Nonproliferation
Data Tool

Nuclear Security Governance Template

An adaptable and dynamic tool that can strengthen governance mechanisms within nuclear facilities

The Stimson Center’s Governance Template offers nuclear operators an adaptable and dynamic tool for demonstrating their duty of care — going beyond the minimum regulatory requirement to foster an environment that promotes continuous improvement, adapts to evolving risk, and makes nuclear security a core value. Nuclear facilities face a wide range of challenges — from insider threats to cyber intrusion — and the consequences of failure can be catastrophic. The Template helps leaders define, communicate, and improve security-related management decision-making processes and systems without divulging sensitive information.

Benefits

Implementation Benefits

Implementing the governance template can address the concerns and needs of a range of external and internal stakeholders.

  • Public Confidence
  • Internal Assessment
  • Flexible Implementation

Increase Public Confidence

The governance template provides leaders a framework to transform data-driven security process and policy into a narrative that is approachable and meaningful to the public and policymakers.

Narratives are an important part of effective communication; stories help people better understand the human impact of data. When the community of people who work at a nuclear facility shows a commitment to good governance, it enhances “public confidence in the peaceful use of nuclear applications.”[3]

[3] At the 2020 International Atomic Energy Agency Nuclear Security Ministerial, dozens of states endorsed a declaration emphasizing the importance of nuclear security in enhancing “public confidence in the peaceful use of nuclear applications.”

Improve Internal Assessments

The governance template serves as an internal assessment and gap analysis tool for nuclear facilities, particularly in determining whether senior leadership has a consistent understanding of, and commitment to, security culture, both in policy and in practice.

Highlighting areas where an organization is doing well offers an opportunity to reward good behaviors that might otherwise not be recognized. Understanding an organization’s culture builds common language and intent across a diverse workforce and offers snapshots of nuclear security improvement over time.

Customize a Flexible Implementation

The template is designed to be tailored to each nuclear facility as part of a full implementation plan and can be used by a variety of actors, such as Chief Operating Officers, Chief Security/Nuclear Officers, and Site Managers.

The Governance Template contains a survey that can be used to provide guidance, recommendations, and feedback to nuclear facilities and their leadership. The goals and best practices in the template are an indicative resource to help nuclear operators illustrate how security considerations are decided, implemented, and internalized by the entire organization. Facilities can build upon good practices and ensure that they fit their unique needs and requirements to strengthen their security culture.

Examples

From the Governance Template Survey

The survey portion of the Governance Template contains questions focused on “challenge areas” and can be used to provide guidance, recommendations, and feedback to nuclear facilities and their leadership.[4]

[4] The good practices and associated questions on the survey are based on existing guidance documents from the International Atomic Energy Agency, including NSS 7 on Nuclear Security Culture; NSS 13 on Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities; and NSS 28-T on Self-Assessment of Nuclear Security Culture in Facilities and Activities, among others. The survey also utilizes guidance from the World Institute for Nuclear Security Best Practice Guide on Security Governance and incorporates insights from the World Association of Nuclear Operators (WANO) and the U.S.-based Institute of Nuclear Power Operators (INPO) industry guidance for safety.

  • Sections based on Governance Template objectives
  • Good Practices linking nuclear security goals to documented actions
  • Question Sets that help decisionmakers understand the state of their organization
Section

Leadership and Oversight
Gaining insight into the decision-making processes

Good Practice

The board should play an active role to ensure good governance and oversight of the organization’s security program.

Developing organizations with strong commitment to nuclear security requires active engagement from the security guards to the senior leadership. In privately owned organizations, this includes participation from a board of directors. Board members should have a process for understanding their organization’s approach to security, including relevant legal frameworks, regulatory and legal requirements, and their organization’s process for responding to evolving threats.

Sample Question

What is the Board’s review process of risks, security policy and performance?

Good Practice

Executives should show commitment to the organization’s nuclear security program.

Executives can demonstrate their commitment to nuclear security by communicating and demonstrating the importance of nuclear security, ensuring that decisions are based on systematic, rigorous, and thorough analysis, and building trust through transparency with internal and external stakeholders.

Sample Question

Are managerial accountabilities for nuclear security clearly defined; what are the mechanisms in place to implement security policies?

Section

Nuclear Security Risk Assessment
Gaining insight into how an organization assesses the threat and adopts a risk-informed approach

Good Practice

The organization should have a methodology for defining acceptable risk.

An effective corporate governance framework includes the execution and evaluation of systems for risk management. Board members and executive managers should understand organizational risks and the cost-benefit analysis used to decide whether to remediate or accept a risk.

Sample Question

How does your organization assess risk?

Good Practice

The organization should take measures to ensure proper coordination among safety, security, and emergency response arrangements, and should adopt an all-hazards approach to risk management.

Organizations should develop plans for maintaining security during events whose effects are common to multiple hazards, rather than developing individual plans for each hazard. These plans should identify common tasks to be performed, assign responsibility for executing these tasks, and include procedures for carrying out critical tasks. They should prioritize maintaining security throughout a crisis, including maintaining lines of communication, site access control, and physical protection systems.

Sample Question

Does your organization implement an integrated risk management approach to identify and manage risks?

Section

Shared Understanding of Nuclear Security
Gaining insight into how leadership communicates and encourages security practices at every level of the workforce

Good Practice

The organization should have a published policy for nuclear security.

A nuclear security policy should include the goal of strong and sustainable nuclear security capable of protecting against all possible threats. This should include, at a minimum, protecting against a well-placed insider; a modest group of well-trained and well-armed outsiders, capable of operating as more than one team; and both an insider and the outsiders working together. The policy should also recommend that countries require protection against evolving threats such as cyber and unmanned aerial vehicles.

Sample Question

How do you socialize this policy to the workforce?

Good Practice

Management should work to ensure that significant security-related decisions make sense to stakeholders and sensibly reinforce good behaviors throughout the organization.

Management should convey to stakeholders how physical protection systems are tied to timely and continuous assessment of threats. It should also encourage behavior throughout the organization that rewards focus on continuous nuclear security improvement.

Sample Question

What are the various methods used to communicate the importance of security throughout the organization and among its stakeholders, including the importance of confidentiality?

Good Practice

Organizations should identify supply chain vulnerabilities and should communicate the importance of supply chain security throughout the workforce.

In a world where digital technology is increasingly common and threats are rapidly evolving, organizations must ensure that their supply chains are not producing technologies vulnerable to cyber attacks. Emphasizing the security of supply chains should be part of any targeted security culture program. This means that all staff, from management to security guards, need to be aware of the importance of supply chain security.

Sample Question

How do you evaluate supply chain security within contracting entities?

Good Practice

Management should ensure there are processes and mechanisms in place for leadership and the workforce to continually challenge and test basic assumptions about security (and safety).

Management should encourage the development of “red teams” that look for security system weaknesses and how to fix them. These teams should be motivated and incentivized to defeat security systems.

Sample Question

Are there instances in which employee feedback has been used to improve security?

Section

Evaluation and Continuous Learning
Gaining insight into how all staff members are evaluated in their security proficiency and the opportunities provided for improvement

Good Practice

The organization’s nuclear security program should have benchmarks and targets to understand and improve performance.

Organizations must be able to demonstrate that reasonable steps have been taken to strengthen approaches to accountability and liability issues related to nuclear security incidents.

Sample Question

Is your nuclear security assessment program performance based?

Good Practice

Management should regularly assess the effectiveness of the organization’s nuclear security.

Performance testing is a critical component in evaluating the quality of a physical protection system. Performance testing must be capable of assessing how effectively a protection system responds to changing threats rather than only testing compliance against design and performance requirements. Performance tests, like force-on-force exercises, should be conducted regularly and based on realistic scenarios.

Sample Question

What, if any, peer or other third-party reviews or audits have been completed or planned?

Good Practice

In general, the organization should have tools and resources available to assess security performance and implement improvements.

Any system for assessing security performance should use a range of tools and resources, including red teaming exercises, and integrate a diverse range of exercises and simulations.

Sample Question

What types of other resources would be useful that the organization may not necessarily have access to at this time?

Good Practice

Personnel throughout the facility should be appropriately screened and trained in security.

Background checks and ongoing personnel reliability programs are a critical element of ensuring the trustworthiness of organizational staff. Appropriate standards for selection, training, and certification should be developed to ensure that managers and personnel with accountabilities for nuclear security are demonstrably competent.

Sample Question

How is human reliability ascertained, tested and demonstrated, and how regularly do reviews take place?

Consulting

Implementation Consulting

Stimson offers a full suite of consultation services to help facilities and other stakeholders implement the governance template.

Support is available for:

  • Workshop Development,
  • Facility-specific security culture training, and
  • Implementation planning.

Organizations interested in additional information or in requesting an implementation quote should submit their information below.
