A high-level introduction to List N for contractors holding Sensitive Nuclear Information (SNI), with useful links to help achieve List N certification.
If you are a commercial company working in the civil nuclear sector, with a contractual requirement to hold Sensitive Nuclear Information (SNI), you’ll need a facility certified as ‘List N’.
This blog will give you a high-level introduction to List N, with useful links and points of contact that will help you in the process. It is the first of two articles; the second covers ‘How to prepare your company for achieving and maintaining List N’. You might also visit our List N services page.
What is List N?
List X is required for companies that typically have an MOD contractual requirement to hold or generate information with a security classification of SECRET or above at their premises. List N, by contrast, is required for information holdings classified at OFFICIAL-SENSITIVE:SNI (O-S:SNI) or above.
The term ‘List N’ is the UK civil nuclear equivalent of what the rest of the world more commonly calls a Facility Security Clearance (FSC). It refers to contractors or subcontractors that have been certified and placed on the List N database because they carry out work at their own facility or facilities that requires them to hold or generate O-S:SNI or higher.
List N facilities are required to protect SNI in accordance with Regulation 22 of the Nuclear Industries Security Regulations 2003 (NISR 2003). In simple terms, Regulation 22 expects adherence to HMG’s Security Policy Framework (SPF).
Becoming List N
Companies cannot ‘apply’ for List N status; they must have a contractual requirement to handle or generate SNI.
Civil nuclear contracting authorities or ‘CAs’ (such as Sellafield, NDA and EDF) are responsible for ensuring that those of their civil nuclear supply chain organisations which are required to handle or generate SNI are contractually obliged to achieve and maintain List N status. This is normally formalised in a Security Aspects Letter (SAL) attached to the contract.
The CA will detail the security aspects of the List N requirement: for example, what SNI is to be held, how and why it is to be held, and any requirements for secure disposal at contract end.
Who Manages List N?
The Office for Nuclear Regulation (ONR) requires civil nuclear CAs to maintain a record of List N facilities. The List N database is currently hosted by the Nuclear Decommissioning Authority (NDA). ONR and all civil nuclear CAs have access to it and are responsible for its accuracy. ONR has plans to host the List N database itself in the future.
Under NISR 2003, civil nuclear CAs are responsible for certifying List N facilities and for conducting ongoing audits of those facilities as part of their supply chain due diligence activities. If a civil nuclear supply chain organisation has numerous contracts with different CAs, it is likely that each CA will conduct its own List N certification activity and audits.
ONR is empowered to regulate the entire civil nuclear industry, including List N facilities, which are typically supply chain organisations. As such, ONR also conducts inspections of List N facilities, both announced and unannounced, to assess the adequacy of their security arrangements for handling, storing or generating SNI. As it operates on a cost-recovery basis, ONR recovers its fees for List N inspections. More information on current fees is available from [email protected].
List N Security Requirements
The process of becoming List N is not just an assessment of the physical security controls in place at the facility where the SNI is to be held or generated. In line with ONR’s SyAPs, it encompasses the applicable List N facility arrangements for leadership and management for security, organisational security culture, competence management for security roles, cyber security and information assurance, and workforce trustworthiness (typically the processes for personnel security clearances).
CAs typically use ONR’s SyAPs as a guide when setting their List N security requirements for certification and audits. Currently, each CA has its own List N certification and audit processes, but collaborative initiatives are under way to reach a common standard for all.
IT systems used for handling or generating SNI must also be formally accredited or risk assessed, using an industry-recognised methodology, for use by CAs.
ONR conducts inspections against the standards set out in its Security Assessment Principles (SyAPs), which consist of 10 Fundamental Security Principles (FSyPs), five of which (FSyPs 1, 2, 3, 7 and 8) are considered applicable to List N facilities. ONR recognises that NISR 2003 specifically references the SPF, and so it has helpfully mapped its SyAPs to the SPF to demonstrate alignment.
How Ascentor can help
Ascentor can steer you through what is needed to become List N certified, or assist in your preparation for CA audits or ONR inspections (as described in our ‘How to prepare your company for achieving List N’ blog). We start with our tried and tested Gap Analysis, a four-step process that arms you with the knowledge to make business decisions about improvements and the resources they require. Find out more on our List N services page.
You may also find our case study ‘Regulatory Oversight Support for the Office for Nuclear Regulation (ONR)’ of interest.
Should you wish to gain further security advice on List N, or on improving your company’s cyber security maturity more generally, please contact the team at Ascentor.
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about Information Assurance (IA) and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter (sign up using the form below).