ML041670676
| ML041670676 | |
| Person / Time | |
|---|---|
| Site: | Cooper  |
| Issue date: | 06/14/2004 |
| From: | Bhalchandra Vaidya NRC/NRR/DLPM |
| To: | Edington R Nebraska Public Power District (NPPD) |
| vaidya B, NRR/DLPM, 415-3308 | |
| References | |
| TAC MC3319 | |
| Download: ML041670676 (4) | |
Text
June 14, 2004 Mr. Randall K. Edington Vice President-Nuclear and CNO Nebraska Public Power District P. O. Box 98 Brownville, NE 68321
SUBJECT:
COOPER NUCLEAR STATION - USE OF ENCRYPTION SOFTWARE FOR SECURE TRANSMISSION OF SAFEGUARDS INFORMATION (TAC NO. MC3319)
Dear Mr. Edington:
By letter dated May 28, 2004, you requested approval to use encryption software for the transmission of Safeguards Information (SGI) for Cooper Nuclear Station. Specifically, you requested approval for the use of Pretty Good Protection (PGP) Software Corporate Desktop Version 8.0 or the latest validated version developed with PGP Software Development Kit (SDK) 3.0.3 for encryption of sensitive unclassified SGI.
Title 10 of the Code of Federal Regulations (10 CFR) Section 73.21(g)(3) states, in part,
. . . Safeguards Information shall be transmitted only by protected telecommunication circuits (including facsimile) approved by the NRC. The Nuclear Regulatory Commission (NRC) considers those encryption systems that the National Institute of Standards and Technology (NIST) has determined conform to the Security Requirements for Cryptographic Modules in Federal Information Processing Standard (FIPS) 140-2, as being acceptable. The Secretary of Commerce has made use of Cryptographic Module Validation Program products mandatory and binding for Federal agencies when a Federal agency determines that cryptography is necessary for protecting sensitive information.
PGP Software Corporate Desktop Version 8.0 was developed with PGP SDK 3.0.3 NIST Certificate, Number 394, validates compliance of this software development tool with FIPS 140-2 requirements. Therefore, the NRC staff finds the use of this encryption software acceptable for processing and transmitting SGI electronically for your site. Later versions of PGP Software Corporate Desktop are also acceptable provided that:
- 1. They were developed using a software development tool e.g., PGP SDK 3.0.3 that meets and is validated by NIST to FIPS 140-2 requirements.
- 2. You notify the NRC of your intention to update your encryption software 30 days prior to its first use. When notifying the NRC, include a description of the new software you will be using and provide a statement indicating NIST certification of the software development tool.
R. K. Edington It is important to remind you that in accordance with 10 CFR 73.21(a), you are required to establish and maintain an information protection system that satisfies 10 CFR 73.21(b) through (i). Compliance with the provisions of 10 CFR 73.21, including the use of encryption software for transmittal of SGI, is mandatory and inspectable. We recognize that you have made a regulatory commitment to implement procedures to control the transmission of SGI.
However, this commitment addresses requirements of 10 CFR 73.21(b) - (i) that are regulatory obligations and not commitments.
Additionally, only one public key is to be generated per site. The PGP file containing the public key must be named according to the following syntax: LastName_FirstName_SiteName.asc.
This naming convention represents the organizational point of contact indicated as owning the key-pair.
As stated in letter dated May 5, 2004, from R. P. Zimmerman, NRC, Office of Nuclear Security and Incident Response, to Stephen D. Floyd, Nuclear Energy Institute (NEI), please provide the public key for transmitting sensitive, unclassified SGI and the point of contact information (name, telephone number and e-mail address) to NEI and the NRC points of contact provided below. Once this information has been provided, we will provide a copy of the NRC public key to your point of contact. All SGI holders must employ an appropriate credentialing process to verify that individuals providing public keys are legitimate users. Private keys must be controlled as SGI.
The NRC point of contact for all transmittals related to the review and approval of the supplemental responses to the security orders is Mr. Bhalchandra K. Vaidya, Project Manager, Security Plan Review Team, Division of Licensing Project Management, who can be reached at (301)415-3308, or via e-mail at bkv@nrc.gov. For transmittal of other SGI, and for public key coordination, the NRC point of contact is Mr. Louis Grosman, Office of the Chief Information Officer, who can be contacted at (301)415-5826, or via e-mail at lhg@nrc.gov. As coordinated with the NEI, the industry point of contact for public key coordination is Mr. James W. Davis, who can be reached at (202)739-8105 and via e-mail at jwd@nei.org.
Encrypted SGI information shall be transmitted as attachments to an e-mail directed to sprt@nrc.gov. The e-mail message must also contain the name of the NRC staff member who is to receive the attachments.
If you have any questions, please contact me at (301)415-3308.
Sincerely,
/RA/
Bhalchandra K. Vaidya, Project Manager Security Plan Review Team Division of Licensing Project Management Office of Nuclear Reactor Regulation Docket No. 50-298 cc: See next page
ML041670676 OFFICE SPRT/PM SPRT/LA NSIR/DNS/SC OCIO/PMAS SPRT/SC NAME BVaidya CHawes SMorris LHGrosman JNakoski:RF for DATE 06/10/04 06/10/04 06/14/04 06/14/04 06/14/04 Cooper Nuclear Station cc: Senior Resident Inspector U.S. Nuclear Regulatory Commission Mr. William J. Fehrman P. O. Box 218 President and Chief Executive Officer Brownville, NE 68321 Nebraska Public Power District 1414 15th Street Regional Administrator, Region IV Columbus, NE 68601 U.S. Nuclear Regulatory Commission 611 Ryan Plaza Drive, Suite 400 Mr. Clay C. Warren Arlington, TX 76011 Vice President of Strategic Programs Nebraska Public Power District Jerry Uhlmann, Director 1414 15th Street State Emergency Management Agency Columbus, NE 68601 P. O. Box 116 Jefferson City, MO 65101 Mr. John R. McPhail, General Counsel Nebraska Public Power District Chief, Radiation and Asbestos P. O. Box 499 Control Section Columbus, NE 68602-0499 Kansas Department of Health and Environment Mr. Paul V. Fleming Bureau of Air and Radiation Licensing Manager 1000 SW Jackson Nebraska Public Power District Suite 310 P.O. Box 98 Topeka, KS 66612-1366 Brownville, NE 68321 Mr. Daniel K. McGhee Mr. Michael J. Linder, Director Bureau of Radiological Health Nebraska Department of Environmental Iowa Department of Public Health Quality 401 SW 7th Street P. O. Box 98922 Suite D Lincoln, NE 68509-8922 Des Moines, IA 50309 Chairman Mr. Scott Clardy, Director Nemaha County Board of Commissioners Section for Environmental Public Health Nemaha County Courthouse P.O. Box 570 1824 N Street Jefferson City, MO 65102-0570 Auburn, NE 68305 Jerry C. Roberts, Director of Nuclear Ms. Cheryl K. Rogers, Program Manager Safety Assurance Nebraska Health & Human Services Nebraska Public Power District System P.O. Box 98 Division of Public Health Assurance Brownville, NE 68321 Consumer Services Section 301 Centennial Mall, South P. O. Box 95007 Lincoln, NE 68509-5007 Mr. Ronald A. Kucera, Director of Intergovernmental Cooperation Department of Natural Resources P.O. Box 176 Jefferson City, MO 65102 June 2004