ML101190371

Cyber Attack Definition Issue, NRC Review and Approval of NEI 08-09, Rev 6
ML101190371
Person / Time
Issue date: 05/05/2010
From: Correia R
NRC/NSIR/DSP/RSRLB
To: Roe J
Nuclear Energy Institute
Coflin Monika 415-6659


Text

May 5, 2010

Mr. Jack Roe, Director
Nuclear Energy Institute
1776 I Street, NW, Suite 400
Washington, DC 20006

SUBJECT: NUCLEAR ENERGY INSTITUTE 08-09, CYBER SECURITY PLAN TEMPLATE, REV. 6

Dear Mr. Roe:

In your letter dated April 28, 2010, you requested that the U.S. Nuclear Regulatory Commission's (NRC) staff review and approve by letter the Nuclear Energy Institute (NEI) 08-09, Cyber Security Plan Template, Rev. 6, stating that NEI 08-09, Rev. 6, (1) resolves all generic Requests for Information (RAIs), (2) is an approved method to meet the requirements of Title 10 of the Code of Federal Regulations (10 CFR) 73.54 and will be endorsed in the next revision to Regulatory Guide (RG) 5.71, and (3) should be used by licensees to submit revised cyber security plans that will supersede those plans previously submitted based on NEI 08-09, Revision 3. This letter is a partial response to your request; items (1) and (3) will be addressed as part of the licensing process.

The NRC staff met with NEI and industry representatives on several occasions to discuss the current NEI document, NEI 08-09, Rev. 6. Based on a technical review of the document, the NRC staff concludes that submission of a cyber security plan using the template provided in NEI 08-09, Rev. 6 dated April 2010, would be acceptable for use by licensees to comply with the requirements of 10 CFR 73.54 with the exception of the definition of cyber attack.

The definition of cyber attack that the NRC would find acceptable and as stated in RG 5.71 is as follows: The manifestation of either physical or logical (i.e., electronic or digital) threats against computers, communication systems, or networks that may (1) originate from either inside or outside the licensee's facility, (2) have internal and external components, (3) involve physical or logical threats, (4) be directed or non-directed in nature, (5) be conducted by threat agents having either malicious or non-malicious intent, and (6) have the potential to result in direct or indirect adverse effects or consequences to critical digital assets or critical systems. This includes attempts to gain unauthorized access to a Critical Digital Asset (CDA) and/or Critical System (CS) services, resources, or information, attempt to compromise a CDA and/or CS's integrity, availability, or confidentiality or the attempt to cause an adverse impact to a Safety, Security, and Emergency Preparedness (SSEP) function. Further background on cyber attacks which are up to and including the Design Basis Threat (DBT), can be found in Sections 1.1(c), 1.2, and 1.5 of Regulatory Guide 5.69, and the cyber attack may occur individually or in any combination. Licensees that submit a Cyber Security Plan using the NEI 08-09, Rev. 6 template can expect to see an RAI about the difference between the NEI and NRC definition of cyber attack.

Formal endorsement of NEI 08-09, Rev. 6 is planned in a future regulatory guide. We wish to note that NEI 08-09, Rev. 6 does not preclude licensees from incorporating additional security measures to address site-specific issues.

Should you or your staff have any questions, please contact Craig Erlanger at (301) 415-5374 or Eric Lee at (301) 415-8099.

Sincerely,

/RA/

Richard P. Correia, Director
Division of Security Policy
Office of Nuclear Security and Incident Response

DISTRIBUTION: DSP r/f

ADAMS ACCESSION NO.: ML101190371

OFFICE: ISCPB/NSIR/DSP ISCPB/NSIR/DSP DD/DDRS/NSIR DSP/NSIR
NAME: M. Coflin C. Erlanger For /RA/ S. Morris R. Correia P. Pederson
DATE: 5/3/10 5/3/10 5/03/10 5/5/10

OFFICIAL RECORD COPY