Companies often wonder or ask how they can achieve List N certification. As we explained in a previous blog, “List N Explained”, it’s not something you can just do; you must have a civil nuclear contracting authority (CA) contractual obligation, usually in the guise of a Security Aspects Letter (SAL) attached to the contract, to handle or generate hold Sensitive Nuclear Information (SNI) on your own premises.
In this blog, we explain some of the things you can do to prepare if you think a contract may be forthcoming. We give you a few hints and tips about some pragmatic steps you can take to get a List N facility up and running much quicker.
Before reading further, you should note that civil nuclear CAs should not give preference to existing List N contractors over non-List N companies. Investing in List N security requirements before a contract is awarded is entirely at your own risk, however, there may be advantages in improving security arrangements as a result of this exercise.
Tip 1 – Understand why you need List N
As stated above, the only way you can be a List N company is if you have a requirement to store, on your own premises, SNI. Unlike List X, which is required for companies typically with an MOD contractual requirement to hold or generate information with a security classification of SECRET or above at their premises, List N is required for information holdings classified at OFFICIAL-SENSITIVE:SNI (O-S:SNI) or above.
Civil nuclear CAs will detail the security aspects of the List N requirement, usually in a SAL, including what SNI is to be held, how, why and any requirements for secure disposal at contract end.
For non-UK List N facilities, CAs will need to consult with the Office for Nuclear Regulation (ONR) who regulates the civil nuclear industries in order to fully understand the requirements which are likely to be set on a case-by-case basis.
ONR requires civil nuclear CAs to maintain a record of List N facilities. A List N database is currently hosted by the Nuclear Decommissioning Authority (NDA). ONR and all civil nuclear CAs have access to it and are responsible for its accuracy. ONR has plans to host the List N database itself in the future.
Tip 2 – understand and establish the governance to meet the basic company requirements
List N facilities are required to protect SNI in accordance with Regulation 22 of the Nuclear Industries Security Regulations 2003 (NISR 2003). In simple terms, Regulation 22 expects adherence to HMG’s Security Policy Framework (SPF).
The process of becoming List N is not just about an assessment of the physical security controls in place at the facility where the SNI is to be held or generated. In line with ONRs SyAPs, it encompasses applicable List N facility arrangements for leadership and management for security, organisational security culture, competence management for security roles, cyber security and information assurance and workforce trustworthiness (typically processes for personnel security clearances).
CAs typically use ONRs SyAPs as a guide to set their List N security requirements for certification and audits.
Currently, each CA has its own List N certification and audit processes, but there are ongoing collaborative initiatives to reach a common standard for all.
IT systems used for handling or generating SNI must also be formally accredited or risk assessed using an industry-recognised methodology for use by CAs.
ONR conducts inspections against the standards set out in its Security Assessment Principles (SyAPs), which consist of 10 Fundamental Security Principles (FSyPs), five of which (FSyPs 1, 2, 3, 7 and 8) are considered to be applicable to List N facilities. ONR has mapped the SyAPs to the SPF. ONR will seek to understand a List N facility’s claims, arguments and evidence against the expectation of each of the applicable FSyPs.
List N generally expects the following positions (or a suitable equivalent) to be in place before a facility can be certified as List N and maintained throughout contracts. Having these roles in place is essential to meeting the most basic information security requirements. The roles can be sub-roles, but bigger organisations are generally expected to have more dedicated roles:
· Board Contact for Security: The Board Contact for Security must be a British national for SECRET:SNI and above and is responsible for ensuring the security requirements of a List N facility are maintained throughout the life of the contract. The Board Contact for Security usually also acts as the Senior Information Risk Owner (SIRO).
· Security Controller: Should also be a British national and is responsible to the Board Contact for the day to day security management within the premises.
· Clearance Contact: Responsible for coordinating clearance arrangements of employees involved in the contract.
· IT Security Officer: Responsible for the security aspects of any IT installations and networks that may handle O-S:SNI and above.
Depending on the type of contract, you may also need to appoint a Crypto Custodian.
Being able to demonstrate that your company has had these positions in place for some time and they are supported by written policy, processes and procedures will provide confidence to the civil nuclear CAs and ONR that an appropriate security governance framework is already in place.
Tip 3 – Assess your information security risks and develop a security improvement plan
HMG’s SPF and ONR’s outcome focused approach to regulation expect a risk-based approach to security.
Being a List N company does not just mean applying good security practices to a single area of your business; it means having those practices embedded in your every day working for the whole company. It is about maintaining good risk management around physical, personnel, procedural and technical security. The more mature your holistic company security practices are, the more likely that List N security requirements will be simple tweaks or easily applied enhancements.
Follow a recognised standard that is likely to be known by the List N CA auditors or ONR inspectors, such as ISO/IEC 27001:2013. It would be helpful to conduct an exercise that maps any existing security controls to ONR’s SyAPs; this will help ONR inspections to go much more smoothly. If nothing else, we recommend that you at least conduct a self-assessment of your information security arrangements against ONR’s SyAPs and maintain a record of your claims, arguments and evidence against each.
At a minimum, you should conduct and formalise physical and cyber security risk assessments and put together a security improvement plan to demonstrate your commitment to a risk-based approach. You may like to consider the Centre for the Protection of National Infrastructure’s (CPNI) guidance for the protection of critical assets against security threats and the National Cyber Security Centre’s (NCSC) guidance on cyber security risk management. Conducting physical and cyber security risk assessments and producing improvement plans will not only reduce your company’s information security risks generally but will also identify controls that will be required as part of achieving and maintaining a List N facility.
Tip 4 – Define the physical space to be used for your list N facility
Having a clear understanding of where you intend to create the List N physical space will help you get the security requirements in place before the contract is awarded. When assessing the most appropriate space and in line with the highest classification of SNI you are likely to handle or generate, you should consider the following:
· Boundary controls such as CCTV, approved doors, windows, locks. CPNI provides advice and guidance about the types of physical security barriers that are required.
· The alarm system will need to be from a reputable company, preferably NSI approved with an adequate response time (normally within 20 minutes). This is usually achieved by having the alarm monitored by a 24-hour service provider which alerts a nominated key-holder and the local police.
· Depending on the types of sensitive asset held, there may be a requirement for security furniture such as secure server racks, document safes, shredders.
Tip 5 – Prepare the IT system needed for SNI
Depending on your level of confidence in winning a List N contract and if you perceive there will be a requirement, you may like to understand and cost the IT system that is likely to be needed to meet the expectations of the contract. Whatever solution you need, it will need to be accredited by the appropriate civil nuclear CA for handling or generating SNI at the required classification.
Choosing an appropriate IT system will need to be supported by an appropriate formal information security risk assessment in order for CAs to make an informed accreditation decision.
Any IT system accredited for handling or generating SNI will be registered alongside your company’s entry on the List N database.
Assessing the accreditation requirements of the IT system before achieving List N will give you a head start on the accreditation process and allow you to get up and running much more quickly.
Tip 6 – Consider ongoing requirements for CA audits and ONR inspections
Under NISR 2003, civil nuclear CAs are responsible for certifying List N facilities and for conducting ongoing audits of those facilities as part of their supply chain due diligence activities. If a civil nuclear supply chain organisation has numerous contracts with different CAs, it is likely that each CA will conduct its own List N certification activity and audits.
ONR is empowered to regulate the entire civil nuclear industry, including List N facilities that are typically supply chain organisations.
As such, ONR also conducts inspections, both announced and unannounced of List N facilities to assess the adequacy of their security arrangements for handing, storing or generating SNI. As they operate on a cost recovery basis, ONR recover their fees for List N inspections. More information on current fees are available from [email protected].
Creating, formalising and maintaining your security arrangements will help to ensure that CA audits and ONR inspections will not result in significant issues and findings.
We hope you find the above tips useful in your endeavours to become a List N facility. Our overall opinion is that achieving List N should not be a major challenge as the security requirements these days are equally applicable to any business working with sensitive information in the cyber marketplace.
How Ascentor can help
Having designed the assessment methodology used by ONR for regulatory inspections of List N facilities and also conducted numerous List N inspections on behalf of ONR, Ascentor has considerable experience of both the requirements for and audit of List N facilities. See our case study Regulatory Oversight Support for the Office for Nuclear Regulation (ONR).