Letter Sequence Draft RAI |
|---|
|
|
MONTHYEARML1020800392010-07-22022 July 2010
Withdrawal and Resubmittal of Cyber Security Plan, Amendment Application Numbers 257 and 243, Proposed Change Number NPF-10/15-595, Rev. 1
Project stage: Request
ML1022405522010-08-12012 August 2010
Acceptance Review Email, License Amendment Request for Cyber Security Plan
Project stage: Acceptance Review
ML1106006612011-03-0101 March 2011
Draft Generic Request for Additional Information, License Amendment Request to Revise License Condition and Approve Cyber Security Plan
Project stage: Draft RAI
ML1106006502011-03-0101 March 2011
Email, Draft Generic Request for Additional Information, License Amendment Request to Revise License Condition and Approve Cyber Security Plan
Project stage: Draft RAI
2010-08-12
[Table View] |
|
|---|
Category:Request for Additional Information (RAI)
MONTHYEARML21117A3492021-03-30030 March 2021
March 30, 2021, Email from Public Watchdogs on Providing New Information to Its October 13, 2020, 2.206 Petition
ML21068A2722021-03-0909 March 2021
SONGS Endangered Species Act Additional Information Request
ML20343A1292020-12-0808 December 2020
NRR E-mail Capture - Request for Additional Information
ML18193A2002018-07-19019 July 2018
SONGS ISFSI Only Dqap RAI
ML15083A4552015-03-27027 March 2015
and Independent Spent Fuel Storage Installation - Request for Additional Information Decommissioning Quality Assurance Program Review
ML15071A1842015-03-19019 March 2015
Independent Spent Fuel Storage Installation - Request for Additional Information Regarding the 10 CFR 50.54(p) Changes to the Security Plans
ML15042A3942015-01-23023 January 2015
NRR E-mail Capture - SONGS - Draft RAI Permanently Defueled Technical Specifications License Amendment Request
ML15033A0522014-12-11011 December 2014
NRR E-mail Capture - SONGS - Draft RAI Permanently Defueled Technical Specifications License Amendment Request
ML14248A5902014-09-18018 September 2014
Independent Spent Fuel Storage Installation - Request for Additional Information, Amendment Request to Revise Emergency Plan to Support Permanently Defueled Condition
ML14248A5602014-09-18018 September 2014
Independent Spent Fuel Storage Installation - Request for Additional Information, Amendment Request to Revise Emergency Action Level Scheme to Support Permanently Defueled Condition
ML14258A0172014-09-11011 September 2014
NRR E-mail Capture - SONGS - Revised Draft RAI Concerning TS Section 5 Administrative Controls License Amendment Request (TACs MF2954 and MF2955)
ML14209A0052014-08-27027 August 2014
Request for Additional Information, Exemption Request from 10 CFR 50.47 and 10 CFR Part 50 Appendix E, Discontinue Offsite Emergency Planning Activities and Reduce Scope of Onsite Emergency Planning (TAC MF3835-MF3837)
ML14139A4782014-06-0505 June 2014
Request for Additional Information, License Amendment Request to Revise Technical Specifications 5.1, 5.2, and 5.3 to Reflect Reduced Staffing/Training in Permanently Shutdown and Defueled Condition
ML14093A6772014-05-0101 May 2014
SONGS - Request for Additional Information Concerning Pre-Emption Authority
ML13352A0912013-12-30030 December 2013
Decommissioning Funding Status Report - Request for Additional Information
ML13191A8372013-09-12012 September 2013
Request for Additional Information, Review of Decommissioning Funding Status Report
ML13154A4312013-06-0404 June 2013
Rai'S Following Ifib Analysis of Edison'S 2013 Decommissioning Funding Status Report for San Onofre Units 2 and 3
ML13113A2562013-05-10010 May 2013
Request for Additional Information No. 73 Regarding Response to Confirmatory Action Letter
ML13072A0542013-03-18018 March 2013
Redacted, Request for Additional Information, Nos. 33-67, Southern California Edison'S Response to Nrc'S Confirmatory Action Letter
ML13074A6872013-03-15015 March 2013
Email, Draft Request for Additional Information, Nos. 68-72, Southern California Edison'S Response to Nrc'S Confirmatory Action Letter
ML13053A1842013-02-21021 February 2013
Draft Request for Additional Information, Nos. 53-67, Southern California Edison'S Response to Nrc'S Confirmatory Action Letter
ML13056A0922013-02-20020 February 2013
Email, Draft Request for Additional Information Nos. 38-52, Southern California Edison'S Response to Nrc'S Confirmatory Action Letter
ML13053A3672013-02-0101 February 2013
E-mail, Draft Request for Additional Information Southern California Edison'S Response to Nrc'S Confirmatory Action Letter
ML12356A1982012-12-20020 December 2012
Email, Request for Additional Information, Round 3, Review of Southern California Edison'S Response to Nrc'S 3/27/2012 Confirmatory Action Letter (CAL) 4-12-001 and Return to Service Report
ML12345A4272012-12-10010 December 2012
Revised Email, Request for Additional Information Review of Southern California Edison'S Response to Nrc'S 3/27/2012 Confirmatory Action Letter (CAL) 4-12-001 and Return to Service Report
ML12338A1102012-11-30030 November 2012
Email, Request for Additional Information Southern California Edison'S Response to Nrc'S Confirmatory Action Letter (CAL) 4-12-001 Dated March 27, 2012
ML12313A4752012-11-0808 November 2012
Request for Additional Information Email, Relief Request IST-4-P-2, ASME OM Code Requirements for Testing CSS and LPSI Pumps, Fourth 10-Year Inservice Inspection Interval
ML12297A3972012-10-23023 October 2012
Request for Additional Information Email, Relief Request ISI-3-36, Reactor Coolant Pressure Boundary Testing, Third 10-Year Inservice Inspection Interval
ML12283A2302012-10-0909 October 2012
Request for Additional Information Email, Round 3 W/Corrected Due Date, Request to Revise Technical Specification (TS) 2.1.1.2, TS 4.2.1, and TS 5.7.1.5, to Support Unrestricted Use of Areva Fuel
ML12283A2252012-10-0909 October 2012
Request for Additional Information Email, Round 3, Request to Revise Technical Specification (TS) 2.1.1.2, TS 4.2.1, and TS 5.7.1.5, to Support Unrestricted Use of Areva Fuel
ML12220A0492012-08-0707 August 2012
Request for Additional Information Email, Round 2, License Amendment Request to Revise Technical Specification (TS) 2.1.1.2, TS 4.2.1, and TS 5.7.1.5, to Support Unrestricted Use of Areva Fuel
ML12207A2612012-08-0101 August 2012
Redacted, Request for Additional Information, License Amendment Request to Revise Technical Specification (TS) 2.1.1.2, TS 4.2.1, and TS 5.7.1.5, to Support Unrestricted Use of Areva Fuel
ML12201A1552012-07-19019 July 2012
R. Onge Ltr Request for Additional Information Decommissioning Funding
ML12056A0502012-03-12012 March 2012
Enclosure 4 - Recommendation 2.3: Flooding
ML12056A0512012-03-12012 March 2012
Enclosure 5 - Recommendation 9.3: Emergency Preparedness
ML12056A0482012-03-12012 March 2012
Enclosure 2 - Recommendation 2.1: Flooding
ML12056A0472012-03-12012 March 2012
Enclosure 1 - Recommendation 2.1: Seismic
ML12056A0492012-03-12012 March 2012
Enclosure 3 - Recommendation 2.3: Seismic
ML1200603242012-01-19019 January 2012
Fleet, RAI, Proposed Alternative to Use American Society of Mechanical Engineers (ASME) Boiler and Pressure Vessel Code Case N-789 (N-789)
ML1126604602011-10-14014 October 2011
Request for Additional Information Regarding Use of American Concrete Institute Reports for Restoration of Unit 3 Containment
ML11182C0322011-06-30030 June 2011
Notification of Inspection (Inspection Report 05000361; 05000362/2011004) and Request for Information
ML1113003952011-05-10010 May 2011
Email, Draft Request for Additional Information, Review of Biennial Decommissioning Funding Status Report
ML1113004002011-05-10010 May 2011
Draft Request for Additional Information, Review of Biennial Decommissioning Funding Status Report
ML1112307842011-05-0303 May 2011
Draft Request for Additional Information, Relief Requests ISI-3-32 Through ISI-3-34, Alternative to Requirements for Examinations of Welds and Core Support Structure Surfaces, Third 10-Year Inservice Inspection
ML1106006612011-03-0101 March 2011
Draft Generic Request for Additional Information, License Amendment Request to Revise License Condition and Approve Cyber Security Plan
ML1024301262010-08-31031 August 2010
Request for Additional Information Relief Request ISI-3-31
ML1022404532010-08-11011 August 2010
Draft Request for Additional Information LAR on Fuel Assembly Movement
ML0933601212009-12-0202 December 2009
Request for Additional Information Relief Request ISI-3-30
ML0831705532008-12-0808 December 2008
Request for Additional Information, License Amendment Request to Support Replacement Steam Generators
ML0831901202008-11-26026 November 2008
Request for Additional Information Test Protocol Used in the Testing at Vuez
2021-03-09
[Table view] |
Text
DRAFT REQUEST FOR ADDITIONAL INFORMATION REQUEST FOR APPROVAL OF THE CYBER SECURITY PLAN SOUTHERN CALIFORNIA EDISON COMPANY SAN ONOFRE NUCLEAR GENERATING STATION, UNITS 2 AND 3 DOCKET NUMBERS 50-361 AND 50-362 By letter dated July 22, 2010 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML102080039), Southern California Edison Company (SCE, the licensee), submitted a license amendment request for approval of the Cyber Security Plan for the San Onofre Nuclear Generating Station (SONGS), Units 2 and 3.
The NRC staff has reviewed the information provided in your application and has determined that the following additional information is required in order to complete its review.
- 1. Records Retention The regulation at 10 CFR 73.54(c)(2) requires licensees to design a cyber security program to ensure the capability to detect, respond to, and recover from cyber attacks. Furthermore, 10 CFR 73.54(e)(2)(i) requires licensees to maintain a CSP that describes how the licensee will maintain the capability for timely detection and response to cyber attacks. The ability for a licensee to detect and respond to cyber attacks requires accurate and complete records and is further supported by 10 CFR 73.54(h), which states that the licensee shall retain all records and supporting technical documentation required to satisfy the requirements of 10 CFR Section 73.54 as a record until the Commission terminates the license for which the records were developed, and shall maintain superseded portions of these records for at least 3 years after the record is superseded, unless otherwise specified by the Commission.
The licensees CSP in Section 4.13 states that Critical Digital Asset (CDA) audit records and audit data (e.g., operating system logs, network device logs) are retained for a period of time that is less than what is required by 10 CFR 73.54(h).
Explain the deviation from the 10 CFR 73.54(h) requirement to retain records and supporting technical documentation until the Commission terminates the license (or to maintain superseded portions of these records for at least 3 years) and how that meets the requirements of 10 CFR 73.54.
- 2. Implementation Schedule The regulation at 10 CFR 73.54, Protection of digital computer and communication systems and networks, requires licensees to submit a CSP that satisfies the requirements of this section for Commission review and approval. Furthermore, each submittal must include a proposed implementation schedule and the implementation of the licensees cyber security program must be consistent with the approved schedule. Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat.
The completion of several key intermediate milestones (Items (a) through (g) below) would demonstrate progress toward meeting the requirements of 10 CFR 73.54. The NRC staffs expectation is that the key intermediate milestones will be completed in a timely manner, but no later than December 31, 2012. The key CSP implementation milestones are as follows:
(a) Establish, train and qualify Cyber Security Assessment Team, as described in Section 3.1.2, Cyber Security Assessment Team, of the CSP.
(b) Identify Critical Systems and CDAs, as described in Section 3.1.3, Identification of Critical Digital Assets, of the CSP.
(c) Implement cyber security defense-in-depth architecture by installation of deterministic one-way devices, as described in Section 4.3, Defense-In-Depth Protective Strategies of the CSP.
(d) Implement the management, operational and technical cyber security controls that address attacks promulgated by use of portable media, portable devices, and portable equipment as described in Appendix D, Section 1.19 Access Control for Portable and Mobile Devices, of Nuclear Energy Institute (NEI) 08-09, Revision 6.
(e) Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds as described in Appendix E, Section 4.3, Personnel Performing Maintenance and Testing Activities, and Appendix E, Section 10.3, Baseline Configuration of NEI 08-09, Revision 6.
(f) Identify, document, and implement cyber security controls to physical security target set CDAs in accordance with Section 3.1.6, Mitigation of Vulnerabilities and Application of Cyber Security Controls, of the CSP.
(g) Ongoing monitoring and assessment activities will commence for those target set CDAs whose security controls have been implemented, as described in Section 4.4, Ongoing Monitoring and Assessment, of the CSP (h) Full implementation of the CSP for all safety, security, and emergency preparedness functions.
Provide a revised CSP implementation schedule that identifies the appropriate milestones, completion dates, supporting rationale, and level of detail to allow the NRC to evaluate the licensees proposed schedule and associated milestone dates which include the final completion date. The NRC staff intends to develop a license condition incorporating your revised CSP implementation schedule containing the key milestone dates.
- 3. Scope of Systems Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat as described in 10 CFR 73.1. In addition, 10 CFR 73.54(a)(1) states that the licensee shall protect digital computer and communication systems and networks associated with:
(i) Safety-related and important-to-safety functions;
(ii) Security functions; (iii) Emergency preparedness functions, including offsite communications; and (iv) Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.
Subsequent to the issuance of the cyber security rule, the NRC stated that 10 CFR 73.54 should be interpreted to include structures, systems, and components (SSCs) in the balance of plant (BOP) that have a nexus to radiological health and safety (ADAMS Accession No. ML103490344, dated November 19, 2010). The SSCs in the BOP are those that could directly or indirectly affect reactivity of a nuclear power plant and could result in an unplanned reactor shutdown or transient and are therefore, within the scope of important-to-safety functions described in 10 CFR 73.54(a)(1). Furthermore, the NRC issued a letter to NEI dated January 5, 2011 (ADAMS Accession No. ML103550480), that provided licensees with additional guidance on one acceptable approach to comply with the Commissions policy determination.
Explain how the scoping of systems provided by the CSP for the San Onofre Nuclear Generating Station, Units 2 and 3, meets the requirements of 10 CFR 73.54 and the additional guidance provided by the NRC.
