Request for Approval of the Carolina Power & Light Company and Florida Power Corporation Cyber Security Plan

ML101950043
Person / Time
Site:	Harris, Brunswick, Crystal River, Robinson
Issue date:	07/08/2010
From:	Kamilaris C Progress Energy Co
To:	Document Control Desk, Office of Nuclear Reactor Regulation, Office of Nuclear Security and Incident Response
References
RA-10-011
Download: ML101950043 (21)
v • d • e

Text

SECURITY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390 Pr greIss Energy 10 CFR 73.54 10 CFR 50.90 PO Box 1551 411 Fayetteville Street Mall Raleigh NC 27602 Serial: RA-10-0 11 July 8, 2010 United States Nuclear Regulatory Commission ATTENTION: Document Control Desk Washington, DC 20555-0001 BRUNSWICK STEAM ELECTRIC PLANT, UNIT NOS. I AND 2 DOCKET NOS. 50-325 AND 50-324 / LICENSE NOS. DPR-71 AND DPR-62 SHEARON HARRIS NUCLEAR POWER PLANT, UNIT NO. I DOCKET NO. 50-400 / LICENSE NO. NPF-63 H. B. ROBINSON STEAM ELECTRIC PLANT, UNIT NO. 2 DOCKET NO. 50-261 / LICENSE NO. DPR-23 CRYSTAL RIVER UNIT 3 NUCLEAR GENERATING PLANT DOCKET NO. 50-302 / LICENSE NO. DPR-72

SUBJECT:

REQUEST FOR APPROVAL OF THE CAROLINA POWER & LIGHT COMPANY AND FLORIDA POWER CORPORATION CYBER SECURITY PLAN

REFERENCES:

1. Carolina Power & Light Company letter from Benjamin C. Waldrep to the USNRC Document Control Desk, Request For Approval of the Brunswick Steam Electric Plant, Unit Nos. 1 and 2, Cyber Security Plan, dated November 18, 2009

2. Carolina Power & Light Company letter from Christopher L. Burton to the USNRC Document Control Desk, Request ForApproval of the Shearon HarrisNuclear Power Plant, Unit No. 1, Cyber Security Plan, dated November 19, 2009

3. Carolina Power & Light Company letter from Benjamin C. White to the USNRC Document Control Desk, Request ForApproval of the H. B. Robinson Steam Electric Plant, Unit No. 2, Cyber Security Plan, dated November 23, 2009

4. Florida Power Corporation letter from Jon A. Franke to the USNRC Document Control Desk, Crystal River Unit 3 - Request ForApproval of the Crystal River Unit 3 Cyber Security Plan, dated November 19, 2009

5. USNRC letter from Farideh E. Saba to Michael J. Annacone, Brunswick Steam Electric Plant, Units 1 and 2 - License Amendment Requestfor Approval of the Cyber Security Plan (TAC Nos. ME2664 and ME2665), dated June 7, 2010

6. USNRC letter from Marlayna Vaaler to Christopher L. Burton, Shearon HarrisNuclear Power Plant, Unit I - Initial Review Regarding the License Amendment Request for Approval of the Cyber Security Plan (TA C No. ME2 796), dated May 21, 2010

7. USNRC letter from Tracy J. Orf to Eric McCartney, H. B. Robinson Steam Electric Plant, Unit No. 2 - License Amendment Requestfor Approval of the Cyber Security Plan (TA C No. ME2 746), dated June 9, 2010

8. USNRC letter from Farideh E. Saba to Jon A. Franke, Crystal River Unit 3 - License Amendment Requestfor Approval of the Cyber Security Plan (TAC No. ME2665), dated June 7, 2010 Enclosures 2 and 3 to this letter contain SECURITY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390 Upon removal of Enclosures 2 and 3, this letter is uncontrolled.

United States Nuclear Regulatory Commission RA-10-0 11 Page 2 of 3 Ladies and Gentlemen:

In accordance with the provisions of 10 CFR 50.4 and 50.90, Carolina Power & Light Company (CP&L), now doing business as Progress Energy Carolinas, Inc., and Florida Power Corporation (FPC), now doing business as Progress Energy Florida, Inc., are submitting requests for amendments to the Facility Operating Licenses (FOL) for the above listed facilities.

This proposed amendment requests NRC approval of the CarolinaPower & Light Company and FloridaPower CorporationCyber Security Plan, revisions to the existing FOL Physical Protection license condition for the above listed facilities to fully implement and maintain in effect all provisions of the Commission approved Cyber Security Plan, and the Cyber Security Plan Implementation Schedule.

This amendment request supersedes, in their entirety, the requests made in References 1, 2, 3, and 4. Therefore, CP&L and FPC withdraw the previous requests (i.e., References 1, 2, 3, and 4).

In response to References 5, 6, 7, and 8, CP&L and FPC are submitting a fleet Cyber Security Plan that conforms to the model Cyber Security Plan contained in Appendix A of NEI 08-09, Cyber Security Planfor Nuclear Power Reactors, Revision 6, dated April 2010, with one deviation regarding the definition of Cyber Attack as described in Enclosure 2. provides an evaluation of the proposed change. Enclosure 1 also contains the following attachment:

0 Attachment 1 provides the existing FOL pages marked-up to show the proposed change. provides a copy of the CarolinaPower & Light Company and FloridaPower CorporationCyber Security Plan, Revision 0, which is a standalone document that has been incorporated by reference into the Carolina Power and Light and Florida Power Corporation's Physical Security Plan. Enclosure 2 contains security-related information. provides a copy of the CarolinaPower & Light Company and FloridaPower CorporationCyber Security Plan Implementation Schedule. Enclosure 3 contains security-related information.

CP&L and FPC request that Enclosures 2 and 3, which contain security-related information, be withheld from public disclosure in accordance with 10 CFR 2.390.

In accordance with 10 CFR 50.91(b), a copy of this application, without Enclosures 2 and 3, is being provided to the designated representatives for Florida, North Carolina, and South Carolina.

CP&L and FPC request that the license amendments be effective as of their date of issuance.

Once approved, the amendments will be implemented in accordance with the approved implementation schedule. CP&L and FPC request approval of the proposed license amendments by June 30, 2011.

This letter contains new regulatory commitments as identified in the CarolinaPower & Light Company and FloridaPower CorporationCyber Security Plan Implementation Schedule in .

Enclosures 2 and 3 to this letter contain SECURITY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390 Upon removal of Enclosures 2 and 3, this letter is uncontrolled.

United States Nuclear Regulatory Commission RA-10-01 1 Page 3 of 3 If you should have any questions regarding this submittal, please contact Mr. Brian McCabe, Manager, Nuclear Regulatory Affairs, at (919) 546-4579.

I declare under the penalty of perjury that the foregoing is true and correct. Executed on July 8, 2010.

Sincerely, C. S. Kamilaris Director - Fleet Support Services CSKJdbm

Enclosures:

1. Evaluation of Proposed Change

2. Carolina Power & Light Company and Florida Power Corporation Cyber Security Plan, Revision 0

3. Carolina Power & Light Company and Florida Power Corporation Cyber Security Plan Implementation Schedule c: L. Reyes, USNRC Regional Administrator - Region 11 F. Saba, NRR Project Manager - BSEP, Unit Nos. I and 2; CR3 M. Vaaler, NRR Project Manager - SHNPP, Unit No. 1 T. Orf, NRR Project Manager - HBRSEP, Unit No. 2 USNRC Resident Inspector - BSEP, Unit Nos. I and 2 USNRC Resident Inspector - CR3 USNRC Resident Inspector - SHNPP, Unit No. I USNRC Resident Inspector - HBRSEP, Unit No. 2 State of Florida Contact (w/o Enclosures 2 and 3)

Chair - North Carolina Utilities Commission (w/o Enclosures 2 and 3)

W. L. Cox, I11,Section Chief N.C. DENR (w/o Enclosures 2 and 3)

S. E. Jenkins, Manager, Infectious and Radioactive Waste Management Section (SC)

(w/o Enclosures 2 and 3)

A. Gantt, Chief, Bureau of Radiological Health (SC) (w/o Enclosures 2 and 3)

Attorney General (SC) (w/o Enclosures 2 and 3)

Enclosures 2 and 3 to this letter contain SECURITY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390 Upon removal of Enclosures 2 and 3, this letter is uncontrolled.

United States Nuclear Regulatory Commission Enclosure I to RA-10-0 11 Page 1 of 7 Evaluation of Proposed Change Request for Approval of the Carolina Power & Light Company and Florida Power Corporation Cyber Security Plan 1.0 Summary Description 2.0 Detailed Description 3.0 Technical Evaluation 4.0 Regulatory Evaluation 4.1 Applicable Regulatory Requirements / Criteria 4.2 No Significant Hazards Consideration 4.3 Conclusions 5.0 Environmental Consideration 6.0 Regulatory Commitments 7.0 References ATTACHMENT: - Marked-up Facility Operating License Pages

United States Nuclear Regulatory Commission Enclosure I to RA-l10-0 1 Page 2 of 7 1.0

SUMMARY

DESCRIPTION The license amendment request (LAR) includes the proposed CarolinaPower & Light Company and FloridaPower CorporationCyber Security Plan (Plan), an Implementation Schedule, and a proposed change to the existing Facility Operating License (FOL) physical protection license conditions for Brunswick Steam Electric Plant (BSEP), Unit Nos. I and 2; Crystal River Unit 3. (CR-3); Shearon Harris Nuclear Power Plant, Unit No. 1 (HNP); and H. B.

Robinson Steam Electric Plant (HBRSEP), Unit No. 2.

2.0 DETAILED DESCRIPTION The LAR includes three parts: the proposed CarolinaPower & Light Company and Florida Power CorporationCyber Security Plan, an Implementation Schedule, and a change to the existing FOL physical protection license conditions to require BSEP, Unit Nos. 1 and 2, CR-3, HNP, and HBRSEP, Unit No. 2 to fully implement and maintain in effect all provisions of the Commission approved Cyber Security Plan as required by 10 CFR 73.54.

Existing BSEP FOL Paragraphs 2.D for Unit 1 and 2.C.(6) for Unit 2:

The licensee shallfully implement and maintain in effect all provisionsof the Commission-approvedphysical security, trainingand qualification,and safeguards contingency plans, including amendments made pursuantto provisionsof the MiscellaneousAmendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 2 7817 and 2 7822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The plans, which contain SafeguardsInformationprotected under 10 CFR 73.21, are entitled: "PhysicalSecurity Plan,Revision 2, " and "SafeguardsContingency Plan, Revision 2, "submitted by letter datedMay 17, 2006, and "GuardTrainingand QualificationPlan, Revision 0, "submitted by letter dated September 30, 2004.

Will be revised to read:

'The licensee shallfully implement and maintain in effect all provisions of the Commission-approvedphysical security, trainingand qualification,ad-safeguards contingency, and cyber securityplans, including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The physical securioy, trainingand qualification,and safeguards contingency plans, which contain Safeguards Informationprotected under 10 CFR 73.21, are entitled.: "PhysicalSecurity Plan, Revision 2, "and "SafeguardsContingency Plan, Revision 2, "submitted by letter dated May 17, 2006, and "GuardTraining and QualificationPlan, Revision 0, "submitted by letter dated September 30, 2004. The cyber security plan, which contains security-relatedinformation withheld from public disclosure under 10 CFR 2.390, is entitled: "Carolina Power & Light Company and FloridaPower CorporationCyber Security Plan,Revision 0, "submitted by letter dated July 8. 2010.

Existing CR-3 FOL Paragraph 2.D:

The licensee shallfully implement and maintain ineffect all provisionsof the Commission-approvedphysical security, training andqualification,and safeguards contingency plans including amendments made pursuant to provisions of the

United States Nuclear Regulatory Commission Enclosure I to RA-10-0 11 Page 3 of 7 Miscellaneous Amendments and Search Requirements revisionsto 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90,and 10 CFR 50.54(p). The plans, which contain Safeguards Informationprotected under 10 CFR 73.21, are entitled.- "PhysicalSecurity Plan, Revision 5, "and "SafeguardsContingency Plan, Revision 4, "submitted by letter datedMay 16, 2006, and "GuardTrainingand QualificationPlan, Revision 0, "submitted by letter dated September 30, 2004, as supplemented by letters dated October 20, 2004, and September 29, 2005.

Will be revised to read:

The licensee shallfully implement and maintain in effect all provisions of the Commission-approvedphysical security, trainingand qualification,eH*d safeguards contingency-phAce, and cyber security plans, including amendments made pursuantto provisions of the MiscellaneousAmendments andSearch Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authorityof 10 CFR 50.90 and I0 CFR 50.54(p). The physical security, trainingand qualification,and safeguards contingencyplans, which contain SafeguardsInformationprotectedunder 10 CFR 73.21, are entitled. "PhysicalSecurity Plan,Revision 5, '"and "SafeguardsContingency Plan, Revision 4, "submitted by letter dated May 16, 2006, and "GuardTrainingand QualificationPlan, Revision 0, "submitted by letter dated September 30, 2004, as supplemented by letters dated October 20, 2004, and September 29, 2005. The cyber security plan, which contains security-relatedinformation withheld from public disclosure under 10 CFR 2.390, is entitled: "CarolinaPower & Light Companv and FloridaPower CorporationCyber Security Plan,Revision 0, "submitted by letter dated July 8, 2010.

Existing HNP FOL Paragraph 2.E:

The licensee shallfully implement and maintain in effect all provisions of the Commission-approvedphysical security, trainingand qualification,and safeguards contingencyplans includingamendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The plans, which contain Safeguards Informationprotected under 10 CFR 73.21, are entitled.&

"GuardTraining and QualificationPlan'" submitted by letter dated October 19, 2004, "PhysicalSecurity Plan" and "Safeguards Contingency Plan" submitted by letter dated October 19, 2004 as supplemented by letter dated May 16, 2006.

Will be revised to read:

The licensee shallfully implement and maintain in effect all provisions of the Commission-approvedphysical security, trainingand qualification,and safeguards contingency-pk-, and cyber security plans, including amendments made pursuant to provisions of the MiscellaneousAmendments andSearch Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The physical security, trainingand qualification,and safeguards contingency.

plans, which contain SafeguardsInformationprotected under 10 CFR 73.21, are entitled.- "GuardTrainingand QualificationPlan" submitted by letter dated October 19, 2004, "PhysicalSecurity Plan" and "Safeguards Contingency Plan" submitted by letter dated October 19, 2004 as supplemented by letter dated May 16,

United States Nuclear Regulatory Commission Enclosure I to RA-10-011 Page 4 of 7 2006. The cyber security plan, which contains security-relatedinformation withheld from public disclosure under 10 CFR 2.390, is entitled: "CarolinaPower & Light Company and FloridaPower CorporationCyber Security Plan,Revision 0, "submitted by letter datedJuly 8, 2010.

Existing HBRSEP, Unit No. 2, FOL Paragraph 3.F:

The licensee shallfully implement and maintain in effect all provisionsof the Commission-approvedphysical security, trainingand qualification,and safeguards contingencyplans including amendments made pursuant to provisionsof the MiscellaneousAmendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set ofplans, which contains SafeguardsInformationprotected under 10 CFR 73.21, is entitled. "H. B. Robinson Steam Electric PlantSecurity, Trainingand Qualification,and Safeguards Contingency Plan,Revision 0" submitted by letter dated October 1, 2004, as supplemented by letter dated October 20, 2004.

Will be revised to read:

The licensee shallfully implement and maintain in effect all provisions of the Commission-approvedphysical security, trainingand qualification,affd safeguards contingency-piano. and cyber security plans, including amendments made pursuant to provisionsof the MiscellaneousAmendments andSearch Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of physical security, trainingand qualification,and safeguards contingency plans, which contains SafeguardsInformationprotected under 10 CFR 73.21, is entitled.: "H. B. Robinson Steam Electric PlantSecurity, Trainingand Qualification,and Safeguards Contingency Plan,Revision 0" submitted by letter dated October 1, 2004, as supplemented by letter dated October 20, 2004. The cyber security plan, which contains security-relatedinformationwithheld from public disclosure under 10 CFR 2.390, is entitled.: "CarolinaPower & Light Company and FloridaPower CorporationCyber Security Plan,Revision 0, "submitted by letter datedJuly 8, 2010.

FederalRegister notice 74 FR 13926 issued the final rule that amended 10 CFR Part 73. The regulations in 10 CFR 73.54, "Protection of digital computer and communication systems and networks," establishthe requirements for a Cyber Security Program. This regulation specifically requires each licensee currently licensed to operate a nuclear power plant under 10 CFR Part 50 to submit a Cyber Security Plan that satisfies the requirements of the Rule. Each submittal must include a proposed implementation schedule and implementation of the licensee's Cyber Security Program must be consistent with the approved schedule. The background for this application is addressed by the NRC Notice of Availability published on March 27, 2009, 74 FR 13926 (Reference 1).

3.0 TECHNICAL EVALUATION

FederalRegister notice 74 FR 13926 issued the final rule that amended 10 CFR Part 73. Cyber Security requirements are codified as new 10 CFR 73.54 and are designed to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks up to and including the design basis threat established by 10 CFR 73. l (a)(1)(v). These requirements are substantial improvements upon the requirements

United States Nuclear Regulatory Commission Enclosure I to RA-l10-01 Page 5 of 7 imposed by EA-02-026 (Reference 2).

This LAR includes the proposed Plan (Enclosure 2) that conforms to the template provided in NEI 08-09, Revision 6, with one deviation regarding the definition of Cyber Attack. In addition, the LAR includes the proposed change to the existing FOLs license condition for "Physical Protection" (Attachment 1). Finally, the LAR contains the proposed Implementation Schedule (Enclosure 3) as required by 10 CFR 73.54.

4.0 REGULATORY EVALUATION

4.1 APPLICABLE REGULATORY REQUIREMENTS / CRITERIA This LAR is submitted pursuant to 10 CFR 73.54 which requires licensees currently licensed to operate a nuclear power plant under 10 CFR Part 50 to submit a Cyber Security Plan as specified in 10 CFR 50.4 and 10 CFR 50.90.

4.2 NO SIGNIFICANT HAZARDS CONSIDERATION Carolina Power & Light Company (CP&L) and Florida Power Corporation (FPC) have evaluated the proposed changes using the criteria in 10 CFR 50.92 and have determined that the proposed changes do not involve a significant hazards consideration. An analysis of the issue of no significant hazards consideration is presented below.

The proposed change incorporates a new requirement into the FOLs to implement and maintain a Cyber Security Plan. This new requirement is being included as part of an existing FOL condition that requires the implementation and maintenance of physical security, training and qualification, and safeguards contingency plans. The Cyber Security Plan describes how the requirements of 10 CFR 73.54 will be implemented in order to protect the health and safety of the public from radiological sabotage as a result of a cyber attack threat described in 10 CFR 73.1. The plan conforms to the template provided in NEI 08-09, Revision 6, with one deviation regarding the definition of Cyber Attack, and provides a description of how the requirements of 10 CFR 73.54 will be implemented at Brunswick Steam Electric Plant (BSEP), Unit Nos. I and 2; Crystal River Unit 3 (CR-3); Shearon Harris Nuclear Power Plant, Unit No. 1 (HNP);

and H. B. Robinson Steam Electric Plant (HBRSEP), Unit No. 2. The Cyber Security Plan establishes the licensing basis for the Cyber Security Program for BSEP, Unit Nos. 1 and 2; CR-3; HNP; and HBRSEP, Unit No. 2. The Cyber Security Plan establishes how to achieve high assurance that nuclear power plant digital computer and communication systems and networks associated with the following are adequately protected against cyber attacks, up to and including the design basis threat:

1. Safety-related and important-to-safety functions,

2. Security functions,

3. Emergency preparedness functions including offsite communications, and

4. Support systems and equipment which if compromised, would adversely impact safety, security, or emergency preparedness functions.

Criterion1: The proposedchange does not involve a significant increase in the probabilityor consequences of an accidentpreviously evaluated.

The proposed change incorporates a new requirement, in the FOL, to implement and maintain a Cyber Security Plan as part of the facility's overall program for physical

United States Nuclear Regulatory Commission Enclosure I to RA-10-0 11 Page 6 of 7 protection. The Cyber Security Plan itself does not require any plant modifications. Rather, the Cyber Security Plan describes how the requirements of 10 CFR 73.54 are implemented in order to identify, evaluate, and mitigate cyber attacks up to and including the design basis threat, thereby achieving high assurance that the facility's digital computer and communications systems and networks are protected from cyber attacks. The proposed change requiring the implementation and maintenance of a Cyber Security Plan does not alter the plant configuration, require new plant equipment to be installed, alter accident analysis assumptions, add any accident initiators, or affect the function of plant systems or the manner in which systems are operated, maintained, modified, tested, or inspected; therefore, the inclusion of the Cyber Security Plan as a part of the facility's other physical protection programs specified in the FOL has no impact on the probability or consequences of an accident previously evaluated.

Criterion2: The proposed change does not create the possibility of a new or different kind of accidentfrom any accidentpreviously evaluated.

The proposed change incorporates a new requirement, in the FOL, to implement and maintain a Cyber Security Plan as part of the facility's overall program for physical protection. The creation of the possibility of a new or different kind of accident requires creating one or more new accident precursors. New accident precursors may be created by modifications of the plant's configuration, including changes in the allowable modes of operation. The Cyber Security Plan itself does not require any plant modifications, nor does the Cyber Security Plan affect the control parameters governing unit operation or the response of plant equipment to a transient condition. Because the proposed change does not change or introduce any new equipment, modes of system operation, or failure mechanisms, no new accident precursors are created. Therefore, the proposed change does not create the possibility of a new or different kind of accident from any accident previously evaluated.

Criterion3: The proposedchange does not involve a significant reduction in a margin of safety.

The proposed change incorporates a new requirement, in the FOL, to implement and maintain a Cyber Security Plan as part of the facility's overall program for physical protection. Plant safety margins are established through Limiting Conditions for Operation, Limiting Safety System Settings and Safety Limits specified in the Technical Specifications.

Because the Cyber Security Plan does not require any plant modifications and does not alter the operation of plant equipment, the proposed change does not change established safety margins. Therefore, the proposed change does not involve a significant reduction in a margin of safety.

4.3 CONCLUSION

S Based on the above, CP&L and FPC conclude that the proposed change presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and accordingly, a finding of no significant hazards consideration is justified.

5.0 ENVIRONMENTAL CONSIDERATION

The proposed amendment establishes the licensing basis for a Cyber Security Program for BSEP, Unit Nos. 1 and 2; CR-3; HNP; and HBRSEP, Unit No. 2 by incorporating a new

United States Nuclear Regulatory Commission Enclosure I to RA-l10-0 1 Page 7 of 7 requirement into the FOL to implement and maintain a Cyber Security Plan. Incorporation of the Cyber Security Plan into the FOL, as part of the consolidated security plans, meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(12). Therefore, in accordance with 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with issuance of the amendment.

6.0 REGULATORY COMMITMENTS The Carolina Power & Light Company and Florida Power Corporation Cyber Security Plan will be implemented in accordance with the implementation schedule provided in Enclosure 3 and be fully implemented by June 30, 2014, or three years after NRC approval of the Cyber Security Plan, whichever is later.

7.0 REFERENCES

1. Federal Register Notice, Final Rule 10 CFR Part 73, Power Reactor Security Requirements, published on March 27, 2009, 74 FR 13926.

2. EA-02-026, Interim CompensatoryMeasures (JCM)Order, issued February 25, 2002.

3. Nuclear Energy Institute (NEI) 08-09, Revision 6, Cyber Security Planfor Nuclear Power Reactors.

United States Nuclear Regulatory Commission , Attachment I to RA- 10-0 11 Enclosure 1, Attachment 1 Marked-up Facility Operating License Pages

United States Nuclear Regulatory Commission , Attachment I to RA-10-01 1 Enclosure 1, Attachment 1 Marked-up Facility Operating License Pages Carolina Power & Light Company - Brunswick Steam Electric Plant, Unit No. 1

at the end of the first surveillance interval that begins on the date the Surveillance was last performed prior to implementation of Amendment 203.

(a) Effective June 30, 1982, the surveillance requirements listed below need not be completed until July 15, 1982. Upon accomplishment of the surveillances, the provisions of Technical Specification 4.0.2 shall apply.

Specification 4.3.3.1, Table 4.3.3-1, Items 5.a and 5.b (b) Effective July 1, 1982, through July 8, 1982, Action statement "a" Technical Specification 3.8.1.1 shall read as follows:

ACTION:

a. With either one offsite circuit or one diesel generator of the above required A.C. electrical power sources inoperable, demonstrate the OPERABILITY of the remaining A.C.

sources by performing Surveillance Requirements 4.8.1.1.1 .a and 4.8.1.1.2.a.4 within two hours and at least once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> thereafter; restore at least two offsite circuits and four diesel generators to physical security, training and OPERABLE status within 7 days or be in at least HOT qualification, and safeguards contingency SHUTDOWN within the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and in COLD SHUTDOWN within-the following 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

and cyber security 3) Deleted by Am dment No. 206.

D. The licensee shall f imp ent and maintain in effect all provisions of the Commission-approve hysic security, training and qualification, a44-safeguards contingency plans, in uding amendments made pursuant to provisions of the Miscellaneous Am dments and Search Requirements revisions to 10 CFR 73.55 (51 FR 278 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The plans, which contain Safeguards Information protected under 10 CFR 73.21 are entitled: "Physical Security Plan, Revision 2," and "Safeguards Contingency Plan, Revision 2," submitted by letter dated May 17, 2006, and "Guard Training and Qualification Plan, Revision 0,"

submitted by letter dated September 30, 2004.

E. This license is subject to the following additional onditions for the protection of the environment:

a. Deleted per Amendment 54, 3-11-83

b. Deleted per Amendm ent 54, 3-11-83

c. The licensee shall comply with the effluent Ii itations contained in National Pollutant Discharge Elimination Syst m Permit No. NC0007064 The cyber security plan, which contains security-related information Renewed License No. DPR-71 withheld from public disclosure under 10 CFR 2.390, is entitled: Revision 2-24/10 "Carolina Power & Light Company and Florida Power Corporation Cyber Security Plan, Revision 0," submitted by letter dated July 8, 2010.

United States Nuclear Regulatory Commission , Attachment I to RA- 10-0 11 Enclosure 1, Attachment 1 Marked-up Facility Operating License Pages Carolina Power & Light Company - Brunswick Steam Electric Plant, Unit No. 2

physical security, training and qualification, and safeguards contingency (4) Eaualizer Valve Restrictic nJI The valves in the equalizer piping between the recirculation loops shall be closed at all times during reactor operation, except for one bypass valve which is left open to prevent pressure build-up due to ambient and conduction heating of the water between the equalizer valves.

(5) Deleted by Amendment No. 233. and cyber security (6) The licensee shall fully impleme t and maintain in effect all provisi ns of the Commission-approved p sical security, training and qualific tion, a44-safeguards contingency plans, including amendments ma pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 an 7822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The plans, which contain Safeguards Information protected under 10 CFR 73.21, are entitled: "Physical Security Plan, Revision 2," and "Safeguards Contingency Plan, Revision 2," submitted by letter dated May 17, 2006, and "Guard Training and Qualification Plan, Revision 0," submitted by letter dated September 30, 2004.

D. This license is subject to the following addi ional conditions for the protection of the environment:

a. Deleted per Amendment 79, 3-11-8

b. Deleted per Amendment 79, 3-11-83

c. Deleted per Amendment 79, 3-11-83

d. The licensee shall comply with the e ent limitations contained in National Pollutant Discharge Eliminati n System Permit No. NC0007064 issued pursuant to Section 402 of the ederal Water Pollution Control Act, as amended.

E. This license is effective as of the date of issua ce and shall expire at midnight on December 27, 2034.

F. Deleted per Amendment No. 98 dated 5-25-84.

G. Deleted per Amendment No. 98 dated 5-25-84.

H. Deleted by Amendment No. 236.

1. Power Uprate License Amendment Implementati n The licensee shall complete the following actions lsa condition of the approval of the power uprate license amendment (Amend nt No. 214):

The cyber security plan, which contains security-related information withheld from public disclosure under 10 CFR 2.390, is entitled: "Carolina Power & Light Company and Florida Power Corporation Cyber Security Plan, Revision 0," submitted by letter dated July 8, 2010.

Renewed License No. DPR-62 Revision 2-24-1-0

United States Nuclear Regulatory Commission , Attachment I to RA-10-0 11 Enclosure 1, Attachment 1 Marked-up Facility Operating License Pages Carolina Power & Light Company - Shearon Harris Nuclear Power Plant, Unit No. 1

an ,yb , physical security, training ar tybea - 8s- and qualification, and pns, safeguards contingency E. Physical Security (Section 13.6.2.10)

The licensee shall fully impl ment and m intain in effect all provisions of the Commission-approved physi I securit, training and qualification, aPd safeguards contingency includi amendments made pursuant to provisions of the Miscellaneous Am /ndments and Search Requirements revisions to 10 CFR 73.55 (51 F 7817 and 27822) and the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The plans, which contain Safeguards Information protected under 10 CFR 73.21, are entitled: "Guard Training and Qualification Plan" submitted by letter dated October 19, 2004, "Physical Security Plan" and "Safeguards Contingency Plan" submitted by letter dated October 19, 2004 as supplemented by letter dated May 16, 2006.

F. Fire Protection Program (Section 9.5.1)

Carolina Power & Light Company shall impl ment and maintain in effect all provisions of the approved fire protection p gram as described in the Final Safety Analysis Report for the facility as a ended and as approved in the Safety Evaluation Report (SER) dated November 983 (and Supplements 1 through 4),

and the Safety Evaluation dated January 2, 1987, subject to the following provision below.

The licensees may make changes to the pproved fire protection program without prior approval of the Commissio only if those changes would not adversely affect the ability to achieve an maintain safe shutdown in the event of a fire.

G. Reporting to the Commission Except as otherwise provided in the T chnical Specifications or Environmental Protection Plan, Carolina Power & Lig t Company shall report any violations of the requirements contained in Sectio' 2.C of this license in the following manner:

initial notification shall be made withi twenty-four (24) hours to the NRC Operations Center via the Emergen Notification System with written follow-up within 30 days in accordance with th procedures described in 10 CFR 50.73 (b),

(c) and (e).

H. The licensees shall have and main ain financial protection of such type and in such amounts as the Commission hall require in accordance with Section 170of the Atomic Energy Act of 1954, as amended, to cover public liability claims.

The cyber security plan, which contains security-related information withheld from public disclosure under 10 CFR 2.390, is entitled: "Carolina Power &

Light Company and Florida Power Corporation Cyber Security Plan, Revision 0," submitted by letter dated July 8, 2010.

Renewed License No. NPF-63 Amendment No. 4-28

United States Nuclear Regulatory Commission , Attachment 1 to RA- 10-011 Enclosure 1, Attachment 1 Marked-up Facility Operating License Pages Carolina Power & Light Company - H. B. Robinson Steam Electric Plant, Unit No. 2

4-C. Reports Carolina Power & Light Company shall make certain reports in accordance with the,requiements of the Technical Specifications.

D. Records Carolina Power & Light Company shall keep facility operating records in accordance with the, requirements of the Technical Specifications.

E. Fire Protection Program Carolina Power & Company shall implement and maintain in effect all provisions of the approved Fire Protection Program as descrbed in the Updated Final Safety Analysis Report for the facility and as appjroved in the Fire Protection Safety Evaluation Report dated February 28, 1978, and supplements thereto.. Carolina Power & Light Company may- make changes to the ,approved Fire Protection Program Without prior approval of the Commission :only if those changes Would not adversely affect the ability to achieve and maintain safe shutdown in the eVent of ,a fire.

F. PhysicalPr6tdction , and cyber security plans, The licensee, shall fullVi implement and maintain in effect all provisions, of-the Commissionwapprovedcphyskial securit training and qualification;, mi safeguardý contingencY r6mzincldding amendments made pursuant to provisions of the Miscellaneous Amendments and, Search Requirements revisions-to. 10 CFRk73.55 (51 FR 27817 and 27822),and the authouity of 10 CFR 50.90 and 10 CFR, 50.54(p). Te 'combined' et ofitanS, which contains Safeguards Information protected under 10 CFR'73.21, is entitled; "H. B.

Robinson Steam Electric Plant Security,. Training and Qualification, and Safeguards Contingency Plan; Revision 0" submitted by, letter dated October 1; 2004', as supplemented by letter dated October'20, 2004. 4 G. The, foll'owing programs shali be impl emenrted a-nd mnaintained by the licensee:'

(1) LD(ELETED The cyber security plan, which contains security-related information withheld from public disclosure under 10 CFR 2.390, is entitled: "Carolina Power & Light Company and Florida Power Corporation Cyber Security Plan, Revision 0," submitted by letter dated July 8, 2010.

physical security, training and qualification, and safeguards contingency Renewed Facility Operating. License No. DPR-23 Amendment No 94-

United States Nuclear Regulatory Commission , Attachment I to RA-10-011 Enclosure 1, Attachment 1 Marked-up Facility Operating License Pages Florida Power Corporation - Crystal River Unit 3

- 5d-2.D Mitigation Strategy License Condition The licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, aitd safeguards contingency plaes, and cyber security plans, including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The physical security, training and qualification, and safeguards contingency plans, which contain Safeguards Information protected under 10 CFR 73.21, are entitled: "Physical Security Plan, Revision 5," and "Safeguards Contingency Plan, Revision 4," submitted by letter dated May 16, 2006, and "Guard Training and Qualification Plan, Revision 0,"

submitted by letter dated September 30, 2004, as supplemented by letters dated October 20, 2004, and September 29, 2005. The cyber security plan, which contains security-related information withheld from public disclosure under 10 CFR 2.390, is entitled: "Carolina Power & Light Company and Florida Power Corporation Cyber Security Plan, Revision 0," submitted by letter dated July 8, 2010.

Amendment No. 23.6