REAL ID and Access to Nuclear Power Plants

Mark Resner
Senior Security Specialist

October 10 was the deadline for five states to comply with the REAL ID Act of 2005, implementing federal standards for tamper-proof identification documents such as driver’s licenses. According to the Department of Homeland Security, effective Jan. 30, 2017, “nuclear power plants may not accept for official purposes driver’s licenses and state IDs from a noncompliant state/territory without an extension.”

The five states now coming under REAL ID Act enforcement are Kentucky, Maine, Oklahoma, Pennsylvania and South Carolina. They join Minnesota, Missouri and Washington state on DHS’s “non-compliant” list. Several other states have extensions in effect through either June or October of next year, allowing federal facilities to accept their existing identification documents while the states try to come into compliance with the Act’s requirements.

What does this mean for nuclear plants? Will residents of non-compliant states have trouble gaining access to plants?

For the majority of people entering nuclear plants – those who work there – this will have virtually no effect. State-issued IDs such as driver’s licenses are never the sole data point for admitting anyone to a nuclear plant, either a worker or a visitor. Nuclear power plant workers have employee badges issued by their employers following an extensive background and criminal records check, psychological assessments, and drug and alcohol testing.

Visitors are generally known in advance of their arrival, screened through the industry database against a list of individuals who would be denied access, approved by a nuclear plant employee who has undergone the required background screening, and continuously escorted while inside the protected area of the facility.

The REAL ID program is intended to enhance the nation’s security by making it harder for terrorists to obtain state-issued identification documents. The NRC’s access authorization requirements for nuclear power plants (set out in regulation at 10 CFR 73.56 and 10 CFR 73.57) already go beyond REAL ID in ensuring anyone allowed into the protected area of nuclear plants is properly vetted.

Five Questions With Tom Rich

Tom Rich is head of the agency’s Information Security Directorate.

  1. How would you describe your job in three sentences or less?

My job is to work with others to protect NRC’s information and information systems. This includes providing security training, performing security assessments, testing the vulnerability of our IT systems to phishing and penetration attacks, responding to security incidents and keeping up with situational awareness to see where we may need to strengthen our defenses.

  2. What is the single most important thing you do at work?

Communication with NRC managers and employees regarding threats to our IT systems and data. We do security briefings, security awareness events for staff, and daily meetings with the Chief Information Officer.

  3. What is the single biggest challenge you face?

The dynamic pace of technology changes and the need for cyber defenders to keep up. With the “Internet of Things” becoming more and more a part of our daily lives, the devices we now use in virtually everything we do present security and privacy concerns and introduce a much larger avenue of attack. These devices want to communicate, in some cases sensitive data, through multiple channels with each other and cloud services. The challenge is that these devices do not have adequate security controls built into their design.

  4. What would you consider one of your biggest successes on the job?

We established a cyber security dashboard that measures the NRC’s improvements in security practices. This is an internal mechanism to let NRC stakeholders see what they are doing well and where improvements are needed. Since implementation, we have seen significant improvement in cybersecurity across the agency.

  5. What one thing about the NRC do you wish more people knew?

That we have Resident Inspectors at each of the nuclear plants. I think a lot of the public believe we regulate and inspect from a distance. I do not believe many know we have feet on the ground at the nuclear plants.

Five Questions With is an occasional series where we pose the same five questions to NRC staff.

For more information on National Cyber Security Awareness Month, go here.