Text

FENOC' Beaver Valley Power Station P.O.Box4 Shippingport, PA 15077 RrstEnergy Nuclear Operating Company Richard D. Bologna 724-682-5234 Site Vice President Fax: 724-643-8069 December 12,2017 L-17-360 10 CFR 73.22 ATTN: Document Control Desk U.S. Nuclear Regulatory Commission Washington, DC 20555-0001

SUBJECT:

Beaver Valley Nuclear Power Station, Unit Nos.1 and 2 Docket No. 50-334 License Number DPR-66

• Docket No. 50-412 License Number NPF-73 Use of Encryption*So'ftware for Electronic Transmission of Safeguards Information Pursuant to the requirements of 10 CFR 73.22(f)(3) and the guidance provided in NRC Regulatory Issue Summary 2002-15, Revision 1, "NRC Approval of Commercial Data Encryption Systems for the Electronic Transmission of Safeguards Information, " dated January 26, 2006, the FirstEnergy Nuclear Operating Company (FENOC) requests approval to process and transmit Safeguards Information (SGI) at the Beaver Valley Power Station (BVPS) using Symantec Endpoint Encryption version 11.1.2, or the latest validated version. This version of encryption product was developed with PGP Cryptographic Engine Software Version 4.3 and complies with Federal Information Processing Standard (FIPS) 140-2 as validated by the National Institute of Standards and Technology (NIST) Consolidated Certificate No. 0053 (Enclosure).

An information protection system for SGI that meets the requirements of 10 CFR 73.22 has been established and is being maintained. Written procedures are in place which describe: access controls; where and when encrypted communications can be made; how encryption keys, codes, and passwords will be protected from compromise; .actions to be taken if the encryption keys, codes or passwords are, or are suspected to have been compromised; and how the identity and access authorization of the recipient will be verified.

FENOC intends to exchange SGI with the NRC, the Nuclear Energy Institute (NEl),,and other SGI holders who have received NRC approval to use PGP software. Processing SGI on electronic systems is performed in accordance with the provisions of 10 CFR 73.22(g). BVPS will maintain a single (one) public key named with the following syntax:

LastName- FirstName- SiteName.asc.

Mr. John Sharpless, Supervisor - Nuclear Security Support, is responsible for the overall implementation of the SGI encryption program at the BVPS. So O ~

ti/{(_{(.

Beaver Valley Power Station, Unit No.1 and 2 L-17-360 Page 2 There are no regulatory commitments contained in this letter. If there are any questions or if additional information is required, please contact Mr. Brian Kremer, Manager, Regulatory Compliance, at (724) 682-4284.

Sincerely, Richard D. Bologna Site Vice President

Enclosure:

FIPS 140-2 Consolidated Certificate No. 0053 cc: NRC Region I Administrator NRC Resident Inspector NRC Project Manager

FOR INTERNAL DISTRIBUTION USE ONLY Internal Distribution of Letter L-17-360 R. A. Ritzman J. D. Ellis K. F. Sloan J. W. Sharpless M.A. Fox

~.

J. P Young \.,

D. W. Jenkins

FIPS 140-2 Consolidated Validation Certificate *

.. ,

• 4 '

~

0 ...... ...

'Ii'

,, 4

• r

'rlle National lnstllullt of Slmtdanls and Tecltnalogy of Iha Unlllld Staleli of America

• -* 'nle Cammunk:allcms Socurlly Eatabllshmant of lM Government GfCUada Consolidated Certificate No. 0053 The National Institute of Standards and Technology, as the United States FIPS 140-2 Cryptographic Module Va&datlon Authority, and the Communications Security Establishment Canada, as the Canadian FIPS 140-2 Cryptographic Module Validation Authority; heseby validate the FIPS 140-2 testing results of the cryptographic modules listed below in accordance with the Derived Test Requiremenls for APS 140-2, Securily Requirements for Cryptographic Modules. FIPS 14Q-2 specjfies the security requirements that are to be satisfied by a ~raphic module utilized within a security system protecting Sensitive Information (United States} or Protected lnfonnatlon (Canada) within computer and telecommunications systems (including voice systems).

Products which use a cryptographic module identified below maybe labeled as complying with the requirements of FIPS 140-2 so long as 1he product. throughout Its life.cycle, continues to use the validated version of the cryptographic module as specified In this consolidated certificate.

Ths validation report contains additfonal delalls concerning test results. No re!iabiHty test has been performed and no warranty of the products by both agencies is either expressed or implied.

FIPS 140-2 provides four increasing, qualitative levels af security: Level 1, Level 2, Level 3, and Level 4. These levels are intended to cover the wide range and potential applications and environments In which cryptographic modules may be employed. The secunly requirements cover eleven areas related to the secure design and implementation of a cryptographic module.

The scope of conformance achieved by the cryptographic modules as tested are identified and ffsted an the Cryptographic Module Validation Program website. The website listing Is the official list of val'ldated cryptographic modules. Each validation entry corresponds to a uniquely assigned certificate number. Assaclated with each certificate number is the module name(s), module versioning fnfonnation, applicable caveats, module type, date of initial varldation and appllcable revisions, OveraD Level, individual Levels if cflfferent than the OVerall Level, FIPS-approved .

and other algorithms, vendor contact Information, a vendor provided descripUon and the accredited Cryptographic Module Testing laboratory which performed the testing.

S'.gned on be~of lh~

Signature: ;o/',,f~,f ~

7"'~~ State*

Dated: v"' ,:tru: t1 ,et1 2e, t S Chief, Computer Security Division Director, Architecture and Technology Assurance National Institute of Standards and Technology Communications Security Establishment Canada Page 1 ofB e/112015