AEP-NRC-2014-04, License Amendment Request to Revise the Cyber Security Implementation Schedule

From kanterella
Jump to navigation Jump to search

License Amendment Request to Revise the Cyber Security Implementation Schedule
ML14015A142
Person / Time
Site: Cook  American Electric Power icon.png
Issue date: 01/10/2014
From: Gebbie J
Indiana Michigan Power Co
To:
Document Control Desk, Office of Nuclear Reactor Regulation
Shared Package
ML14015A133 List:
References
AEP-NRC-2014-04, TAC ME4275, TAC ME4276, TAC ME9523, TAC ME9524
Download: ML14015A142 (19)
v  d  e


Text

INDIANA Indiana Michigan Power MICHIGAN Cook Nuclear Plant pW'ER One Cook Place Bridgrnan, MVI49106 A unit ofAmerican Electric Power Indiana MichiganPower.com January 10, 2014 AEP-NRC-2014-04 10 CFR 50.90 U. S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555-0001

SUBJECT:

Donald C. Cook Nuclear Plant Units 1 and 2 Docket Nos.: 50-315 and 50-316 License Amendment Request to Revise the Cyber Security Implementation Schedule

References:

1. U. S. Nuclear Regulatory Commission (NRC) Internal Memorandum to Barry Westreich from Russell Felts, "Review Criteria for Title 10 of the Code of Federal Regulations Part 73.54, Cyber Security Implementation Schedule Milestone 8 License Amendment Requests," dated October 24, 2013 (Adams Accession No. ML13295A467)
2. Letter from J. P. Gebbie, Indiana Michigan Power Company (I&M), to NRC Document Control Desk, "Response to Request for Information Regarding a License Amendment Request for Approval of the Donald C. Cook Nuclear Plant Cyber Security Plan (TAC Nos.

ME4275 and ME4276)," dated April 8, 2011 (ML11111A058)

3. Letter from NRC to I&M "Donald C. Cook Nuclear Plant, Units 1 and 2 - Issuance of Amendments re: Cyber Security Plan (TAC Nos. ME4275 AND ME4276), dated July 28, 2011 (ML11182A178)
4. Letter from J. P. Gebbie, I&M, to NRC Document Control Desk, "License Amendment Request - Cyber Security Plan Implementation Schedule Milestones," dated September 11, 2012 (ML12262A480)
5. Letter from NRC to I&M "Donald C. Cook Nuclear Plant, Units 1 and 2 - Issuance of Amendments re: Revised Cyber Security Plan Implementation Schedule Milestone 6 (TAC Nos. ME9523 and ME9524)," dated December 13, 2012 (ML12318A234)

Pursuant to 10 CFR 50.90, Indiana Michigan Power Company (I&M), the licensee for Donald C. Cook Nuclear Plant (CNP) Units 1 and 2, hereby requests an amendment to Renewed Facility Operating Licenses (FOL) DPR-58 and DPR-74. In accordance with the guidelines provided in Reference 1, this request proposes a change to the CNP Cyber Security Plan (CSP)

Milestone 8 full implementation date as set forth in the CNP CSP Implementation Schedule that was submitted via Reference 2 and originally approved by the U. S. Nuclear Regulatory Commission (NRC) in Reference 3. In Reference 4, I&M proposed a change to the scope of Milestone 6 of the implementation schedule. No change to the completion date for Milestone 6 was proposed. This request was approved by the NRC in Reference 5, and the license condition in each FOL was modified accordingly.

Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5 to this letter contain sensitive information .D Withhold from public disclosure under 10 CFR 2.390 I' Upon removal of Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5, this letter is decontrolled

U. S. Nuclear Regulatory Commission AEP-NRC-2014-04 Page 2 to this letter provides an affirmation statement pertaining to the information contained herein. Enclosure 2 provides I&M's evaluation of the proposed FOL change, which includes a detailed description of the proposed changes, a technical analysis of the proposed changes, I&M's determination that the proposed changes do not involve a significant hazards consideration, a regulatory analysis of the proposed changes, and an environmental evaluation. Enclosures 3 and 4 provide Unit 1 and Unit 2 Renewed FOL pages, respectively, marked to show the proposed changes. Revised Unit 1 and Unit 2 Renewed FOL pages with proposed changes incorporated will be provided to the NRC Licensing Project Manager when requested. to this letter contains the revised regulatory commitment for the full implementation date of the CNP CSP (Milestone 8). Enclosure 6 contains a report of open corrective action program items for CSP implementation.

The current CSP Implementation Schedule calls for full implementation (Milestone 8) by December 31, 2014. Therefore, I&M requests approval of the proposed license amendment by October 30, 2014. The proposed change will be implemented within 60 days of NRC approval.

In accordance with 10 CFR 50.91(b), I&M is providing the State of Michigan with a copy of this proposed amendment.

I&M requests that Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5, which contain security-related information (SRI), be withheld from public disclosure in accordance with 10 CFR 2.390.

This letter contains a revised regulatory commitment for full implementation of the CNP CSP.

Should you have any questions, please contact Mr. Michael K. Scarpello, Regulatory Affairs Manager, at (269) 466-2649.

Sincerely, Joel P. Gebbie Site Vice President TLC/dmb

Enclosures:

1. Affirmation
2. Evaluation of Proposed License Amendment Request to Revise Milestone 8 of the Donald C.

Cook Nuclear Plant Cyber Security Plan (contains SRI)

3. Proposed Revision to Unit 1 Renewed Facility Operating License (mark-up)
4. Proposed Revision to Unit 2 Renewed Facility Operating License (mark-up)
5. Revised Cyber Security Plan Implementation Schedule as Regulatory Commitments (contains SRI)
6. CNP Cyber Security CAP Report Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5 to this letter contain sensitive information Withhold from public disclosure under 10 CFR 2.390 Upon removal of Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5, this letter is decontrolled

U. S. Nuclear Regulatory Commission AEP-NRC-2014-04 Page 3 c: J.T. King - MPSC S. M. Krawec - Ft. Wayne AEP, w/o attachments MDEQ - RMD/RPS NRC Resident Inspector C. D. Pederson - NRC Region III T. J. Wengert - NRC Washington DC Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5 to this letter contain sensitive information Withhold from public disclosure under 10 CFR 2.390 Upon removal of Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5, this letter is decontrolled

Enclosure I to AEP-NRC-2014-04 AFFIRMATION I, Joel P. Gebbie, being duly sworn, state that I am Site Vice President of Indiana Michigan Power Company (I&M), that I am authorized to sign and file this request with the Nuclear Regulatory Commission on behalf of I&M, and that the statements made and the matters set forth herein pertaining to I&M are true and correct to the best of my knowledge, information, and belief.

Indiana Michigan Power Company Joel P. Gebbie Site Vice President SWORN TO AND SUBSCRIBED BEFORE ME THIS DAY OF 2014 DANIELLE BURGOYNE Notary Public, State of Michigan MNotary Pubire J- County of Berrien My Commission Expires 04-04-2018 My Commission Expires ***- -kJ _**_* Acting In the County of !Z-,,

Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5 to this letter contain sensitive information Withhold from public disclosure under 10 CFR 2.390 Upon removal of Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5, this letter is decontrolled to AEP-NRC-2014-04 Page 16

4.0 REGULATORY EVALUATION

4.1 Applicable Regulatory Requirements 10 CFR 73.54 requires licensees to implement and maintain a CSP. CNP Renewed FOL DPR-58 and DPR-74 include a Physical Protection license condition that requires I&M to fully implement and maintain in effect all provisions of the Commission-approved CSP, including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The CSP and associated implementation schedule for CNP Units 1 and 2 were approved by the NRC on July 28, 2011 (Reference 3) via License Amendments 315 and 299, respectively and modified by an NRC-approved LAR on December 13, 2012 (Reference 4). Any change to the NRC-approved CSP implementation schedule requires prior NRC approval pursuant to 10 CFR 50.90. This LAR is submitted pursuant to 10 CFR 50.90 requesting an amendment to the Renewed FOL regarding the implementation schedule for the CNP CSP.

4.2 Precedents No precedents were identified where the NRC had approved the extension of a CSP full implementation date beyond that originally approved.

4.3 No Significant Hazards Consideration I&M has evaluated whether a significant hazards consideration is involved with the proposed amendment by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of amendment," as discussed below:

1. Does the proposed change involve a significant increase in the probability of occurrence or consequences of an accident previously evaluated?

Response: No The amendment proposes a change to the CNP Unit 1 and Unit 2 CSPs Milestone 8 full implementation date as set forth in the CNP CSP Implementation Schedule. The revision of the full implementation date for the CNP CSP does not involve modifications to any safety-related structures, systems or components (SSCs). Rather, the implementation schedule provides a timetable for fully implementing the CNP CSP. The CSP describes how the requirements of 10 CFR 73.54 are to be implemented to identify, evaluate, and mitigate cyber attacks up to and including the design basis cyber attack threat, thereby achieving high assurance that the facility's digital computer and communications systems and networks are adequately protected from cyber attacks.

The revision of the CNP CSP Implementation Schedule will not alter previously evaluated design basis accident analysis assumptions, add any accident initiators, modify the function of the plant safety-related SSCs, or affect how any plant safety-related SSCs are operated, maintained, modified, tested, or inspected.

Therefore, the proposed changes do not involve a significant increase in the probability or consequences of an accident previously evaluated.

Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5 to this letter contain sensitive information Withhold from public disclosure under 10 CFR 2.390 Upon removal of Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5, this letter is decontrolled to AEP-NRC-2014-04 Page 17

2. Does the proposed change create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No A revision to the CSP Implementation Schedule does not require any plant modifications. The proposed revision to the CSP Implementation Schedule does not alter the plant configuration, require new plant equipment to be installed, alter accident analysis assumptions, add any initiators, or affect the function of plant systems or the manner in which systems are operated, maintained, modified, tested, or inspected.

Revision of the CNP CSP Implementation Schedule does not introduce new equipment that could create a new or different kind of accident, and no new equipment failure modes are created. No new accident scenarios, failure mechanisms, or limiting single failures are introduced as a result of this proposed amendment.

Therefore, the proposed change does not create the possibility of a new or different kind of accident from any previously evaluated.

3. Does the proposed change involve a significant reduction in a margin of safety?

Response: No Plant safety margins are established through limiting conditions for operation, limiting safety system settings, and safety limits specified in the technical specifications. The proposed amendment does not alter the way any safety-related SSC functions and does not alter the way the plant is operated. The CSP, as implemented by milestones 1-7, provides assurance that safety-related SSCs are protected from cyber attacks. The proposed amendment does not introduce any new uncertainties or change any existing uncertainties associated with any safety limit. The proposed amendment has no effect on the structural integrity of the fuel cladding, reactor coolant pressure boundary, or containment structure.7 Therefore the proposed change does not involve a significant reduction in a margin of safety.

4.4 Conclusions In conclusion, based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public. I&M concludes that the proposed amendment present no significant hazards consideration under the standards set forth in 10 CFR 50.92(c) and, accordingly, a finding of "no significant hazards consideration" is justified.

Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5 to this letter contain sensitive information Withhold from public disclosure under 10 CFR 2.390 Upon removal of Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5, this letter is decontrolled to AEP-NRC-2014-04 Page 18

5.0 ENVIRONMENTAL CONSIDERATION

The proposed amendment would change the full implementation date for the CNP CSP Implementation Schedule. Based on that information, the proposed amendment meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(12). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed amendment.

6.0 REFERENCES

1. NRC Internal Memorandum to Barry Westreich from Russell Felts, Review Criteria for Title 10 of the Code of Federal Regulations Part 73.54, Cyber Security Implementation Schedule Milestone 8 License Amendment Requests, dated October 24, 2013 (Adams Accession No. ML13295A467)
2. Letter from J. W. Roe, Nuclear Energy Institute, to S. A. Morris, Nuclear Regulatory Commission (NRC), "NEI 08-09, Revision 6, Cyber Security Plan for Nuclear Power Reactors, April 2010," dated April 28, 2010. (ADAMS Accession No. ML101180434)
3. Letter from NRC to L. J. Weber, Indiana Michigan Power Company (I&M), "Donald C. Cook Nuclear Plant, Units 1 and 2 -- Issuance of Amendments re: Cyber Security Plan (TAC Nos. ME4275 and ME4276)," dated July 28, 2011, (ML11182A178)
4. Letter from NRC to I&M "Donald C. Cook Nuclear Plant, Units 1 and 2 - Issuance of Amendments re: Revised Cyber Security Plan Implementation Schedule Milestone 6 (TAC Nos. ME9523 and ME9524)," dated December 13, 2012 (ML12318A234)
5. NRC Internal Memorandum from Barry Westreich to C. G. Miller, et.al., "Enhanced Guidance for Licensee Near-Term Corrective Actions to Address Cyber Security Inspection Findings and Licensee Eligibility for "Good-Faith" Attempt Discretion, dated July 1, 2013 (ML13178A203)

Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5 to this letter contain sensitive information Withhold from public disclosure under 10 CFR 2.390 Upon removal of Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5, this letter is decontrolled

Enclosure 3 to AEP-NRC-2014-04 Proposed Revision to Unit 1 Renewed Facility Operating License Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5 to this letter contain sensitive information Withhold from public disclosure under 10 CFR 2.390 Upon removal of Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5, this letter is decontrolled to AEP-NRC-2014-04 Page 1 Proposed Revision to the Unit 1 Renewed Facility Operating License For Donald C. Cook Nuclear Plant Unit 1 Renewed Facility Operating License (FOL), revise the text within the current Renewed FOL license condition for Physical Protection as shown:

The Indiana and Michigan Power Company shall fully implement and maintain in effect all provisions of the Commission-approved Donald C. Cook Nuclear Plant Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Donald C. Cook Nuclear Plant CSP was approved by License Amendment No. 315 as supplemented by a-changes approved by License Amendment Nos. 319 and [number for this approved license amendment].

Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5 to this letter contain sensitive information Withhold from public disclosure under 10 CFR 2.390 Upon removal of Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5, this letter is decontrolled

Enclosure 4 to AEP-NRC-2014-04 Proposed Revision to Unit 2 Renewed Facility Operating License Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5 to this letter contain sensitive information Withhold from public disclosure under 10 CFR 2.390 Upon removal of Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5, this letter is decontrolled to AEP-NRC-2014-04 Page 1 Proposed Revision to the Unit 2 Renewed Facility Operating License For Donald C. Cook Nuclear Plant Unit 2 Renewed Facility Operating License (FOL), revise the text within the current Renewed FOL license condition for Physical Protection as shown:

The Indiana and Michigan Power Company shall fully implement and maintain in effect all provisions of the Commission-approved Donald C. Cook Nuclear Plant Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Donald C. Cook Nuclear Plant CSP was approved by License Amendment No. 299 as supplemented by a-changes approved by License Amendment Nos. 303 and [number for this approved license amendmentl..

Clean copies of the affected Renewed FOL pages with the proposed changes incorporated will be provided to the Nuclear Regulatory Commission Licensing Project Manager upon request.

Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5 to this letter contain sensitive information Withhold from public disclosure under 10 CFR 2.390 Upon removal of Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5, this letter is decontrolled

Enclosure 6 to AEP-NRC-2014-04 Donald C. Cook Nuclear Plant Cyber Security Plan Corrective Action Program Report Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5 to this letter contain sensitive information Withhold from public disclosure under 10 CFR 2.390 Upon removal of Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5, this letter is decontrolled to AEP-NRC-2014-04 Page 1 Identifier Due date Subject Action Subject Comments AR 2013-17510 - 2 1/17/2014 Procedure Revision Revise PMP-5047-CSP-006 Define Cyber Security - CSAT quorum requirements and when a quorum is required. Update PMP-5047-CSP-006 with these changes AR 2013-17522 - 2 3/11/2014 Quality Records Retention of Cyber Security Submit the list of CDAs to document Documents control for retention as a quality record AR 2013-17569 - 5 2/14/2014 Records Verification Verify Target Set CDAs Verify that all CDAs related to target sets have been reveiwed and documented. The previous methodology used to perform this work excluded some CDAs.

AR 2013-17569- 6 2/14/2014 Procedure Revision Revise PMP-5047-CSP-003 Revise the procedure to include dcocumentation and justification for why a digital asset is not a CDA.

Currently, only digital devices determined to be a CDA have this justification and documentation.

AR 2013-17632 - 1 1/31/2014 Database Update Implement Procedure Add missing CDAs to electronic Requirements for PA-13-17, database (EDB) in Indus. The missing Cyber Security-Critical CDAs are all related to the recent Digital Asset control plant process computer (PPC) upgrade project. The identified CDAs were provided to the PPC project to include in EDB with the CDA flag as part of the project, but this information was missed by the project.

Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5 to this letter contain sensitive information Withhold from public disclosure under 10 CFR 2.390 Upon removal of Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5, this letter is decontrolled to AEP-NRC-2014-04 Page 2 Identifier Due date Subject Action Subject Comments AR 2013-17804 - 4 3/21/2014 Create Procedure Formalize SFAQ review Create a new procedure with Site process Protective Services to formalize the SFAQ review process. Currently, there is no formal process to insure that this review is completed and documented when a new SFAQ is issued.

AR 2013-17804 - 5 3/21/2014 Address SFAQs Review existing SFAQs for Review SFAQs marked as cyber Cyber Security impact. released since 2010 and create any GT action assignments to verify the implementation of the SFAQ requirement, ifany.

AR 2013-17804- 6 3/21/2014 Address SFAQs Implement SFAQ 10-05 Identify and complete actions necessary to implement SFAQ 10-05.

This is to ensure that all personnel who work on CDAs or escort visitors working on a CDA are a member of the critical group.

AR 2013-18016 - 2 2/28/2014 Procedure Change Add guidance on escorted Provide responsible groups with the personnel interacting with appropriate wording to change PMP-CDA 2060-ACS-003, PMP-2060-SEC-006, and PMP-3140-CON-003 to include guidance to station personnel regarding work performed on CDAs and critical group membership.

Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5 to this letter contain sensitive information Withhold from public disclosure under 10 CFR 2.390 Upon removal of Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5, this letter is decontrolled to AEP-NRC-2014-04 Page 3 Identifier Due date Subject Action Subject Comments AR 2013-18060 -2 4/25/2014 Database Update Listing of Critical Digital Update Lumension Risk Manager Asset (LRM) to match EDB for Physical Security Equipment. This equipment was recently added to LRM and did not have component identifications until being added to EDB.

AR 2013-18624 - 4 1/17/2014 Cyber Security Milestone 1-7 Perform an Apparent Cause Station management did not provide Implementation Evaluation of Performance adequate oversight during the Assurance Audit Findings implementation of the Cyber Security Program to ensure effectiveness.

Based on the conditions identified during the audit investigation, Performance Assurance concluded that the current Cyber Security Program was ineffective.

A recovery plan is required in order to provide assurance that the Cyber Security Program will be effective.

See next action item for interim effectiveness resolution.

AR 2013-18624 - 9 1/17/2014 Cyber Security Milestone 1-7 Provide a response to PA Performance Assurance (PA) has Implementation within 30 days reviewed the written response and immediate corrective actions taken regarding finding PAA-13-17-01 and found them to be acceptable.

Specifically, the action plan and responses addressing the conditions associated with Milestones 6, 7, 5, and 3 (Action Requests 2013-17569, 2013-17804/Stop Work Order 2013-2, 2013-18016, and 2013-18272, respectively) were reviewed to judge the recovery of effectiveness of the Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5 to this letter contain sensitive information Withhold from public disclosure under 10 CFR 2.390 Upon removal of Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5, this letter is decontrolled to AEP-NRC-2014-04 Page 4 Identifier Due date Subject Action Subject Comments interim CNP Cyber Security Program.

PA concluded that the actions taken to date provide reasonable assurance that the CNP Cyber Security Program will provide necessary protection for all CNP Critical Digital Assets, Critical Systems, Computer Systems, Computing Assets, Information Services, Internet, Intranet, Internal Network Infrastructure, and Data Security. Additionally, planned corrective actions should ensure sustainability and effective program controls for the same, once implemented.

AR 2013-7327 - 3 1/16/2014 Procedure Revision Revise PMP-5047-CSP- Revise procedure PMP-5047-CSP-004, Control of Removable 004, Control of Removable Media and Media and Mobile Devices. Mobile Devices, to incorporate changes based on NRC milestone 4 implementation guidance.

GT 2010-3343- 2 5/30/2014 Procedure Revision PMP-5047-CSP-001 needs Revise PMP-5047-CSP-001 to include enhancement. a mechanism to perform a cyber security review as listed in step 3.3.1.a Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5 to this letter contain sensitive information Withhold from public disclosure under 10 CFR 2.390 Upon removal of Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5, this letter is decontrolled to AEP-NRC-2014-04 Page 5 Identifier Due date Subject Action Subject Comments GT 2010-7260 - 8 12/31/2014 Conduct Assessment Perform and Document the This action is tracking the assessment Cyber Security Assessment phase of all digital assets installed at Described in the CSP the plant. This is being done in support of full cyber security program implementation and must be done in order to apply all required cyber security controls to applicable CDAs.

GT 2013-10014 - 1 8/29/2014 Procedure Change Change.the software control Change the software control GT 2013-10017 - 1 procedure, PMP-5046-SCP- procedure to reflect the requirements 001 of NEI-08-09 Rev. 6 and the CSP GT 2013-10018 - 1 3/28/2014 Create New Procedure Create PMP-5047-CSP- Create a new procedure to govern 005, CDA Access Control how access to CDAs is granted and monitored for cyber security requirements identified in NEI-08-09 Rev. 6 and the CSP GT 2013-10021 - 1 3/28/2014 Procedure Change Change cyber security Change the cyber security assessment methodology assessment methodology procedure procedure, PMP-5047-CSP- to incorporate lessons learned from 003 internal OE and to incorporate industry OE from NRC inspection activities.

Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5 to this letter contain sensitive information Withhold from public disclosure under 10 CFR 2.390 Upon removal of Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5, this letter is decontrolled to AEP-NRC-2014-04 Page 6 Identifier Due date Subject Action Subject Comments GT 2013-10304- 2 2/7/2014 Training Needs Analysis Cyber Security Training per Review and approve the training NEI 08-09 needs analysis for the station. This includes cyber security awareness training and technical training for specific individuals/departments.

GT 2013-12698 - 1 6/1/2014 Records Retention Develop records retention Create a records retention schedule schedule for Cyber Security for all quality records to be generated as part of the cyber security program and program implementation.

GT 2013-14353 - 2 4/23/2014 Procedure Change Revise PMI-5046 Revise PMI-5046 to include NRC commitment 6005 as a reference.

GT 2013-17630- 1 1/31/2014 Revise Qualification Revise SE-JFG-CSAT Revise the job familiarization guide (JFG) to include additional signature lines as required by the current revision of TRP-2070-TAP-300.

GT 2013-18833 - 1 1/10/2014 Corrective Action Trending Trending Codes for Cyber Consider adding additional equipment Security reason codes for cyber security equipment. There are already two codes in the system, this is just to evaluate the need for additional codes.

Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5 to this letter contain sensitive information Withhold from public disclosure under 10 CFR 2.390 Upon removal of Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5, this letter is decontrolled to AEP-NRC-2014-04 Page 7 Identifier Due date Subject Action Subject Comments GT 2013-18909 - 1 6/30/2014 Revise Procedure Revise PMP-5047-CSP-006 Revise PMP-5047-CSP-006 to refine the CSAT function and subject matter expert (SME) representation functions for Critical System and CDA assessments GT 2013-19028 - 2/20/2014 Familiarization Develop briefing material Brief the ESP PRC on the status of 10 Communication the PD defiencies relating to the use of portable and removable media on plant equipment.

GT 2013-19494 - 1 12/15/2014 Lessons Learned Review Lessons Learned Review all published lessons learned from NRC inspections documents from NRC TI Inspections and create GT Actions to track implementation of any changes needed from these reviews.

GT 2013-7501 - 1 6/1/2014 Determine resolution for PPC/CRA Room Access There is an unmonitored access hatch compliance Control for TSC between the TSC and the TSC Passageway computer room that does not meet cyber security requirements for restricting and monitoring physical access to CDAs. This action is to track the correction of this issue.

GT 00812079 - 24 6/27/2014 Procedure Change Revise PMI-7032 Identify and provide procedure wording changes for PMI-7032, Event Response Procedure, to include any necessary cyber security event initiators.

Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5 to this letter contain sensitive information Withhold from public disclosure under 10 CFR 2.390 Upon removal of Sections 1, 2, and 3 of Enclosure 2 and Enclosure 5, this letter is decontrolled

Retrieved from "https://kanterella.com/w/index.php?title=AEP-NRC-2014-04,_License_Amendment_Request_to_Revise_the_Cyber_Security_Implementation_Schedule&oldid=2454178"