that are engaged in the enrichment of SNM using RD technology, equipment, or materials. These
licensees include the following:
a. Fuel cycle facilities that are authorized to enrich SNM to Category II or III quantity
levels.
5. 10 CFR 73.1215 (g)states, Suspicious activities—exemptions.
(1) Licensees subject to § 73.67 who possess strategic special nuclear material in quantities
greater than 15 grams but less than the quantity necessary to form a critical mass, as
specified in § 150.11(a) of this chapter, are exempt from the provisions of this section.
(2) The following licensees are exempt from the provisions of this section:
(i) Docket number 70–7020; and (ii) Docket number 70–7028
6. Certain facilities, materials, and shipping activities are not subject to the physical security program
requirements in 10 CFR Part 73. Therefore, these facilities, materials, and shipping activities are also
not subject to the suspicious activity reporting requirements in 10 CFR 73.1215. Consequently, this
guide does not apply to the following classes of facilities, materials, and shipping activities:
a. NRC-licensed or Agreement State-licensed facilities, materials, and activities that involve
the production, use, storage, and transportation of byproduct materials that are subject to
the requirements of 10 CFR Part 37, “Physical Protection of Category 1 and Category 2
Quantities of Radioactive Material” (Ref. 13). These 10 CFR Part 37 licensees are subject
to a separate suspicious activity reporting requirement found in 10 CFR 37.57,
“Reporting of Events.”
b. NRC-licensed or Agreement State-licensed facilities, materials, and activities that involve
the production, use, storage, conversion, deconversion, and transportation of source
materials that are subject to the requirements of 10 CFR Part 40, “Domestic Licensing of
Source Material” (Ref. 14).
Applicants for a License or Construction Permit Holders
Suspicious activity reporting requirements apply to licensees as that term is defined in
10 CFR 50.2, “Definitions.” The term license is broadly defined in 10 CFR 50.2. These reporting
requirements do not apply to an applicant for a license as that term is defined in 10 CFR 50.2.
Notification Process
Under 10 CFR 73.1215, licensees are required to report suspicious activities involving facilities,
material, and shipping activities to the applicable LLEA. This LLEA would typically have jurisdiction
over the physical location of the facility or material. For shipments this would be the physical location of
the shipment when the suspicious activity occurred. If a licensee has an existing LLEA point of contact,
then the licensee should confirm if this LLEA point of contact is also appropriate for receiving reports of
suspicious activities. If not appropriate, then the licensee should coordinate with the LLEA to update its
point of contact. For reports of suspicious activities for shipments, the appropriate LLEA contact phone
numbers along the shipment route are specified in the NRC-reviewed route approval document (e.g., a
state police force communications center).
Under 10 CFR 73.1215(c), licensees that are required to report suspicious activities must
establish a point of contact with the applicable FBI local field office. The applicable FBI local field office
should be based on the geographic location of the licensee’s facility or material. A list of the FBI’s local
field offices is available on the FBI’s Web site at https://www.fbi.gov/contact-us/field-offices.
For a licensee that uses a third-party movement control center to monitor shipments, the licensee
may also elect to have movement control center report suspicious activities to the applicable LLEA, FBI
local field office, and subsequently the NRC. Licensees involved in shipping activities or movement
control centers employed to monitor licensee shipments must establish a point of contact with the
appropriate FBI local field office.
RG 5.87, Revision 1, Page 12
Note: A licensee or its movement control center should refer to Staff Regulatory Guidance
position 4 to determine the most appropriate FBI local field office with which to establish
a point of contact for shipping activities.
A good practice for a licensee or its movement control center employed to monitor shipping
activities is to also establish a preferred communications method to use with the appropriate FBI local
field office (e.g., voice, fax, or electronic message).
After reporting a suspicious activity to the FBI, a licensee, or a movement control center, as
applicable, must report the suspicious activity to the NRC Headquarters Operations Center. The NRC
may be reached by telephone 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> a day at the telephone numbers found in Table 1 of “Appendix A
to Part 73–U.S. Nuclear Regulatory Commission Offices and Classified Mailing Addresses.”
Under 10 CFR 73.1215(c), licensees that are subject to 10 CFR 73.1215(d) are required to report
suspicious aircraft activities to the licensee’s applicable local FAA control tower. Consistent with
10 CFR 73.1215(c)(5)(ii), licensees must establish a point of contact with the applicable local FAA
control tower. See Appendix A, Section A-2.1, of this RG for further guidance regarding the applicable
local FAA control tower. The NRC staff recommends as a good practice that a licensee should, based
upon discussions with the FAA, also establish a preferred communications method to use with their
applicable local FAA control tower.
Under 10 CFR 73.1215(c)(8) a licensee or its movement control center must document any LLEA
or FBI point of contact information for reporting suspicious activities in their written security
communication procedures or route approval documents. A licensee must document any FAA contact
information in written communications procedures.
Licensees should report watercraft entries into posted areas to the applicable law enforcement
agency, e.g., U.S. Coast Guard, State Departments of Conservation, or State Department of Natural
Resources. Licensees should treat the activity in the same way that they would report a suspicious activity
to the LLEA. However, licensees are not required to report unauthorized personnel inside of posted areas
that do not have a direct nexus to facility safety (e.g., entry into a circulating cooling water discharge
canal cascade that is located a distance from the facility and is posted as “Danger—No Entry” (because of
personnel safety concerns)).
Consideration of International Standards
The International Atomic Energy Agency (IAEA) works with member states and other partners to
promote the safe, secure, and peaceful use of nuclear technologies. The IAEA develops Safety
Requirements and Safety Guides for protecting people and the environment from harmful effects of
ionizing radiation. This system of safety fundamentals, safety requirements, safety guides, and other
relevant reports, reflects an international perspective on what constitutes a high level of safety. To inform
its development of this RG, the NRC considered IAEA Safety Requirements and Safety Guides pursuant
to the Commission’s International Policy Statement (Ref. 15), and Management Directive and
Handbook 6.6, “Regulatory Guides” (Ref. 16). The NRC staff did not identify any IAEA Safety
Requirements or Guides with information related to the topic of this RG.
RG 5.87, Revision 1, Page 13
C. STAFF REGULATORY GUIDANCE
1. General Guidance on Assessing What Constitutes a Suspicious Activity
Licensees have the best knowledge and understanding of their facilities and the local population
and environment in which their facilities are situated. The NRC staff views licensees as best positioned to
assess whether wrong, abnormal, or unusual activities or behaviors are actually suspicious relative to their
facility, material, or activity and, therefore, warrant reporting. Similarly, the NRC staff also views
licensees as best positioned to assess whether the activity or behavior is innocent or innocuous and does
not warrant reporting. Therefore, licensees should use their experience and a broad perspective in
evaluating an activity and based on this experience and perspective report as suspicious any activity that
they consider wrong, abnormal, or unusual. The NRC staff recommends that licensees apply an overall
philosophy regarding the reporting of suspicious activities that is best reflected by the U.S Department of
Homeland Security’s (DHS’s) campaign message, “If You See Something, Say Something®.”
To reduce unnecessary burden on licensees, the NRC has structured the suspicious activity
reporting requirements and this supporting guide to provide licensees with flexibility to use their best
judgment to determine if an activity appears suspicious. Consequently, a licensee should consider
locality-specific information when assessing whether an activity is suspicious. This can include the locale
surrounding the facility, the local population, and other individual circumstances (e.g., the presence of
recreational areas or activities such as hunting, fishing, and hiking) in its surroundings. For example, what
“Licensee A” considers to be a suspicious activity at a research reactor located on a college campus in a
large urban city may differ significantly from what “Licensee B” considers to be a suspicious activity for
similar circumstances at an operating power reactor site located on a 5,000-acre rural complex next to a
recreational lake. A licensee may gather additional information, review electronic records, or
communicate with its LLEA to assess whether an activity is suspicious. However, in gathering such
information and conducting an assessment, NRC staff notes that law enforcement has indicated that
receiving reports of suspicious activity within 60 minutes of the time of discovery provides the greatest
potential for their effective use of this information. Consistent with 10 CFR 73.1215(c)(2)(i), the
assessment of the activity, to include interactions with LLEA, must be completed within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> of the
Given the subjective nature of such assessments, the NRC staff intends to defer to the licensee’s
conclusions as to whether an activity is suspicious. Consequently, the NRC will focus its oversight
actions regarding this regulation on whether a licensee has implemented the programmatic aspects of
10 CFR 73.1215 (e.g., establishing points of contact, documenting this information in communications
procedures, and training responsible personnel on this information). The NRC’s oversight process will not
typically focus on a licensee’s substantive conclusion regarding the assessment of a potentially suspicious
activity.
A good practice for licensees or applicable movement control centers is to consider including any
point of contact information and preferred communication method for reporting suspicious activities in
their security communication procedures or route approval document. This information should include
LLEA, FBI, and FAA contact information, as applicable. Licensees or applicable movement control
centers should include this written contact information in periodic training for personnel responsible for
making such reports (e.g., security managers, alarm station operators, facility operators, or shipment
monitors).
RG 5.87, Revision 1, Page 14
The NRC has included the following definition of “time of discovery” to 10 CFR 73.2,
“Definitions,” to clarify timeliness goals for both physical security event notifications under
10 CFR 73.1200 and suspicious activity reporting under 10 CFR 73.1215.
Time of discovery means the time at which a cognizant individual observes, identifies, or
is notified of a security-significant event or condition. A cognizant individual is considered
anyone who, by position, experience, and/or training, is expected to understand that a
particular condition or event adversely impacts security.
Licensees have broad flexibility regarding the positions and numbers of individuals that are
identified and trained as a cognizant individual authorized to make a time of discovery determination. The
NRC recommends as a good practice that a license specify in its implementing procedures the personnel
who are considered a “cognizant individual” and can make a time of discovery determination under
3. Priority of Timely Reporting versus Accuracy of Assessment
The NRC recognizes that a licensee’s assessment of whether an activity is suspicious may involve
complexities and unknowns. The purpose of the suspicious activity reporting requirement is to have
licensees report in a timely manner any activities that they determine are suspicious, even if the activity is
subsequently determined to be innocent. Therefore, the NRC considers the timely reporting of a
suspicious activity based on a reasonable assessment of the circumstances to have greater value than
making a definitive determination that the activity is actually associated with some potentially malevolent
intent. Under 10 CFR 73.1215(c), the NRC allows a licensee up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> to assess and report a
suspicious activity. Consequently, licensees should not delay reporting a suspicious activity to gather
more information or complete a more thorough assessment beyond the 4-hour timeliness requirement.
4. Applicable FBI Local Field Office for Shipping Activities
For licensees engaged in shipping activities specified under 10 CFR 73.1215(e), the location of
the applicable FBI local field office to report suspicious activities may vary. For example, the originating
licensee may be responsible for monitoring the shipment or the receiving licensee may be responsible for
monitoring the shipment. Consequently, the applicable FBI local field office may be located nearest to the
monitoring facility. Alternatively, the licensee may use a transportation contractor or a third-party entity
to perform the functions of a movement control center. Consequently, the applicable FBI local field office
may be located nearest to the movement control center. Any contractual agreements between the licensee
and the movement control center and the associated security plans to transport radioactive or special
nuclear material should clearly delineate responsibility for reporting suspicious activities. The licensees
should discuss such considerations with the FBI when establishing the points of contact for reporting
suspicious activities that involve shipping activity.
5. Examples of Suspicious Activity
The regulations in 10 CFR 73.1215(d), (e), and (f) identify several broad categories of activities
that licensees should assess as potentially suspicious depending upon the type of facility or activity. The
NRC staff have developed the following examples and/or clarifications of these broad categories to assist
a licensee or its movement control center in assessing whether a particular activity is suspicious.
RG 5.87, Revision 1, Page 15
When a licensee uses a movement control center to monitor shipments, the movement control
center may report suspicious activity (as specified in 10 CFR 73.1215(e)) on behalf of the licensee. In
such circumstances, the guidance, examples, and direction contained in Section C of this RG applying to
licensees may also be used by a movement control center. Suspicious activities may target a movement
control center itself or the personnel supporting a movement control center’s operation, rather than just
the ongoing or future shipments that the movement control center is monitoring. In such circumstances,
the movement control center should report such suspicious activities against itself using the process
specified in 10 CFR 73.1215(c).
5.1 Elicitation of Sensitive Non-Public Information
Elicitation refers to a process used by individuals to gather classified or sensitive non-public
information through their interactions with people. Such information can be extracted knowingly or
unknowingly (e.g., through casual conversations).
(1) For facilities: Elicitation may be used to gain access to information on security programs,
emergency response programs, or sensitive design details associated with protection of the
facility or material.
(2) For shipments: Elicitation may be used to gain access to information on security programs,
emergency response programs, or sensitive design details associated with security programs,
emergency response programs, shipment routes, safe-haven locations, or other sensitive
design details associated with protection of the shipment (e.g., immobilization devices).
(3) For enrichment facilities with RD technology, information, or materials: Elicitation may be
used to gain access to information on security programs associated with the facility’s
protection of the RD technology, or information, or materials.
Note: If the elicitation activities shift from the security measures protecting the RD
technology, information, or materials to the RD information itself, then the licensee
should refer to Staff Regulatory Guidance position 6.
(4) Licensees should consider that knowledgeable personnel are more likely to be the target of
elicitation. Such personnel typically have the greatest access to and knowledge of a licensee’s
sensitive non-public information. Such personnel should include individuals in the licensee’s
insider mitigation or human reliability programs and persons with detailed knowledge of the
licensee’s security programs or emergency response programs, response actions, or
vulnerabilities. However, licensees should also be aware that adversaries often attempt to
elicit information from less knowledgeable personnel in order to compile (or aggregate)
sensitive non-public information on a licensee’s facility or activities.
(5) Licensees should consider elicitation activities directed at obtaining sensitive non-public
information as a suspicious activity. This is especially true where the elicitation activity
involves illegal or questionable activities.
(6) Elicitation may include: an offer of tangible material goods (i.e., quid pro quo acts), such as
cash payments, illegal drugs, illegal pornography, credit line towards gambling, debt
repayment, expensive meals, expensive vacations or travel, or sexual favors, in exchange for
sensitive non-public information; or intangible acts, such as extortion, blackmail, or threats of
physical violence directed against the individual or their family members.
RG 5.87, Revision 1, Page 16
(7) Licensees may receive requests for sensitive non-public information from individuals. In
considering whether these requests are suspicious, a licensee may take into account the nature
of the relationship with the questioner, the degree of specificity or probing in the questions,
and whether repeated attempts are made to obtain the information. A licensee may consider
repeated attempts by the same individual to obtain sensitive non-public information, after
such requests have been denied by the licensee, as potentially suspicious activity. A licensee
may wish to consider the legitimate role played by members of the press and other media in
gathering information for the public when determining if such questioning is a potentially
suspicious activity. Similarly, a licensee may consider the circumstances surrounding an
information request from a vendor (supplier) when determining if the inquiry is a potentially
suspicious activity.
5.2 Challenges to Licensee’s Security Systems and Procedures - Facilities
Licensees should be aware that adversaries may initiate activities to challenge a licensee’s
security systems or response procedures. Adversary activities that challenge a licensee’s security systems
or response procedures are typically intended to assess a licensee’s response to an abnormal security
situation. Such activities may be significant enough to warrant the licensee’s initiation of security
response functions, protocols, or contingency response procedures. In such instances, a licensee should
make any notifications required by 10 CFR 73.1200. If a physical security event notification is not
required, a licensee may consider whether this activity should instead be reported as a suspicious activity.
The NRC staff is providing the following examples of some activities challenging a licensee’s
security systems or response procedures that a licensee may consider assessing as a potentially reportable
suspicious activity.
(1) Apparent willful, deliberate, or aggressive attempts to not follow facility traffic control
directions or stop at traffic control or security control checkpoints or control points.
(2) Unauthorized entry of personnel or watercraft into posted off-limit areas (e.g., near cooling
water intake structures).
(3) Individuals entering posted off-limit areas in watercraft and then fail to exit when directed by
security personnel.
(4) Unauthorized tests or challenges of security screening, detection, and assessment systems.
This reporting applies to both interior and exterior security systems.
An event that involves human performance errors is not required to be reported as a suspicious
activity. A licensee may exercise discretion for an event that involves individuals that appear to be lost or
inebriated.
5.3 Preattack Surveillance or Reconnaissance - Facilities
Preattack surveillance or reconnaissance activities are typically intended to assess a licensee’s
physical layout for a facility, as well as the arrangement, coverage, and implementation of intrusion
detection, monitoring, and assessment systems. Such activities may include surface, subsurface, and aerial
events and may occur from within public areas adjacent to the facility or within restricted or posted areas.
Additionally, although such activities are typically conducted external to the facility, reconnaissance
activities may also occur internally, such as at the facility or its personnel screening systems (e.g., during
tours or visits). Preattack activities can be differentiated from operational surveillance activities
RG 5.87, Revision 1, Page 17
(i.e., those surveillance activities directly related to actual or imminent hostile actions). Licensees
experiencing surveillance that may be indicative of imminent hostile actions (e.g., where a licensee
implements a change in its protective response status) should refer to Regulatory Guide 5.62 regarding
physical security event notifications.
5.3.1 Potentially Reportable Examples
The NRC staff is providing the following examples of some activities a licensee may consider
assessing as a potentially reportable suspicious activity. These examples are not exhaustive.
(1) Observed pre-operational surveillance, reconnaissance, or intelligence gathering activity from
within posted or restricted areas (i.e., non-public areas).
(2) Individuals entering or loitering in areas immediately adjacent to the licensee’s facility. For
example, individuals loitering in unposted areas outside of a nonpower reactor located within
a multiuse building on a college campus in a large metropolitan area may not raise the same
concern as individuals loitering outside of a power reactor site within a 2,000-acre rural
complex.
(3) Individuals taking photographs or videos from public areas adjacent to the licensee’s facility.
(4) Individuals taking photographs or videos from non-public areas immediately adjacent to their
facility (e.g., within the owner-controlled area), regardless of whether an area is posted as not
permitting photography. Individuals taking unauthorized photographs or videos from inside
the facility.
(5) Unauthorized aerial overflights by unmanned aerial systems (UAS) or low flying or circling
manned aircraft overflights of a licensee’s facility, even if space is not specially designated
by FAA.
(6) Unauthorized aerial overflights by UAS over a licensee’s facility when the FAA has
designated the airspace under 14 CFR 99.7, “Special security instructions” (Ref. 17).
Note: See Appendix A, Section A-5, of this RG for further discussion of restricted airspace.
5.3.2 Potentially Not-Reportable Examples
The NRC staff is also providing the following examples of some activities that a licensee may not
consider as suspicious activity. These examples are not exhaustive.
(1) Recording of information for normal work activities would not be indicative of potential
preoperational surveillance, reconnaissance, or intelligence-gathering activities. Similarly,
recording information on work activities in a personal diary would not necessarily be
indicative of potential preoperational surveillance, reconnaissance, or intelligence-gathering
activities.
(2) Photographs by members of a tour group at locations where the licensee has authorized
photography.
(3) Planned aerial overflights supporting licensee transmission line monitoring or maintenance,
emergency preparedness planning, emergency preparedness exercises, emergency response
RG 5.87, Revision 1, Page 18
events, and thermal imaging or radiation survey studies. Licensees should coordinate such
flights with the FAA if the airspace over their facility has been designated by the FAA as
restricted airspace.
(4) Planned aerial overflights conducted by State or Federal agencies or their contractors or other
external entities that have coordinated their flights in advance with the licensee.
5.4 Challenges to Communication Systems or Security Systems - Shipping
Challenges to a licensee’s communication or security systems are typically intended to assess the
ability of a licensee or a movement control center to evaluate an abnormal security situation and then to
observe responses by personnel and any implementation of contingency response procedures or protocols.
The NRC staff is providing the following examples of activities a licensee may consider assessing
as a potentially reportable suspicious activity.
(1) Attempted challenges to transport vehicle security systems, vehicle communication or
position monitoring systems, immobilization systems, or transportation package security
systems.
(2) Attempted challenges involving the testing of response capabilities of protective forces or
escort personnel.
(3) Attempted challenges to a movement control center’s shipment position monitoring or
communications systems.
5.5 Interference with or Harassment of an Ongoing Shipment
Consistent with 10 CFR 73.12115(e)(1(iii), licensees must report suspicious activities involving
interference with or harassment of an ongoing shipment.
The NRC staff is providing examples of some activities a licensee may consider assessing as a
potentially reportable suspicious activity.
(1) Blocking or harassing a shipment’s transport or escort vehicles.
(2) Interfering with the safe operation of a shipment’s transport or escort vehicles.
(3) Pouring or throwing biologic material (e.g., blood) or simulants (e.g., red paint or water) onto
a transportation package.
5.6 Preattack Surveillance or Reconnaissance - Shipment
Preattack surveillance or reconnaissance of shipments typically occurs in the public domain away
from the licensee’s facility. Consequently, adversaries may choose both the time and location for such
activities. Preattack surveillance or reconnaissance activities are typically intended to assess a licensee’s
ongoing (i.e., actual) shipments and the security and communication systems used for such shipments. In
addition, for extended shipping campaigns, the use of the same routes or schedules increases the
vulnerability of these shipments to adversaries conducting pattern analysis or traffic analysis to identify
potential points of greatest vulnerability or of highest exploitability.
RG 5.87, Revision 1, Page 19
Preattack activities are differentiated from operational surveillance activities (i.e., those directly
related to actual or imminent hostile actions). Licensees should refer to Regulatory Guide 5.62 regarding
actual or imminent hostile actions.
The NRC staff is providing examples of some activities a licensee may not consider as a
suspicious activity.
(1) Individuals entering or loitering in public areas immediately adjacent to a temporarily
stopped shipment (e.g., at a truck stop, interstate highway rest areas, or weigh scales).
(2) Individuals photographing or video recording of shipments or shipment vehicles from public
areas (e.g., “train spotting” activities).
5.7 Aggressive Actions to Gather Information - Enrichment Facilities
Category II or Category III SNM enrichment facilities subject to 10 CFR 73.67 are also subject to
the suspicious activity reporting requirements of 10 CFR 73.1215(f) with respect to their RD information,
technology, or materials.
Accordingly, the NRC staff is providing examples of some activities a licensee may consider
assessing as a potentially reportable suspicious activity.
(1) Consistent with 10 CFR 73.1215(f)(1), licensees must report suspicious activities involving
aggressive noncompliance with visitor restrictions during onsite visits or tours, including but
not limited to the following:
(a) Willful unauthorized departure from a tour group, or
Note: As a good practice, a licensee may wish to apply a separation criterion from an
escort of no more than 5 minutes time or 7 meters (23 feet) distance, if not within
the escort’s line-of-sight.
(b) Willful entry into unauthorized areas or into 10 CFR Part 95 security areas.
(c) Persistent, aggressive, or detailed questions by visitors or tour groups or significant
unauthorized behavior by visitors or tour groups.
Note: For example, persistent questioning following a licensee’s initial reply that the
information is non-public or sensitive and, therefore, cannot be discussed. The
NRC staff considers persistent questioning to be different from mere curiosity by
visitors or tour groups.
Such activities, especially by foreign national visitors, may also be potentially
indicative of attempted espionage activities. (See also Staff Regulatory Guidance
position 6)
(2) Licensees should be aware that official foreign visitors and joint research efforts may be
exploited by foreign government organizations, including their intelligence services, to target
and collect sensitive information. This may include official visits to facilities, as well as joint
research projects between foreign entities and U.S. licensees.
RG 5.87, Revision 1, Page 20
6. Potential Prohibited Activities Involving Restricted Data
Licensees are required under 10 CFR 95.57(a) to report alleged or suspected activities where
unauthorized personnel obtain, attempt to obtain, or conspire to obtain RD, communicate RD, remove
RD, or disclose RD. Consistent with 10 CFR 73.1215(f)(2)(ii), licensees are not required to report
suspicious activities that were reported separately under the requirements of 10 CFR 95.57(a) or (b).
Licensees have the discretion to notify their local FBI field office regarding the unauthorized introduction
of electronic devices or recording media at RD facilities.
7. Recording the Disposition of Suspicious Activities
The NRC staff suggests as a good practice that licensees may wish to keep a record (e.g., a simple
log) of potential suspicious activities and their disposition (e.g., a description of the activities and whether
the activities were assessed as nonsuspicious or were reported as suspicious). This record may also assist
the licensee in long term tracking or trending of potential suspicious activities.
8. Non-Power Reactor Suspicious Activity Reporting
Licensees of non-power reactors located in college or university campus settings may consider
activities conducted by the campus police force as being part of a licensee’s overall security program
provided that role of the campus police force is adequately described in the facility security plan. For
some non-power reactor licensees located on college or university campus or similar settings (e.g., a
research facility or government installation), LLEA carries out the police functions on the campus. In
other scenarios, the campus police force may carry out all LLEA police functions and responsibilities. In
such cases, suspicious activity reports provided to the campus police force would constitute notification to
LLEA. In cases where the campus police force does not carry out LLEA police functions and
responsibilities, reports to the campus police would not comply with the requirement to report suspicious
activities to LLEA. A licensee that requests a response by campus police forces for minor matters
(e.g., illegal parking or loitering) does not need to consider these as suspicious activities and, therefore, do
not require a report under 10 CFR 73.1215. The licensee should also follow the guidance contained in
Section B above regarding reports of suspicious activity to the FBI and the NRC.
9. Discontinue Use of Previous Guidance IA-04-08
Licensees that are subject to the requirements of 10 CFR 73.1215 should use this regulatory
guide. Additionally, such licensees should discontinue using the NRC’s previous guidance on reporting
suspicious activities contained in Information Assessment Team Advisory (IA)-04-08, “Reporting
Suspicious Activity Criteria,” dated October 5, 2004.
10. DHS and FBI Guidance on Suspicious Activity Reporting
The DHS and the FBI have issued separate guidance and information bulletins on suspicious
activity reporting. Some previous examples of such guidance include:
(1) DHS and FBI, “Suspicious Activity Reporting Criteria for Infrastructure Owners and
Operators,” dated August 3, 2004,
(2) DHS, Information Bulletin HQ-006-1B-2015, “(U) Suspicious Activity Reporting,” dated
May 7, 2015.
RG 5.87, Revision 1, Page 21
Such guidance is typically not publicly available, and the NRC staff is not aware if such guidance
has been superseded by more current guidance. The NRC is not requiring licensees to use such guidance
to comply with the requirements of 10 CFR 73.1215. However, licensees wishing to access DHS or FBI
guidance should contact the DHS or the FBI directly to request access to these documents or other current
suspicious activity reporting guidance.
RG 5.87, Revision 1, Page 22
D. IMPLEMENTATION
The NRC staff may use this regulatory guide as a reference in its regulatory processes, such as
licensing, inspection, or enforcement. The NRC staff does not expect or plan to require the use of this
regulatory guide. However, should the NRC determine to require the use of this regulatory guide, such an
imposition would not constitute backfitting, as that term is defined in 10 CFR 50.109, “Backfitting,”
10 CFR 70.76, “Backfitting,” or 10 CFR 72.62, “Backfitting”; affect the issue finality of an approval
issued under 10 CFR Part 52, “Licenses, Certifications, and Approvals for Nuclear Power Plants”; or
constitute forward fitting, as that term is defined in NRC Management Directive 8.4, “Management of
Backfitting, Forward Fitting, Issue Finality, and Information Requests” (Ref. 18), because reporting
requirements are not included within the scope of the NRC’s backfitting or issue finality rules or forward
fitting policy.
RG 5.87, Revision 1, Page 23
GLOSSARY
assessment An evaluation performed by a licensee to determine whether an event is reportable as
a suspicious activity under the provisions of 10 CFR 73.1215. An assessment may
include review of electronic surveillance records, interviews of individuals, or
discussion with the licensee’s LLEA regarding the circumstances of the event.
cognizant
individual
An individual designated by a licensee who has the requisite experience and/or
training and who is expected to understand that a particular condition or event is a
potentially suspicious activity.
Cognizant
Security Agency
(CSA)
The term Cognizant Security Agency has the same meaning as found in 10 CFR 95.5,
“Definitions.”
LLEA A local law enforcement agency that has jurisdiction over the physical location of the
licensee’s facility or the location of an underway shipment.
movement control
center
A movement control center (on behalf of a licensee) maintains position information
during the shipment (i.e., transportation) of SSNM or SNF; receives reports of actual
or attempted attacks, thefts, or sabotage; receives reports of suspicious activity;
notifies and reports any suspicious activities to the NRC and other agencies, as
appropriate; and requests and coordinates aid or response from the appropriate
LLEA, as necessary.
production facility The term production facility has the same meaning as found in 10 CFR 50.2,
“Definitions.”
Restricted Data
(RD)
security area
The term Restricted Data has the same meaning as found in 10 CFR 95.5.
The term security area has the same meaning as found in 10 CFR 95.5.
time of discovery The term time of discovery has the same meaning as found in 10 CFR 73.2. With respect to suspicious activity reporting, the time of discovery begins the 4-hour timeliness requirement for assessing whether an activity is suspicious, and if so, completing the required reports. The time of discovery is determined by a cognizant individual. Consequently, the time of initial identification of a potential suspicious activity to the licensee may be different than the formal time of discovery determination made by a cognizant individual. Time of discovery is also applicable to security event notifications and recordkeeping requirements as discussed in RG 5.62.
These event notifications and recordkeeping requirements are outside the scope of RG 5.87.
UAS Unmanned aircraft systems or uncrewed aerial systems (also known as drones) as defined by the FAA under 14 CFR Part 107 (Ref. 19).
utilization facility The term utilization facility has the same meaning as found in 10 CFR 50.2.
APPENDIX A SUSPICIOUS AVIATION-RELATED ACTIVITIES
This appendix provides further guidance to licensees regarding prior coordination, assessing potentially suspicious aviation-related activities, and reporting of suspicious aviation-related activities with law enforcement, the NRC, and the Federal Aviation Administration (FAA).
A-1. Types of Aircraft
Suspicious aviation-related activities may involve either manned aircraft or unmanned aircraft or uncrewed aerial systems (colloquially referred to as drones) operating over or in proximity to a licensee’s facilities.
A-2. Prior Coordination
Under 10 CFR 73.1215(c)(5)(ii), licensees subject to 10 CFR 73.1215(d) must establish a point of contact with their local FAA control tower. The NRC staff also recommends as a good practice that licensees subject to 10 CFR 73.1215(d) establish a point of contact with any nearby military airfields.
A-2.1 Coordination with the FAA
In 2004, the FAA issued the following Notice to Airmen (NOTAM). This NOTAM advises pilots to avoid not only the airspace above or in proximity to U.S. nuclear power plants, but the notice also includes other key infrastructure facilities. The following is the published language contained in the most current NOTAM:
Flight Data Center (FDC) 4/0811 FDC Special Notice: “This is a restatement of a previously issued advisory notice. In the interest of national security and to the extent practicable, pilots are strongly advised to avoid the airspace above, or in proximity to such sites as power plants (nuclear, hydro-electric, or coal), dams, refineries, industrial complexes, military facilities, and other similar facilities. Pilots should not circle as to loiter in the vicinity over these types of facilities.”
The NRC staff recommends that licensees remain cognizant of changes to NOTAMs that are relevant to their NRC-licensed facility’s location for situational awareness in evaluating potential suspicious activity.
Under 10 CFR 73.1215(c)(3)(iv), licensees must report suspicious activity involving aircraft
overflights in proximity to the licensee’s facility to the local FAA control tower. Under
10 CFR 73.1215(c)(5)(ii), licensees must establish a point of contact with their local FAA control tower.
The NRC is aware that some licensees have already established a point of contact with their local
FAA control tower. The NRC is also aware that some licensees have encountered difficulty in
establishing such points of contact. To address these difficulties, the NRC staff has issued Enforcement
Guidance Memorandum EGM-23-001 (Ref. 20). EGM-23-001 provides direction to NRC staff on
enforcement considerations in instances where a licensee is unable to establish a point of contact with
their local FAA control tower to report suspicious aircraft activities.
Note: The NRC is evaluating the need for rulemaking to permanently resolve the issue of the appropriate FAA locations for reporting suspicious aircraft activities and establishing a point of contact with the FAA.
A-2.2 Coordination with Nearby Military Airfields
Licensees should also establish one or more points of contact with any nearby active-duty or
reserve military airfields, as applicable (e.g., the airfield’s operations center or control tower). This point
of contact can facilitate advance notifications of planned training activities as well as queries of
unplanned low-level, military flights in proximity to or over licensee facilities. For example, some
licensees have experienced overflights due to routine military aerial training exercises that used the
licensee’s facility as a low-level navigation way point. Such planned military aircraft overflights are not
considered suspicious.
A-3. Assessing Potentially Suspicious Aviation-Related Activity
Under 10 CFR 73.1215(c)(2), a licensee must promptly assess whether an activity is suspicious.
However, in completing the assessment process, a licensee may review additional information, including
interacting with LLEA, to assess whether the activity is suspicious. Additionally, for potentially
suspicious aviation-related activity, the licensee may also interact with the applicable local FAA control
tower and/or a nearby military airfield, to assess whether the activity is suspicious. The NRC staff also
recommends that licensees assess as suspicious multiple sightings of the same aviation-related asset,
circling or loitering above or in close proximity to its facilities, or photographing its facilities or
surrounding areas.
If the interaction with the local FAA control tower or military airfield indicates that the aviation-related activity is associated with a municipal, State, or Federal entity, or a contractor for such entities, or
if the FAA indicates that an authorized flight deviation had occurred, then the licensee may assess the
activity as not suspicious. If a licensee assesses that a potentially suspicious aviation-related activity is
suspicious, then the activity should be reported as specified under 10 CFR 73.1215(c)(3).
Moreover, licensees should also exercise judgment in determining whether an aviation-related
activity is suspicious with respect to normal air traffic patterns, proximity of the facility to local airports
and military airfields, the use of rivers and coastal waterways for navigational purposes, local weather
conditions, and other unforeseen local circumstances.
A-4. Reporting of Suspicious Aviation-Related Activity
Licensees subject to 10 CFR 73.1215(d) should report suspicious flight activity above or in close
proximity to their facility as required by 10 CFR 73.1215(c)(3) (see “Reporting Timeliness and Order of
Precedence” under Section B of this RG).
As a good practice, NRC staff recommends that licensee’s reporting of suspicious aviation�related activity include key information, if available, that is of interest to law enforcement and FAA
authorities. The following are examples of key information (listed in no specific order):
- (1) Facility location;
- (2) Flyover location (e.g., owner-controlled area, protected area, cooling tower, power block);
- (3) Date and time of day;
- (4) Duration of flight;
- (5) Number of manned aircraft or UAS;
- (6) Description of manned aircraft or UAS (e.g., size, fixed wing, multirotor);
- (7) Whether or not the manned aircraft or UAS is utilizing any lights;
- (8) Types of maneuvers;
- (9) Pictures and video of the manned aircraft or UAS, if obtained;
- (10) Payload, if observed (e.g., camera, attachments);
- and
- (12) Operator identification, if observed.
The licensee’s use of special photographic or visual sighting equipment may enhance its ability to
capture pertinent identification information more accurately. However, the NRC staff does not consider
such special photographic or visual sighting equipment to be a requirement; rather, it is simply an
enhancement licensee’s may choose to make to facilitate their reporting of suspicious aviation-related
activities.
A-5. Restricted Airspace Designation
In 2018, power reactor industry representatives coordinated with the U.S. Department of Energy
(DOE) to obtain Federal sponsorship for nuclear facilities to petition the FAA for restricted airspace
under 14 CFR 99.7, “Special security instructions.” [2]
The Diablo Canyon Power Plant in California
volunteered to pilot the process for receiving FAA approval for restricted airspace for UAS at commercial
nuclear facilities. The power reactor industry representatives, the DOE, and the FAA developed a process
that all operating reactor sites may use to request these airspace restrictions. On October 28, 2020, Diablo
Canyon received a “National Security” designation for restricted airspace over their facility.
The NRC encourages licensees to voluntarily inform the NRC Headquarters Operations Center of
any requests to the FAA for a restricted airspace designation for its facilities and any action taken by the
FAA in response to such a request. The NRC Headquarters Operations Center may be reached by
telephone 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> a day at the telephone numbers found in Table 1 of “Appendix A to Part 73–
U.S. Nuclear Regulatory Commission Offices and Classified Mailing Addresses.”
REFERENCES5
1 U.S. Code of Federal Regulations (CFR), “Physical Protection of Plants and Materials,” Part 73,
Chapter I, Title 10, “Energy.”
2 CFR, “Domestic Licensing of Production and Utilization Facilities,” Part 50, Chapter I, Title 10,
“Energy.”
3 CFR, “Licenses, Certifications, and Approvals for Nuclear Power Plants,” Part 52, Chapter I,
Title 10, “Energy.”
4 CFR, “Domestic Licensing of Special Nuclear Material,” Part 70, Chapter I, Title 10, “Energy.”
5 CFR, “Licensing Requirements for the Independent Storage of Spent Nuclear Fuel, High-Level
Radioactive Waste, and Reactor-Related Greater Than Class C Waste,” Part 72, Chapter I,
Title 10, “Energy.”
6 CFR, “Facility Security Clearance and Safeguarding of National Security Information and
Restricted Data,” Part 95, Chapter I, Title 10, “Energy.”
7 CFR, “Exemptions and Continued Regulatory Authority in Agreement States and In Offshore
Waters Under Section 274,” Part 150, Chapter I, Title 10, “Energy.”
8 U.S. Nuclear Regulatory Commission (NRC), Regulatory Guide (RG) 5.62, “Physical Security
Event Notifications, Reports, and Records,” Washington, DC.
9 NRC, “Enhanced Weapons, Firearms Background Checks, and Security Event Notifications”
[Final Rule], Federal Register, Vol. 88, No. 49: pp. 15864-15899 (88 FR 15864),
Washington, DC, March 14, 2023.
10 NRC, “Enhanced Weapons, Firearms Background Checks, and Security Event Notifications”
[Proposed Rule], Federal Register, Vol. 76, No. 23: pp. 6200-6245 (76 FR 6200),
Washington, DC, February 3, 2011.
11 NRC, Draft Regulatory Guide (DG)-5019, Revision 1, “Reporting and Recording Safeguards
Events,” Washington, DC, Agencywide Documents Access and Management System (ADAMS)
Accession No. ML100830413.
12 NRC, RG 5.83, “Cyber Security Event Notifications,” Washington, DC.
5 Publicly available NRC published documents are available electronically through the NRC Library on the NRC’s public
website at http://www.nrc.gov/reading-rm/doc-collections/ and through the NRC’s Agencywide Documents Access and
Management System (ADAMS) at http://www.nrc.gov/reading-rm/adams.html. For problems with ADAMS, contact the
Public Document Room staff at 301-415-4737 or (800) 397-4209, or email pdr.resource@nrc.gov. The NRC Public
Document Room (PDR), where you may also examine and order copies of publicly available documents, is open by
appointment. To make an appointment to visit the PDR, please send an email to PDR.Resource@nrc.gov or call 1-800-397-
4209 or 301-415-4737, between 8 a.m. and 4 p.m. eastern time (ET), Monday through Friday, except Federal holidays.
RG 5.87, Revision 1, Page 28
13 CFR, “Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material,”
Part 37, Chapter I, Title 10, “Energy.”
14 CFR, “Domestic Licensing of Source Material,” Part 40, Chapter I, Title 10, “Energy.”
15 NRC, “Nuclear Regulatory Commission International Policy Statement,” Federal Register,
Vol. 79, No. 132: pp. 39415-39418, (79 FR 39415) Washington, DC, July 10, 2014.
16 NRC, Management Directive (MD) 6.6, “Regulatory Guides,” Washington, DC.
17 CFR, “Security Control of Air Traffic,” Part 99, Subchapter F, Chapter I, Title 14, “Aeronautics
and Space.”
18 NRC, MD 8.4, “Management of Backfitting, Forward Fitting, Issue Finality and Information
Requests,” Washington, DC.
19 CFR, “Small Unmanned Aircraft Systems,” Part 107, Subchapter F, Chapter I, Title 14,
“Aeronautics and Space.”
20 NRC, Enforcement Guidance Memorandum (EGM-23-001), “Enforcement Guidance
Memorandum – Interim Guidance for Dispositioning Violations Associated With the Enhanced
Weapons, Firearms Background Checks, and Security Event Notification Rule,”
Washington, DC, December 5, 2023, ADAMS Accession No. ML23312A221.
- ↑ 3 Several Websites are available to aid in identifying aircraft N-numbers. These include: https://www.faa.gov/licenses_certificates/aircraft_certification/aircraft_registry/, https://www.faa.gov/licenses_certificates/airmen_certification/, and http://www.landings.com/ (a non-government website).
- ↑ 4 Unmanned aircraft are prohibited from flying over designated national security sensitive facilities without lawful cause. Operations are prohibited from the ground up to 400 feet above ground level, and this restriction applies to all types and purposes of UAS flight operations, according to the FAA. Licensees conducting UAS flight operations within a restricted airspace above its own facility should discuss this planned operation in advance with their local FAA air traffic control facility.