ML041680487
| ML041680487 | |
| Person / Time | |
|---|---|
| Site: | Grand Gulf, Arkansas Nuclear, River Bend, Waterford  |
| Issue date: | 06/14/2004 |
| From: | Bhalchandra Vaidya NRC/NRR/DLPM |
| To: | Burford F Entergy Operations |
| vaidya B, NRR/DLPM, 415-3308 | |
| References | |
| TAC MC3300, TAC MC3301, TAC MC3302, TAC MC3303, TAC MC3304 | |
| Download: ML041680487 (3) | |
Text
June 14, 2004 Mr. F. G. Burford Acting Director, Nuclear Safety & Licensing Entergy Operations, Inc.
1340 Echelon Parkway Jackson, MS 39213-8298
SUBJECT:
ARKANSAS NUCLEAR ONE, UNITS 1 AND 2, GRAND GULF NUCLEAR STATION, UNIT 1, RIVER BEND STATION, UNIT 1, AND WATERFORD STEAM ELECTRIC GENERATING STATION, UNIT 3 - USE OF ENCRYPTION SOFTWARE FOR SECURE TRANSMISSION OF SAFEGUARDS INFORMATION (TAC NOS. MC3300, MC3301, MC3302, MC3303, AND MC3304)
Dear Mr. Burford:
By letter dated May 25, 2004, you requested approval to use encryption software for the transmission of Safeguards Information (SGI) for Arkansas Nuclear One, Units 1 and 2, Grand Gulf Nuclear Station, Unit 1, River Bend Station, Unit 1, Waterford Steam Electric Generating Station, Unit 3. Specifically, you requested approval for the use of Pretty Good Protection (PGP) Software (Enterprise, Corporate, or Personal) Desktop Version 8.0 or the latest validated version developed with PGP Software Development Kit (SDK) 3.0.3 for encryption of sensitive unclassified SGI.
Title 10 of the Code of Federal Regulations (10 CFR) Section 73.21(g)(3) states, in part,
... Safeguards Information shall be transmitted only by protected telecommunication circuits (including facsimile) approved by the NRC. The Nuclear Regulatory Commission (NRC) considers those encryption systems that the National Institute of Standards and Technology (NIST) has determined conform to the Security Requirements for Cryptographic Modules in Federal Information Processing Standard (FIPS) 140-2, as being acceptable. The Secretary of Commerce has made use of Cryptographic Module Validation Program products mandatory and binding for Federal agencies when a Federal agency determines that cryptography is necessary for protecting sensitive information.
PGP Software Corporate Desktop Version 8.0 was developed with PGP SDK 3.0.3. NIST Certificate, Number 394, validates compliance of this software development tool with FIPS 140-2 requirements. Therefore, the NRC staff finds the use of this encryption software acceptable for processing and transmitting SGI electronically for your site. Later versions of PGP Software Corporate Desktop are also acceptable provided that:
- 1.
They were developed using a software development tool i.e., PGP SDK 3.0.3 that meets and is validated by NIST to FIPS 140-2 requirements.
F. G. Burford 2.
You notify the NRC of your intention to update your encryption software 30 days prior to its first use. When notifying the NRC, include a description of the new software you will be using and provide a statement indicating NIST certification of the software development tool.
It is important to remind you that in accordance with 10 CFR 73.21(a), you are required to establish and maintain an information protection system that satisfies 10 CFR 73.21(b) through (i). Compliance with the provisions of 10 CFR 73.21, including the use of encryption software for transmittal of SGI, is mandatory and inspectable. We recognize that you have made a regulatory commitment to implement procedures to control the transmission of SGI.
However, this commitment addresses requirements of 10 CFR 73.21(b) - (i) that are regulatory obligations and not commitments.
Additionally, only one public key is to be generated per site. The PGP file containing the public key must be named according to the following syntax: LastName_FirstName_SiteName.asc.
This naming convention represents the organizational point of contact indicated as owning the key-pair.
As stated in letter dated May 5, 2004, from R. P. Zimmerman, NRC, Office of Nuclear Security and Incident Response, to Stephen D. Floyd, Nuclear Energy Institute (NEI), please provide the public key for transmitting sensitive, unclassified SGI and the point of contact information (name, telephone number and e-mail address) to NEI and the NRC points of contact provided below. Once this information has been provided, we will provide a copy of the NRC public key to your point of contact. All SGI holders must employ an appropriate credentialing process to verify that individuals providing public keys are legitimate users. Private keys must be controlled as SGI.
The NRC point of contact for all transmittals related to the review and approval of the supplemental responses to the security orders is Mr. Bhalchandra K. Vaidya, Project Manager, Security Plan Review Team, Division of Licensing Project Management, who can be reached at (301) 415-3308, or via e-mail at bkv@nrc.gov. For transmittal of other SGI, and for public key coordination, the NRC point of contact is Mr. Louis Grosman, Office of the Chief Information Officer, who can be contacted at (301)415-5826, or via e-mail at lhg@nrc.gov. As coordinated with the NEI, the industry point of contact for public key coordination is Mr. James W. Davis, who can be reached at (202)739-8105 and via e-mail at jwd@nei.org.
F. G. Burford Encrypted SGI information shall be transmitted as attachments to an e-mail directed to sprt@nrc.gov. The e-mail message must also contain the name of the NRC staff member who is to receive the attachments.
If you have any questions, please contact me at (301)415-3308.
Sincerely,
/RA/
Bhalchandra K. Vaidya, Project Manager Security Plan Review Team Division of Licensing Project Management Office of Nuclear Reactor Regulation Docket Nos. 50-313, 50-368, 50-416, 50-382, and 50-458 cc: See next page
ML OFFICE SPRT/PM SPRT/LA NSIR/DNS/SC OCIO/PMAS SPRT/SC NAME BVaidya CHawes SMorris LHGrosman Jnakoski:RF for DATE 06/10/04 06/10/04 06/14/04 06/14/04 06/14/04