ML11152A037


And Nine Mile Point Nuclear Station Unit Nos. 1 and 2-ME4328 to ME4332-Constellation-Issuance of Amendments Cyber Security Plans
Person / Time
Site: Calvert Cliffs, Nine Mile Point, Ginna
Issue date: 08/19/2011
From: Pickett D
Plant Licensing Branch 1
To: Korsnick M
Constellation Energy Nuclear Group
Pickett D, NRR/DORL/LPL1-1, 415-1364
References
TAC ME4330, TAC ME4328, TAC ME4329, TAC ME4331, TAC ME4332


Text

UNITED STATES

NUCLEAR REGULATORY COMMISSION

WASHINGTON, D.C. 20555-0001

August 19, 2011

Ms. Maria G. Korsnick, Chief Nuclear Officer and Senior Vice President - Chief Operations Officer
Constellation Energy Nuclear Group, LLC
100 Constellation Way, Suite 200C
Baltimore, MD 21202

SUBJECT: CALVERT CLIFFS NUCLEAR POWER PLANT, UNIT NOS. 1 AND 2, NINE MILE POINT NUCLEAR STATION, UNIT NOS. 1 AND 2, AND R. E. GINNA NUCLEAR POWER PLANT - ISSUANCE OF AMENDMENTS TO RENEWED FACILITY OPERATING LICENSES (FOLs) RE: CYBER SECURITY PLANS (TAC NOS. ME4328, ME4329, ME4330, ME4331, AND ME4332)

Dear Ms. Korsnick:

The Commission has issued the following enclosed amendments:

(1) Amendment No. 298 to Renewed FOL No. DPR-53 and Amendment No. 275 to Renewed FOL No. DPR-69 for the Calvert Cliffs Nuclear Power Plant, Unit Nos. 1 and 2 (CCNPP).

(2) Amendment No. 209 to Renewed FOL No. DPR-63 and Amendment No. 137 to Renewed FOL No. NPF-69 for the Nine Mile Point Nuclear Station, Unit Nos. 1 and 2 (NMPNS).

(3) Amendment No. 113 to Renewed FOL No. DPR-18 for the R. E. Ginna Nuclear Power Plant (Ginna).

These amendments are in response to the application by Constellation Energy Nuclear Group, LLC (hereafter referred to as the licensee) dated July 16, 2010, as supplemented by letters dated April 4, and July 1, 2011, for the subject facilities in order to implement the Cyber Security Plan (CSP) in accordance with Title 10 of the Code of Federal Regulations (10 CFR) Section 73.54, "Protection of digital computer and communication systems and networks."

The licensee's application for the proposed amendments to the Renewed FOLs includes: (1) the proposed CSP for CCNPP, Ginna, and NMPNS, (2) an implementation schedule, and (3) a proposed sentence to be added to the existing physical protection license condition for CCNPP, NMPNS, and Ginna requiring the licensee to fully implement and maintain in effect all provisions of the U.S. Nuclear Regulatory Commission (NRC)-approved CSP for CCNPP, Ginna, and NMPNS, as required by 10 CFR 73.54. A Federal Register notice dated March 27, 2009, issued the final rule that amended 10 CFR Part 73.54. The regulations in 10 CFR 73.54, establish the requirements for a CSP. This regulation specifically requires each licensee currently licensed to operate a nuclear power plant under Part 50 of this chapter to submit a CSP that satisfies the requirements of the rule. Each submittal must include a proposed implementation schedule. Furthermore, implementation of the licensee's cyber security program must be consistent with the approved schedule. The background for this application is addressed by the NRC Notice of Availability, Federal Register Notice, Final Rule 10 CFR Part 73, Power Reactor Security Requirements, published on March 27, 2009 (74 FR 13926).

These license amendments are effective as of the date of its issuance. Implementation of the CSP, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee on July 16, 2010, as supplemented by letters dated April 4, and July 1, 2011, and approved by the NRC staff by these license amendments. All subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90.

A copy of the related Safety Evaluation is also enclosed. A Notice of Issuance will be included in the Commission's biweekly Federal Register notice.

Sincerely,

Douglas Pickett, Senior Project Manager
Plant Licensing Branch 1-1
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket Nos. 50-220, 50-410, 50-317, 50-318, and 50-244

Enclosures:

1. Amendment No. 298 to Renewed FOL No. DPR-53
2. Amendment No. 275 to Renewed FOL No. DPR-69
3. Amendment No. 209 to Renewed FOL No. DPR-63
4. Amendment No. 137 to Renewed FOL No. NPF-69
5. Amendment No. 113 to Renewed FOL No. DPR-18
6. Safety Evaluation

cc w/encls: Distribution via Listserv

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

CALVERT CLIFFS NUCLEAR POWER PLANT, LLC
DOCKET NO. 50-317
CALVERT CLIFFS NUCLEAR POWER PLANT, UNIT NO. 1
AMENDMENT TO RENEWED FACILITY OPERATING LICENSE

Amendment No. 298
Renewed License No. DPR-53

1. The Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by Constellation Energy Nuclear Group, LLC on behalf of Calvert Cliffs Nuclear Power Plant, LLC (the licensee), dated July 16, 2010, as supplemented by letters dated April 4, and July 1, 2011, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act) and the Commission's rules and regulations set forth in 10 CFR Chapter I;

B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission;

C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations;

D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and

E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

2. Accordingly, the license is amended as indicated in the attachment to this license amendment, and paragraph 2.C.2. of Renewed Facility Operating License No. DPR-53 is hereby amended to read as follows:

2. Technical Specifications

The Technical Specifications contained in Appendices A and B, as revised through Amendment No. 298, are hereby incorporated into the renewed license. The licensee shall operate the facility in accordance with the Technical Specifications.

Further, the following paragraph is added to the existing License Condition 2.D:

"The licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The licensee's CSP was approved by License Amendment No. 298."

3. This license amendment is effective as of the date of its issuance. The implementation of the CSP, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee by letter July 16, 2010, as supplemented by letters dated April 4, and July 1, 2011, and approved by the NRC staff with this license amendment. All subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90.

FOR THE NUCLEAR REGULATORY COMMISSION

Nancy L. Salgado, Chief
Plant Licensing Branch 1-1
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Attachment: Changes to the License

Date of Issuance: August 19, 2011

ATTACHMENT TO LICENSE AMENDMENT
AMENDMENT NO. 298 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-53
DOCKET NO. 50-317

Replace the following pages of the Facility Operating License with the attached revised pages.

The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.

Remove Pages    Insert Pages
3               3
5               5

-3

rules, regulations, and orders of the Commission, now or hereafter applicable; and is subject to the additional conditions specified and incorporated below:

(1) Maximum Power Level

The licensee is authorized to operate the facility at steady-state reactor core power levels not in excess of 2737 megawatts-thermal in accordance with the conditions specified herein.

(2) Technical Specifications

The Technical Specifications contained in Appendices A and B, as revised through Amendment No. 298, are hereby incorporated into this license. The licensee shall operate the facility in accordance with the Technical Specifications.

(a) For Surveillance Requirements (SRs) that are new, in Amendment 227 to Facility Operating License No. DPR-53, the first performance is due at the end of the first surveillance interval that begins at implementation of Amendment 227. For SRs that existed prior to Amendment 227, including SRs with modified acceptance criteria and SRs whose frequency of performance is being extended, the first performance is due at the end of the first surveillance interval that begins on the date the Surveillance was last performed prior to implementation of Amendment 227.

(3) Additional Conditions

The Additional Conditions contained in Appendix C as revised through Amendment No. 297 are hereby incorporated into this license. Calvert Cliffs Nuclear Power Plant, LLC shall operate the facility in accordance with the Additional Conditions.

(4) Secondary Water Chemistry Monitoring Program

The Calvert Cliffs Nuclear Power Plant, LLC, shall implement a secondary water chemistry monitoring program to inhibit steam generator tube degradation. This program shall include:

a. Identification of a sampling schedule for the critical parameters and control points for these parameters;

b. Identification of the procedures used to quantify parameters that are critical to control points;

Amendment No. 298

- 5

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The licensee's CSP was approved by License Amendment No. 298.

E. The licensee shall implement and maintain in effect all provisions of the approved fire protection program as described in the Updated Final Safety Analysis Report for the facility and as approved in the SER dated September 14, 1979 and Supplements dated October 2, 1980; March 18, 1982; and September 27, 1982; and Exemptions dated August 16, 1982; April 21, 1983; March 15, 1984; August 22, 1990; and April 7, 1999 subject to the following provision: The licensee may make changes to the approved fire protection program without prior approval of the Commission only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire.

F. At the time of the next scheduled update to the FSAR required pursuant to 10 CFR 50.71(e)(4) following the issuance of this renewed license, the licensee shall update the FSAR to include the FSAR supplement submitted pursuant to 10 CFR 54.21(d), as amended and supplemented by the program descriptions in Appendix E to the Safety Evaluation Report, NUREG-1705. Until that FSAR update is complete, the licensee may make changes to the programs described in Appendix E without prior Commission approval, provided that the licensee evaluates each such change pursuant to the criteria set forth in 10 CFR 50.59 and otherwise complies with the requirements in that section.

G. Any future actions listed in Appendix E to the Safety Evaluation Report, NUREG-1705, shall be included in the FSAR. The licensee shall complete these actions by July 31, 2014, except for the volumetric inspections of the control element drive mechanisms, which must be completed no later than 2029 for Unit 1 (Appendix E, Item 65).

H. This renewed license is effective as of the date of issuance and shall expire at midnight on July 31, 2034.

FOR THE NUCLEAR REGULATORY COMMISSION

Samuel J. Collins, Director
Office of Nuclear Reactor Regulation

Attachments:

Appendix A - Technical Specifications
Appendix B - Environmental Protection Plan (non-radiological) Technical Specifications
Appendix C - Additional Conditions

Date of Issuance: March 23, 2000

Amendment No. 298

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

CALVERT CLIFFS NUCLEAR POWER PLANT, LLC
DOCKET NO. 50-318
CALVERT CLIFFS NUCLEAR POWER PLANT, UNIT NO. 2
AMENDMENT TO RENEWED FACILITY OPERATING LICENSE

Amendment No. 275
Renewed License No. DPR-69

1. The Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by Constellation Energy Nuclear Group, LLC on behalf of Calvert Cliffs Nuclear Power Plant, LLC (the licensee), dated July 16, 2010, as supplemented by letters dated April 4, and July 1, 2011, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act) and the Commission's rules and regulations set forth in 10 CFR Chapter I;

B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission;

C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations;

D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and

E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

2. Accordingly, the license is amended as indicated in the attachment to this license amendment, and paragraph 2.C.2. of Renewed Facility Operating License No. DPR-69 is hereby amended to read as follows:

2. Technical Specifications

The Technical Specifications contained in Appendices A and B, as revised through Amendment No. 275, are hereby incorporated in the renewed license. The licensee shall operate the facility in accordance with the Technical Specifications.

Further, the following paragraph is added to the existing License Condition 2.D:

"The licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The licensee's CSP was approved by License Amendment No. 275."

3. This license amendment is effective as of the date of its issuance. The implementation of the CSP, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee by letter July 16, 2010, as supplemented by letters dated April 4, and July 1, 2011, and approved by the NRC staff with this license amendment. All subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90.

FOR THE NUCLEAR REGULATORY COMMISSION

Nancy L. Salgado, Chief
Plant Licensing Branch 1-1
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Attachment: Changes to the License

Date of Issuance: August 19, 2011

ATTACHMENT TO LICENSE AMENDMENT
AMENDMENT NO. 275 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-69
DOCKET NO. 50-318

Replace the following pages of the Facility Operating License with the attached revised pages.

The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.

Remove Pages    Insert Pages
3               3
5               5

- 3

C. This license is deemed to contain and is subject to the conditions set forth in 10 CFR Chapter I and is subject to all applicable provisions of the Act, and the rules, regulations, and orders of the Commission, now and hereafter applicable; and is subject to the additional conditions specified and incorporated below:

(1) Maximum Power Level

The licensee is authorized to operate the facility at reactor steady-state core power levels not in excess of 2737 megawatts-thermal in accordance with the conditions specified herein.

(2) Technical Specifications

The Technical Specifications contained in Appendices A and B, as revised through Amendment No. 275 are hereby incorporated into this license. The licensee shall operate the facility in accordance with the Technical Specifications.

(a) For Surveillance Requirements (SRs) that are new, in Amendment 201 to Facility Operating License No. DPR-69, the first performance is due at the end of the first surveillance interval that begins at implementation of Amendment 201. For SRs that existed prior to Amendment 201, including SRs with modified acceptance criteria and SRs whose frequency of performance is being extended, the first performance is due at the end of the first surveillance interval that begins on the date the Surveillance was last performed prior to implementation of Amendment 201.

(3) Less Than Four Pump Operation

The licensee shall not operate the reactor at power levels in excess of five (5) percent of rated thermal power with less than four (4) reactor coolant pumps in operation. This condition shall remain in effect until the licensee has submitted safety analyses for less than four pump operation, and approval for such operation has been granted by the Commission by amendment of this license.

(4) Environmental Monitoring Program

If harmful effects or evidence of irreversible damage are detected by the biological monitoring program, hydrological monitoring program, and the radiological monitoring program specified in the Appendix B Technical Specifications, the licensee will provide to the staff a detailed analysis of the problem and a program of remedial action to be taken to eliminate or significantly reduce the detrimental effects or damage.

Amendment No. 275

- 5

4. Procedures for implementing integrated fire response strategy

5. Identification of readily available pre-staged equipment

6. Training on integrated fire response strategy

7. Spent fuel pool mitigation measures

(c) Actions to minimize release to include consideration of:

1. Water spray scrubbing

2. Dose to onsite responders

D. The licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans, including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Calvert Cliffs Nuclear Power Plant Security Plan, Training and Qualification Plan, and Safeguards Contingency Plan, Revision 1" submitted dated May 19, 2006.

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The licensee's CSP was approved by License Amendment No. 275.

E. The Calvert Cliffs Nuclear Power Plant, LLC, shall implement and maintain in effect all provisions of the approved fire protection program as described in the Updated Final Safety Analysis Report for the facility and as approved in the SER dated September 14, 1979, and Supplements dated October 2, 1980; March 18, 1982; and September 27, 1982; and Exemptions dated August 16, 1982; April 21, 1983; March 15, 1984; August 22, 1990; and April 7, 1999 subject to the following provision: The Calvert Cliffs Nuclear Power Plant, LLC may make changes to the approved fire protection program without prior approval of the Commission only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire.

F. At the time of the next scheduled update to the FSAR required pursuant to 10 CFR 50.71(e)(4) following the issuance of this renewed license, the licensee shall update the FSAR to include the FSAR supplement submitted pursuant to 10 CFR 54.21(d), as amended and supplemented by the program descriptions in Appendix E to the Safety Evaluation Report, NUREG-1705. Until that FSAR update is complete, the licensee may make changes to the programs described in Appendix E without prior Commission approval, provided that the licensee evaluates each such change pursuant to the criteria set forth in 10 CFR 50.59 and otherwise complies with the requirements in that section.

G. Any future actions listed in Appendix E to the Safety Evaluation Report, NUREG-1705, shall be included in the FSAR. The licensee shall complete these actions by August 13, 2016.

Amendment No. 275

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

NINE MILE POINT NUCLEAR STATION, LLC
DOCKET NO. 50-220
NINE MILE POINT NUCLEAR STATION UNIT NO. 1
AMENDMENT TO RENEWED FACILITY OPERATING LICENSE

Amendment No. 209
Renewed License No. DPR-63

1. The Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by Constellation Energy Nuclear Group, LLC on behalf of Nine Mile Point Nuclear Station, LLC (the licensee), dated July 16, 2010, as supplemented by letters dated April 4, and July 1, 2011, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act) and the Commission's rules and regulations set forth in 10 CFR Chapter I;

B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission;

C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations;

D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and

E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

2. Accordingly, the license is amended as indicated in the attachment to this license amendment, and paragraph 2.C.(2) of Renewed Facility Operating License No. DPR-63 is hereby amended to read as follows:

(2) Technical Specifications and Environmental Protection Plan

The Technical Specifications contained in Appendices A and B, as revised through Amendment No. 209, are hereby incorporated in the license. The licensee shall operate the facility in accordance with the Technical Specifications.

Further, the following paragraph is added to the existing License Condition 2.D(4):

"The licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The licensee's CSP was approved by License Amendment No. 209."

3. This license amendment is effective as of the date of its issuance. The implementation of the CSP, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee by letter July 16, 2010, as supplemented by letters dated April 4, and July 1, 2011, and approved by the NRC staff with this license amendment. All subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90.

FOR THE NUCLEAR REGULATORY COMMISSION

Nancy L. Salgado, Chief
Plant Licensing Branch 1-1
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Attachment: Changes to the License

Date of Issuance: August 19, 2011

ATTACHMENT TO LICENSE AMENDMENT NO. 209
TO RENEWED FACILITY OPERATING LICENSE NO. DPR-63
DOCKET NO. 50-220

Replace the following pages of the Facility Operating License with the attached revised pages.

The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.

Remove Pages    Insert Pages
3               3
4               4

-3

(3) Pursuant to the Act and 10 CFR Parts 30, 40, and 70 to receive, possess and use at any time any byproduct, source and special nuclear material as sealed neutron sources for reactor startup, sealed sources for reactor instrumentation and radiation monitoring equipment calibration, and as fission detectors in amounts as required;

(4) Pursuant to the Act and 10 CFR Parts 30, 40 and 70, to receive, possess and use in amounts as required any byproduct, source or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument and equipment calibration or associated with radioactive apparatus or components.

(5) Pursuant to the Act and 10 CFR Parts 30 and 70, to possess, but not separate, such byproduct and special nuclear materials as may be produced by the operation of the facility.

C. This renewed operating license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter I: Part 20, Section 30.34 of Part 30; Section 40.41 of Part 40; Section 50.54 and 50.59 of Part 50; and Section 70.32 of Part 70. This renewed license is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect and is also subject to the additional conditions specified or incorporated below:

(1) Maximum Power Level

The licensee is authorized to operate the facility at steady state reactor core power levels not in excess of 1850 megawatts (thermal).

(2) Technical Specifications

The Technical Specifications contained in Appendix A, which is attached hereto, as revised through Amendment No. 209, is hereby incorporated into this license. Nine Mile Point Nuclear Station, LLC shall operate the facility in accordance with the Technical Specifications.

(3) Deleted

Renewed License No. DPR 63
Amendment No. 191 to 207, 209

-4

D. This license is subject to the following additional conditions:

(1) The licensee will complete construction of a new radwaste facility in conformance with the design defined and evaluated in the FES, to be operational no later than June 1976.

(2) Deleted by License Amendment No. 51

(3) Deleted by License Amendment No. 51

(4) Security, Training and Qualification and Safeguards Contingency Plans

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans, including amendments made pursuant to the provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21 is entitled "Nine Mile Point Nuclear Station, LLC Physical Security, Safeguards Contingency, and Security Training and Qualification Plan, Revision 1," and was submitted by letter dated April 26, 2006.

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The licensee's CSP was approved by License Amendment No. 209.

(5) Paragraph 2.D(5) of the license has been combined with paragraph 2.D(4) as amended above into a single paragraph.

(6) Recirculation System Safe-end Replacement

The recirculation system and safe-end replacement program including the cutting and welding of the replacement components and the dose mitigation program (ALARA) is approved, subject to the following conditions:

a. The licensee shall complete the recirculation piping stress reanalysis prior to restart of Nine Mile Point Nuclear Power Station, Unit No. 1. The results of this analysis for selected representative portions of the recirculation system shall be submitted to the NRC prior to restart of the facility.

b. All fuel and control rods shall be removed from the reactor pressure vessel and stored in the spent fuel pool during the period that work on the safe-end and recirculation system replacement program is in progress.

Renewed License No. DPR 63 Revised by letter dated February 21, 2007 Amendment No. ger 209

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

NINE MILE POINT NUCLEAR STATION, LLC
DOCKET NO. 50-410
NINE MILE POINT NUCLEAR STATION, UNIT 2
AMENDMENT TO RENEWED FACILITY OPERATING LICENSE

Amendment No. 137
Renewed License No. NPF-69

1. The Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by Constellation Energy Nuclear Group, LLC on behalf of Nine Mile Point Nuclear Station, LLC (the licensee), dated July 16, 2010, as supplemented by letters dated April 4, and July 1, 2011, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act) and the Commission's rules and regulations set forth in 10 CFR Chapter I;

B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission;

C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations;

D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and

E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

2. Accordingly, the license is amended as indicated in the attachment to this license amendment, and paragraph 2.C.(2) of Renewed Facility Operating License No. NPF-69 is hereby amended to read as follows:

(2) Technical Specifications and Environmental Protection Plan

The Technical Specifications contained in Appendix A and the Environmental Protection Plan contained in Appendix B, both of which are attached hereto, as revised through Amendment No. 137 are hereby incorporated into this license. Nine Mile Point Nuclear Station, LLC shall operate the facility in accordance with the Technical Specifications and the Environmental Protection Plan.

Further, the following paragraph is added to the existing License Condition 2.E:

"Nine Mile Point Nuclear Station, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Nine Mile Point Nuclear Station's CSP was approved by License Amendment No. 137."

3. This license amendment is effective as of the date of its issuance. The implementation of the CSP, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee by letter July 16, 2010, as supplemented by letters dated April 4, and July 1, 2011, and approved by the NRC staff with this license amendment. All subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90.

FOR THE NUCLEAR REGULATORY COMMISSION

/,

~~~l-:r /~

~

~/;ar£'

Nancy L. Salgado, Chief Plant Licensing Branch 1-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

Attachment: Changes to the License

Date of Issuance: August 19, 2011

ATTACHMENT TO LICENSE AMENDMENT NO. 137 TO RENEWED FACILITY OPERATING LICENSE NO. NPF-69 DOCKET NO. 50-410

Replace the following pages of the Facility Operating License with the attached revised pages.

The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.

Remove Pages    Insert Pages
4               4
11              11

(1) Maximum Power Level

Nine Mile Point Nuclear Station, LLC is authorized to operate the facility at reactor core power levels not in excess of 3467 megawatts thermal (100 percent rated power) in accordance with the conditions specified herein.

(2) Technical Specifications and Environmental Protection Plan

The Technical Specifications contained in Appendix A and the Environmental Protection Plan contained in Appendix B, both of which are attached hereto, as revised through Amendment No. 137 are hereby incorporated into this license. Nine Mile Point Nuclear Station, LLC shall operate the facility in accordance with the Technical Specifications and the Environmental Protection Plan.

(3) Fuel Storage and Handling (Section 9.1, SSER 4)*

a. Fuel assemblies, when stored in their shipping containers, shall be stacked no more than three containers high.

b. When not in the reactor vessel, no more than three fuel assemblies shall be allowed outside of their shipping containers or storage racks in the New Fuel Vault or Spent Fuel Storage Facility.

c. The above three fuel assemblies shall maintain a minimum edge-to-edge spacing of twelve (12) inches from the shipping container array and approved storage rack locations.

d. The New Fuel Storage Vault shall have no more than ten fresh fuel assemblies uncovered at any one time.

(4) Turbine System Maintenance Program (Section 3.5.1.3.10, SER)

The operating licensee shall submit for NRC approval by October 31, 1989, a turbine system maintenance program based on the manufacturer's calculations of missile generation probabilities.

(Submitted by NMPC letter dated October 30, 1989 from C.D. Terry and approved by NRC letter dated March 15, 1990 from Robert Martin to Mr. Lawrence Burkhardt, III).

The parenthetical notation following the title of many license conditions denotes the section of the Safety Evaluation Report (SER) and/or its supplements wherein the license condition is discussed.

Renewed License No. NPF-69 Amendment 117 through 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137

vi) A schedular exemption to 10 CFR 50.55a(h) for the Neutron Monitoring System until completion of the first refueling outage to allow the operating licensee to provide qualified isolation devices for Class 1E/non-1E interfaces described in their letters of June 23, 1987 (NMP2L 1057) and June 25, 1987 (NMP2L 1058). (Section 7.2.2.10, SSER 6).

For the schedular exemptions in iv), v), and vi), above, the operating licensee, in accordance with its letter of October 31, 1986, shall certify that all systems, components, and modifications have been completed to meet the requirements of the regulations for which the exemptions have been granted and shall provide a summary description of actions taken to ensure that the regulations have been met. This certification and summary shall be provided 10 days prior to the expiration of each exemption period as described above.

The exemptions set forth in this Section 2.0 are authorized by law, will not present an undue risk to public health and safety, and are consistent with the common defense and security. These exemptions are hereby granted. The special circumstances regarding each exemption are identified in the referenced section of the Safety Evaluation Report and the supplements thereto. The exemptions in ii) through vi) are granted pursuant to 10 CFR 50.12.

With these exemptions, the facility will operate to the extent authorized herein, in conformity with the application, as amended, the provisions of the Act, and the rules and regulations of the Commission.

E. Nine Mile Point Nuclear Station, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans, including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21 is entitled "Nine Mile Point Nuclear Station, LLC Physical Security, Safeguards Contingency, and Security Training and Qualification Plan, Revision 1," and was submitted by letter dated April 26, 2006. Changes made in accordance with 10 CFR 73.55 shall be implemented in accordance with the schedule set forth therein.

Nine Mile Point Nuclear Station, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The Nine Mile Point Nuclear Station's CSP was approved by License Amendment No. 137.

F. Nine Mile Point Nuclear Station, LLC shall implement and maintain in effect all provisions of the approved fire protection program as described in the Final Safety Analysis Report for the facility through Amendment No. 27 and as described in submittals dated March 25, May 7 and 9, June 10 and 25, July 11 and 16, August 19 and 22, September 5, 12, and 23, October 10, 21, and 22, and December 9, 1986, and April 10 and May 20, 1987, and as approved in the SER dated February 1985 (and Supplements 1 through 6) subject to the following provision:

Renewed License No. NPF-69 Revised by letter dated August 23, 2007 Amendment No. 137

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

R. E. GINNA NUCLEAR POWER PLANT, LLC
DOCKET NO. 50-244
R. E. GINNA NUCLEAR POWER PLANT
AMENDMENT TO RENEWED FACILITY OPERATING LICENSE
Amendment No. 113
Renewed License No. DPR-18

1. The Nuclear Regulatory Commission (the Commission or the NRC) has found that:

A. The application for amendment filed by Constellation Energy Nuclear Group, LLC on behalf of R. E. Ginna Nuclear Power Plant, LLC (the licensee) dated July 16, 2010, as supplemented by letters dated April 4, and July 1, 2011, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I;

B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission;

C. There is reasonable assurance: (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations;

D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and

E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

2. Accordingly, the license is amended as indicated in the attachment to this license amendment, and paragraph 2.C.(2) of Renewed Facility Operating License No. DPR-18 is hereby amended to read as follows:

(2) Technical Specifications

The Technical Specifications contained in Appendix A, as revised through Amendment No. 113, are hereby incorporated in the renewed license. The licensee shall operate the facility in accordance with the Technical Specifications.

Further, the following paragraph is added to the existing License Condition 2.E:

"The licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The licensee's CSP was approved by License Amendment No. 113."

3. This license amendment is effective as of the date of its issuance. The implementation of the CSP, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee by letter dated July 16, 2010, as supplemented by letters dated April 4, and July 1, 2011, and approved by the NRC staff with this license amendment. All subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90.

FOR THE NUCLEAR REGULATORY COMMISSION

Nancy L. Salgado, Chief Plant Licensing Branch 1-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

Attachment: Changes to the License

Date of Issuance: August 19, 2011

ATTACHMENT TO LICENSE AMENDMENT NO. 113 RENEWED FACILITY OPERATING LICENSE NO. DPR-18 DOCKET NO. 50-244

Replace the following pages of the Facility Operating License with the attached revised pages.

The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.

Remove Pages    Insert Pages
3               3
6               6

(b) Pursuant to the Act and 10 CFR Part 70, to possess and use four (4) mixed oxide fuel assemblies in accordance with the RG&E's application dated December 14, 1979 (transmitted by letter dated December 20, 1979), as supplemented February 20, 1980, and March 5, 1980;

(3) Pursuant to the Act and 10 CFR Parts 30, 40, and 70 to receive, possess, and use at any time any byproduct, source, and special nuclear material as sealed neutron sources for reactor startup, sealed sources for reactor instrumentation and radiation monitoring equipment calibration, and as fission detectors in amounts as required;

(4) Pursuant to the Act and 10 CFR Parts 30, 40, and 70, to receive, possess, and use in amounts as required any byproduct, source, or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration or associated with radioactive apparatus or components; and

(5) Pursuant to the Act and 10 CFR Parts 30 and 70, to possess, but not separate, such byproduct and special nuclear materials as may be produced by the operation of the facility.

C. This renewed license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Part 20, Section 30.34 of Part 30, Section 40.41 of Part 40, Sections 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; and is subject to all applicable provisions of the Act and rules, regulations and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified below:

(1) Maximum Power Level

Ginna LLC is authorized to operate the facility at steady-state power levels up to a maximum of 1775 megawatts (thermal).

(2) Technical Specifications

The Technical Specifications contained in Appendix A, as revised through Amendment No. 113, are hereby incorporated in the renewed license.

The licensee shall operate the facility in accordance with the Technical Specifications.

(3) Fire Protection

(a) The licensee shall implement and maintain in effect all fire protection features described in the licensee's submittals referenced in and as approved or modified by the NRC's Fire Protection Safety Evaluation (SE) dated February 14, 1979, and

Amendment No. 113

accordance with an acceptable calculational model which conforms to the provisions in Appendix K (SER dated April 18, 1978). The exemption will expire upon receipt and approval of revised ECCS calculations. The aforementioned exemption is authorized by law and will not endanger life property or the common defense and security and is otherwise in the public interest. Therefore, the exemption is hereby granted pursuant to 10 CFR 50.12.

E. The licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27827 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains Safeguards Information protected under 10 CFR 73.21, is entitled: "R. E. Ginna Nuclear Power Plant Security Plan, Training and Qualification Plan, and Safeguards Contingency Plan," submitted by letter dated May 15, 2006.

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The licensee's CSP was approved by License Amendment No. 113.

F. The Updated Final Safety Analysis Report supplement, submitted pursuant to 10 CFR 54.21(d), describes certain future activities to be completed prior to the period of extended operation. Ginna LLC shall complete these activities no later than September 18, 2009, and shall notify the Commission in writing when implementation of these activities is complete and can be verified by NRC inspection.

The Updated Final Safety Analysis Report supplement, as revised, shall be included in the next scheduled update to the Updated Final Safety Analysis Report required by 10 CFR 50.71(e)(4) following issuance of this renewed license. Until that update is complete, Ginna LLC may make changes to the programs and activities described in the supplement without prior Commission approval, provided that Ginna LLC evaluates each such change pursuant to the criteria set forth in 10 CFR 50.59 and otherwise complies with the requirements in that section.

G. All capsules in the reactor vessel that are removed and tested must meet the test procedures and reporting requirements of ASTM E 185-82 to the extent practicable for the configuration of the specimens in the capsule. Any changes to the capsule withdrawal schedule, including spare capsules, must be approved by the NRC prior to implementation. Any capsules placed in storage must be maintained for future insertion, unless approved by the NRC.

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION

CONSTELLATION ENERGY NUCLEAR GROUP, LLC

RELATED TO AMENDMENT NO. 298 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-53 AND AMENDMENT NO. 275 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-69 (CALVERT CLIFFS NUCLEAR POWER PLANT, LLC, CALVERT CLIFFS NUCLEAR POWER PLANT, UNIT NOS. 1 AND 2), DOCKET NOS. 50-317, 50-318,

RELATED TO AMENDMENT NO. 209 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-63 AND AMENDMENT NO. 137 TO RENEWED FACILITY OPERATING LICENSE NO. NPF-69 (NINE MILE POINT NUCLEAR STATION, LLC, NINE MILE POINT NUCLEAR STATION, UNIT NOS. 1 AND 2), DOCKET NOS. 50-220, 50-410,

AND RELATED TO AMENDMENT NO. 113 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-18 (R. E. GINNA NUCLEAR POWER PLANT, LLC, R. E. GINNA NUCLEAR POWER PLANT), DOCKET NO. 50-244

1.0 INTRODUCTION

By application dated July 16, 2010 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML102040473), as supplemented by letters dated April 4, and July 1, 2011 (ADAMS Accession Nos. ML110950664 and ML11189A064, respectively), Constellation Energy Nuclear Group, LLC (CENG, hereafter referred to as the licensee), requested changes to the Renewed Facility Operating Licenses (FOLs) for the following facilities for approval of the licensee's Cyber Security Plan (CSP) and Implementation Schedule as required by Title 10 of the Code of Federal Regulations (10 CFR) 73.54, "Protection of digital computer and communication systems and networks," (Reference 1):

(1) Calvert Cliffs Nuclear Power Plant, Unit Nos. 1 and 2 (CCNPP-1 and -2),

(2) Nine Mile Point Nuclear Station, Unit Nos. 1 and 2 (NMPNS-1 and -2), and

(3) R. E. Ginna Nuclear Power Plant (Ginna).

By letter dated April 4, 2011, the licensee supplemented their CSP to address: 1) scope of systems in response to Commission direction as described in SRM-COMWCO-10-0001, "Regulation of Cyber Security at Nuclear Power Plants," October 21, 2010 (ADAMS Accession No. ML102940009) (Reference 2); 2) records retention; and 3) implementation schedule.

The supplements dated April 4, and July 1, 2011, provided additional information that clarified the application, did not expand the scope of the application as originally noticed, and did not change the staff's original proposed no significant hazards consideration determination as published in the Federal Register on October 12, 2010 (75 FR 62594).

The amendments would approve the CSP and associated implementation schedule, and revise (1) Paragraph 2.D of FOL No. DPR-53 for CCNPP-1, (2) Paragraph 2.D of FOL No. DPR-69 for CCNPP-2, (3) Paragraph 2.D(4) of FOL No. DPR-63 for NMPNS-1, (4) Paragraph 2.E of FOL No. NPF-69 for NMPNS-2, and (5) Paragraph 2.E of FOL No. DPR-18 for Ginna, respectively, to provide license conditions to require the licensee to fully implement and maintain in effect all provisions of the NRC-approved CSP. The proposed change is generally consistent with Nuclear Energy Institute (NEI) 08-09, Revision 6, "Cyber Security Plan for Nuclear Power Reactors."

2.0 REGULATORY EVALUATION

2.1 General Requirements

Consistent with 10 CFR 73.54(a), the licensee must provide high assurance that digital computer and communication systems, and networks are adequately protected against cyber attacks, up to and including the design basis threat (DBT), as described in 10 CFR 73.1. The licensee shall protect digital computer and communication systems and networks associated with: (i) safety-related and important-to-safety functions; (ii) security functions; (iii) emergency preparedness functions, including offsite communications; and (iv) support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness (SSEP) functions. The rule specifies that digital computer and communication systems and networks associated with these functions must be protected from cyber attacks that would adversely impact the integrity or confidentiality of data and software; deny access to systems, services, or data; or provide an adverse impact to the operations of systems, networks, and associated equipment.

In the October 21, 2010, Staff Requirements Memorandum (SRM)-COMWCO-10-0001, the Commission stated that the NRC's cyber security rule at 10 CFR 73.54 should be interpreted to include structures, systems, and components (SSCs) in the balance of plant (BOP) that have a nexus to radiological health and safety. The staff determined that SSCs in the BOP that have a nexus to radiological health and safety are those that could directly or indirectly affect reactivity of a nuclear power plant (NPP), and are, therefore, within the scope of important-to-safety functions described in 10 CFR 73.54(a)(1).

2.2 Elements of a CSP

As stated in 10 CFR 73.54(e), the licensee must establish, implement, and maintain a CSP that satisfies the Cyber Security Program requirements of this regulation. In addition, the CSP must describe how the licensee will implement the requirements of the regulation and must account for the site-specific conditions that affect implementation. One method of complying with this regulation is to describe within the CSP how the licensee will achieve high assurance that all SSEP functions are protected from cyber attacks.

2.3 Regulatory Guide (RG) 5.71 and Nuclear Energy Institute (NEI) 08-09, Revision 6

RG 5.71, "Cyber Security Programs for Nuclear Facilities," (Reference 3) describes a regulatory position that promotes a defensive strategy consisting of a defensive architecture and a set of security controls based on standards provided in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, "Recommended Security Controls for Federal Information Systems and Organizations" and NIST SP 800-82, "Guide to Industrial Control Systems Security," dated September 29, 2008. NIST SP 800-53 and NIST SP 800-82 are based on well-understood cyber threats, risks, and vulnerabilities, coupled with equally well understood countermeasures and protective techniques. RG 5.71 divides the above-noted security controls into three broad categories: technical, operational, and management.

RG 5.71 provides a framework to aid in the identification of those digital assets that licensees must protect from cyber attacks. These identified digital assets are referred to as "critical digital assets" (CDAs). Licensees should address the potential cyber security risks to CDAs by applying the defensive architecture and addressing the collection of security controls identified in RG 5.71. RG 5.71 includes a CSP template that provides one method for preparing an acceptable CSP.

The organization of RG 5.71 reflects the steps necessary to meet the requirements of 10 CFR 73.54. Section C.3 of RG 5.71 describes an acceptable method for implementing the security controls, as detailed in Appendix B, "Technical Controls," and Appendix C, "Operational and Management Controls." Section C.4 of RG 5.71 discusses the need to maintain the established Cyber Security Program, including comprehensive monitoring of the CDAs and the effectiveness of their security protection measures, ensuring that changes to the CDAs or the environment are controlled, coordinated, and periodically reviewed for continued protection from cyber attacks. Section C.5 of RG 5.71 provides licensees and applicants with guidance for retaining records associated with their Cyber Security Programs. Appendix A to RG 5.71 provides a template for a generic CSP which licensees may use to comply with the licensing requirements of 10 CFR 73.54. Appendices B and C provide an acceptable set of security controls, which are based on well-understood threats, vulnerabilities, and attacks, coupled with equally well-understood and vetted countermeasures and protective techniques.

NEI 08-09, Revision 6 closely maps with RG 5.71; Appendix A of NEI 08-09, Revision 6 contains a CSP template that is comparable to Appendix A of RG 5.71. Appendix D of NEI 08-09, Revision 6 contains technical cyber security controls that are comparable to Appendix B of RG 5.71. Appendix E of NEI 08-09, Revision 6 contains operational and management cyber security controls that are comparable to Appendix C of RG 5.71.

The NRC staff stated in a letter (Subject: Nuclear Energy Institute [NEI] 08-09, "Cyber Security Plan Template, Revision 6"), dated May 5, 2010 (ADAMS Accession No. ML101190371), that the licensee may use the template in NEI 08-09, Revision 6, to prepare an acceptable CSP, with the exception of the definition of "cyber attack." The NRC staff subsequently reviewed and approved by letter dated June 7, 2010 (ADAMS Accession No. ML101550052), a definition for "cyber attack" to be used in submissions based on NEI 08-09, Revision 6. The licensee submitted a CSP for CCNPP-1 and -2, NMPNS-1 and -2, and Ginna that was based on the template provided in NEI 08-09, Revision 6 and included a definition of "cyber attack" acceptable to the NRC staff. Additionally, the licensee submitted supplements to their CSP on April 4, 2011, and July 1, 2011, to include information on SSCs in the BOP that, if compromised, could affect NPP reactivity.

RG 5.71 and NEI 08-09, Revision 6 are comparable documents; both are based on essentially the same general approach and same set of technical, operational, and management security controls. The submitted CSP was reviewed against the corresponding sections in RG 5.71.

3.0 TECHNICAL EVALUATION

The NRC staff performed a technical evaluation of the licensee's submittal. The licensee's submittal, with the exceptions of deviations described in Section 3.24, generally conformed to the guidance in NEI 08-09, Revision 6, which was found to be acceptable by the NRC staff and comparable to RG 5.71 to satisfy the requirements contained in 10 CFR 73.54. The staff reviewed the licensee's submittal against the requirements of 10 CFR 73.54 following the guidance contained in RG 5.71. The staff's evaluation of each section of their submittal is discussed below.

3.1 Scope and Purpose

The licensee's CSP establishes a means to achieve high assurance that digital computer and communication systems and networks associated with the following functions are adequately protected against cyber attacks up to and including the DBT:

1. Safety-related and important-to-safety functions;

2. Security functions;

3. Emergency preparedness functions, including offsite communications; and

4. Support systems and equipment which, if compromised, would adversely impact SSEP functions.

The submitted CSP describes achievement of high assurance of adequate protection of systems associated with the above functions from cyber attacks by:

Implementing and documenting the "baseline" security controls as described in Section 3.1.6 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.3 described in RG 5.71; and

Implementing and documenting a Cyber Security Program to maintain the established cyber security controls through a comprehensive life cycle approach as described in Section 4 of NEI 08-09, Revision 6, which is comparable to Appendix A, Section A.2.1 of RG 5.71.

Thus, the licensee's CSP, as originally submitted, is comparable to the CSP in NEI 08-09, Revision 6. However, in its submittal dated April 4, 2011, the licensee clarified its original submission and indicated that the scope of systems includes those BOP SSCs that have an impact on NPP reactivity if compromised. This is in response to and consistent with Reference 2 in which the Commission stated that the NRC's cyber security rule at 10 CFR 73.54 should be interpreted to include SSCs in the BOP that have a nexus to radiological health and safety. The NRC staff determined that the systems that have a nexus to radiological health and safety could directly or indirectly affect reactivity of a NPP, and are, therefore, within the scope of important-to-safety functions described in 10 CFR 73.54(a)(1).

The NRC staff reviewed the CSP and the supplemental information submitted by the licensee and found no deviation from Regulatory Position C.3.3 in RG 5.71 and Appendix A, Section A.2.1 of RG 5.71. The NRC staff finds that the licensee established adequate measures to implement and document the Cyber Security Program, including baseline security controls.

Based on the above, the NRC staff finds that the CSP adequately establishes the Cyber Security Program, including baseline security controls.

3.2 Analyzing Digital Computer Systems and Networks and Applying Cyber Security Controls

The licensee's CSP describes that the Cyber Security Program is established, implemented, and maintained as described in Section 3.1 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.1 described in RG 5.71 to:

Analyze digital computer and communications systems and networks; and

Identify those assets that must be protected against cyber attacks to satisfy 10 CFR 73.54(a).

The submitted CSP describes how the cyber security controls in Appendices D and E of NEI 08-09, Revision 6, which are comparable to Appendices B and C in RG 5.71, are addressed to protect CDAs from cyber attacks.

This section of the CSP submitted by the licensee is comparable to Regulatory Position C.3.1 in RG 5.71 without deviation.

Based on the above, the NRC staff finds that the CSP adequately addresses security controls.

3.3 Cyber Security Assessment and Authorization

The licensee provided information addressing the creation of a formal, documented, cyber security assessment and authorization policy. This included a description concerning the creation of a formal, documented procedure comparable to Section 3.1.1 of NEI 08-09, Revision 6.

The NRC staff finds that the licensee established adequate measures to define and address the purpose, scope, roles, responsibilities, management commitment, and coordination, and facilitates the implementation of the cyber security assessment and authorization policy.

The NRC staff reviewed the above information and found no deviation from Section 3.1.1 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.1.1 and Appendix A, Section A.3.1.1 of RG 5.71.

Based on the above, the NRC staff finds that the CSP adequately established controls to develop, disseminate, and periodically update the cyber security assessment and authorization policy and implementing procedure.

3.4 Cyber Security Assessment Team (CSAT)

The CSAT responsibilities include conducting the cyber security assessment, documenting key findings during the assessment, and evaluating assumptions and conclusions about cyber security threats. The submitted CSP outlines the requirements, roles and responsibilities of the CSAT comparable to Section 3.1.2 of NEI 08-09, Revision 6. It also describes that the CSAT has the authority to conduct an independent assessment.

The submitted CSP describes that the CSAT will consist of individuals with knowledge about information and digital systems technology; NPP operations, engineering, and plant technical specifications; and physical security and emergency preparedness systems and programs. The CSAT description in the CSP is comparable to Regulatory Position C.3.1.2 in RG 5.71.

The submitted CSP lists the roles and responsibilities for the CSAT which included performing and overseeing the cyber security assessment process; documenting key observations; evaluating information about cyber security threats and vulnerabilities; confirming information obtained during tabletop reviews, walk-downs, or electronic validation of CDAs; and identifying potential new cyber security controls.

This section of the CSP submitted by the licensee is comparable to Regulatory Position C.3.1.2 in RG 5.71 without deviation.

Based on the above, the NRC staff finds that the CSP adequately establishes the requirements, roles and responsibilities of the CSAT.

3.5 Identification of CDAs

The submitted CSP describes that the licensee will identify and document CDAs and critical systems (CSs), including a general description, the overall function, the overall consequences if a compromise were to occur, and the security functional requirements or specifications as described in Section 3.1.3 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.1.3 of RG 5.71.

Based on the above, the NRC staff finds that the CSP adequately describes the process to identify CDAs.

3.6 Examination of Cyber Security Practices

The submitted CSP describes how the CSAT will examine and document the existing cyber security policies, procedures, and practices; existing cyber security controls; detailed descriptions of network and communication architectures (or network/communication architecture drawings); information on security devices; and any other information that may be helpful during the cyber security assessment process as described in Section 3.1.4 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.1.2 of RG 5.71. The examinations will include an analysis of the effectiveness of the existing Cyber Security Program and cyber security controls. The CSAT will document the collected cyber security information and the results of their examination of the collected information.

This section of the CSP submitted by the licensee is comparable to Regulatory Position C.3.1.2 in RG 5.71 without deviation.

Based on the above, the NRC staff finds that the CSP adequately describes the examination of cyber security practices.

3.7 Tabletop Reviews and Validation Testing

The submitted CSP describes tabletop reviews and validation testing, which confirm the direct and indirect connectivity of each CDA. The CSP states that validation testing will be performed electronically or by physical walkdowns. The licensee's plan for tabletop reviews and validation testing is comparable to Section 3.1.5 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.1.4 of RG 5.71.

Based on the above, the NRC staff finds that the CSP adequately describes tabletop reviews and validation testing.

3.8 Mitigation of Vulnerabilities and Application of Cyber Security Controls

The submitted CSP describes the use of information collected during the cyber security assessment process (e.g., disposition of cyber security controls, defensive models, defensive strategy measures, site and corporate network architectures) to implement security controls in accordance with Section 3.1.6 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.3 and Appendix A.3.1.6 to RG 5.71. The CSP describes the process that will be applied in cases where security controls cannot be implemented.

The submitted CSP notes that before the licensee can implement security controls on a CDA, it will assess the potential for adverse impact in accordance with Section 3.1.6 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.3 of RG 5.71.

Based on the above, the NRC staff finds that the CSP adequately describes mitigation of vulnerabilities and application of security controls.

3.9 Incorporating the Cyber Security Program into the Physical Protection Program

The submitted CSP states that the Cyber Security Program will be reviewed as a component of the Physical Security Program in accordance with the requirements of 10 CFR 73.55(m). This is comparable to Section 4.1 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.4 of RG 5.71.

This section of the CSP submitted by the licensee is comparable to Appendix A, Section A.3.2 in RG 5.71 without deviation.

Based on the above, the NRC staff finds that the CSP adequately describes the review of the CSP as a component of the physical security program.

3.10 Cyber Security Controls

The submitted CSP describes how the technical, operational and management cyber security controls contained in Appendices D and E of NEI 08-09, Revision 6, that are comparable to Appendices B and C in RG 5.71, are evaluated and dispositioned based on site-specific conditions during all phases of the Cyber Security Program. The CSP describes that many security controls have actions that are required to be performed on specific frequencies and that the frequency of a security control is satisfied if the action is performed within 1.25 times the frequency specified in the control, as applied, and as measured from the previous performance of the action as described in Section 4.2 of NEI 08-09, Revision 6.

This section of the CSP submitted by the licensee is comparable to Appendix A, Section A.3.1.6 in RG 5.71 without deviation.

Based on the above, the NRC staff finds that the CSP adequately describes implementation of cyber security controls.

3.11 Defense-in-Depth Protective Strategies

The submitted CSP describes the implementation of defensive strategies that ensure the capability to detect, respond to, and recover from a cyber attack. The CSP specifies that the defensive strategies consist of security controls, defense-in-depth measures, and the defensive architecture. The submitted CSP notes that the defensive architecture establishes the logical and physical boundaries to control the data transfer between these boundaries.

The licensee established defense-in-depth strategies by: implementing and documenting a defensive architecture as described in Section 4.3 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.2 in RG 5.71; a physical security program, including physical barriers; the operational and management controls described in Appendix E of NEI 08-09, Revision 6, which is comparable to Appendix C to RG 5.71; and the technical controls described in Appendix D of NEI 08-09, Revision 6, which is comparable to Appendix B to RG 5.71.

The licensee stated in the submitted CSP that, except for Security CDAs, a deterministic device would be used between Levels 2 and 3 and a firewall and network-based intrusion detection systems would be used between Levels 3 and 4. The licensee further stated that Security CDAs would be isolated from all other CDAs by one or more deterministic devices and that information flows between Security CDAs in one level and Security CDAs in another level are restricted through the use of a firewall and network-based intrusion detection system. Safety CDAs are in Level 4; Security CDAs are in Levels 3 and 4. This description is consistent with the defense-in-depth protective strategies described in NEI 08-09, Revision 6. The NRC staff finds this clarification to be acceptable based on the statement in the CSP that firewalls for both Security CDAs and non-Security CDAs implement the Information Flow Enforcement cyber security control in NEI 08-09, Revision 6, Appendix D, Section 1.4.

This section of the CSP submitted by the licensee is comparable to Regulatory Position C.3.2 and Appendix A, Section A.3.1.5 in RG 5.71.

Based on the above, the NRC staff finds that the CSP adequately describes implementation of defense-in-depth protective strategies.
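The boundary rules stated in Section 3.11 can be checked mechanically against a link inventory. The following Python sketch is an added example, not part of the NRC evaluation or the licensee's CSP; the asset names, the link inventory, and the reading that a link spanning several levels needs the devices of every boundary it crosses are assumptions made for illustration.

```python
"""Audit constructed network links against the boundary rules stated in Section 3.11."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    level: int        # defensive level; the evaluation places Safety CDAs in Level 4
    security: bool    # True for a Security CDA


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    devices: frozenset   # boundary devices on the path between a and b


# Level boundaries named in the evaluation and the devices stated for each.
BOUNDARY_DEVICES = {
    (2, 3): {"deterministic"},
    (3, 4): {"firewall", "nids"},
}


def required_devices(x: Asset, y: Asset) -> set:
    """Devices that must sit on a link between x and y (assumed reading of 3.11)."""
    if x.security != y.security:
        # Security CDAs are isolated from all other CDAs by deterministic devices.
        return {"deterministic"}
    if x.security:
        # Security CDA to Security CDA: firewall and NIDS when the levels differ.
        return {"firewall", "nids"} if x.level != y.level else set()
    lo, hi = sorted((x.level, y.level))
    needed = set()
    for (lower, upper), devices in BOUNDARY_DEVICES.items():
        if lo <= lower and hi >= upper:   # the link crosses this boundary
            needed |= devices
    return needed


def audit(assets, links):
    """Return (a, b, missing_devices) for every link that lacks a required device."""
    by_name = {asset.name: asset for asset in assets}
    findings = []
    for link in links:
        missing = required_devices(by_name[link.a], by_name[link.b]) - link.devices
        if missing:
            findings.append((link.a, link.b, sorted(missing)))
    return findings


# Constructed sample inventory (hypothetical names, not taken from any plant).
ASSETS = [
    Asset("corp-historian", 2, False),
    Asset("plant-data-server", 3, False),
    Asset("safety-controller", 4, False),
    Asset("sec-console", 3, True),
    Asset("sec-alarm-panel", 4, True),
]
LINKS = [
    Link("corp-historian", "plant-data-server", frozenset({"firewall"})),
    Link("plant-data-server", "safety-controller", frozenset({"firewall", "nids"})),
    Link("sec-console", "sec-alarm-panel", frozenset({"firewall"})),
    Link("sec-console", "plant-data-server", frozenset()),
    Link("sec-alarm-panel", "safety-controller", frozenset({"deterministic"})),
]

if __name__ == "__main__":
    for a, b, missing in audit(ASSETS, LINKS):
        print(f"{a} <-> {b}: missing {', '.join(missing)}")
```

The sketch checks only that the stated device types are present on each link; it does not model flow direction or the rule sets configured on the devices.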

3.12 Ongoing Monitoring and Assessment

The submitted CSP describes how ongoing monitoring of cyber security controls to support CDAs is implemented comparable to Appendix E of NEI 08-09, Revision 6, which is comparable to Regulatory Positions C.4.1 and C.4.2 of RG 5.71. The ongoing monitoring program includes configuration management and change control; cyber security impact analysis of changes and changed environments; ongoing assessments of cyber security controls; effectiveness analysis (to monitor and confirm that the cyber security controls are implemented correctly, operating as intended, and achieving the desired outcome) and vulnerability scans to identify new vulnerabilities that could affect the security posture of CDAs.

This section of the CSP submitted by the licensee is comparable to Regulatory Positions C.4.1 and C.4.2 of RG 5.71 without deviation.

Based on the above, the NRC staff finds that the CSP adequately describes ongoing monitoring and assessment.

3.13 Modification of Digital Assets

The submitted CSP describes how cyber security controls are established, implemented, and maintained to protect CDAs. These security controls ensure that modifications to CDAs are evaluated before implementation, that the cyber security performance objectives are maintained, and that acquired CDAs have cyber security requirements in place to achieve the site's Cyber Security Program objectives. This is comparable to Section 4.5 of NEI 08-09, Revision 6, which is comparable to Appendices A.4.2.5 and A.4.2.6 of RG 5.71.

Based on the above, the NRC staff finds that the CSP adequately describes modification of digital assets.

3.14 Attack Mitigation and Incident Response

The submitted CSP describes the process to ensure that SSEP functions are not adversely impacted due to cyber attacks in accordance with Section 4.6 of NEI 08-09, Revision 6, which is comparable to Appendix C, Section C.8 of RG 5.71. The CSP includes a discussion about creating incident response policy and procedures, and addresses training, testing and drills, incident handling, incident monitoring, and incident response assistance. It also describes identification, detection, response, containment, eradication, and recovery activities comparable to Section 4.6 of NEI 08-09, Revision 6.

This section of the CSP submitted by the licensee is comparable to Appendix C, Section C.8 of RG 5.71 without deviation.

Based on the above, the NRC staff finds that the CSP adequately describes attack mitigation and incident response.

3.15 Cyber Security Contingency Plan

The submitted CSP describes creation of a Cyber Security Contingency Plan and policy that protects CDAs from the adverse impacts of a cyber attack described in Section 4.7 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.3.2.7 and Appendix C.9 of RG 5.71. The licensee describes the Cyber Security Contingency Plan that would include the response to events. The plan includes procedures for (a) operating CDAs in a contingency, (b) roles and responsibilities of responders, (c) processes and procedures for backup and storage of information, (c) logical diagrams of network connectivity, (d) current configuration information, and (e) personnel lists for authorized access to CDAs.

This section of the CSP submitted by the licensee is comparable to Regulatory Position C.3.3.2.7 of RG 5.71 without deviation.

Based on the above, the NRC staff finds that the CSP adequately describes the cyber security contingency plan.

3.16 Cyber Security Training and Awareness

The submitted CSP describes a program that establishes the training requirements necessary for the licensee's personnel and contractors to perform their assigned duties and responsibilities in implementing the Cyber Security Program in accordance with Section 4.8 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.3.2.8 of RG 5.71. The CSP states that individuals will be trained with a level of cyber security knowledge commensurate with their assigned responsibilities in order to provide high assurance that individuals are able to perform their job functions in accordance with Appendix E of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.3.2.8 of RG 5.71 and describes three levels of training: awareness training, technical training, and specialized cyber security training.

Based on the above, the NRC staff finds that the CSP adequately describes the cyber security training and awareness.

3.17 Evaluate and Manage Cyber Risk

The submitted CSP describes how cyber risk is evaluated and managed utilizing site programs and procedures comparable to Section 4.9 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.4 and Appendix C, Section C.13 of RG 5.71. The CSP describes Threat and Vulnerability Management, Risk Mitigation, the Operational Experience Program, and the Corrective Action Program and how each will be used to evaluate and manage risk.

This section of the CSP submitted by the licensee is comparable to Regulatory Position C.4 and Appendix C, Section C.13 of RG 5.71 without deviation.

Based on the above, the NRC staff finds that the CSP adequately describes evaluation and management of cyber risk.

3.18 Policies and Implementing Procedures

The CSP describes development and implementation of policies and procedures to meet security control objectives in accordance with Section 4.10 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.5 and Appendix A, Section A.3.3 of RG 5.71. This includes the process to document, review, approve, issue, use, and revise policies and procedures.

The CSP also describes the licensee's procedures to establish specific responsibilities for positions described in Section 4.11 of NEI 08-09, Revision 6, which is comparable to Appendix C, Section C.10.10 of RG 5.71.

This section of the CSP submitted by the licensee is comparable to Regulatory Position C.3.5, Appendix A, Section A.3.3, and Appendix C, Section C.10.10 of RG 5.71 without deviation.

Based on the above, the NRC staff finds that the CSP adequately describes cyber security policies and implementing procedures.

3.19 Roles and Responsibilities

The submitted CSP describes the roles and responsibilities for the qualified and experienced personnel, including the Cyber Security Program Sponsor, the Cyber Security Program Manager, Cyber Security Specialists, the Cyber Security Incident Response Team (CSIRT), and other positions as needed. The CSIRT initiates in accordance with the Incident Response Plan and initiates emergency action when required to safeguard CDAs from cyber security compromise and to assist with the eventual recovery of compromised systems. Implementing procedures establish roles and responsibilities for each of the cyber security positions in accordance with Section 4.11 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.1.2, Appendix A, Section A.3.1.2, and Appendix C, Section C.10.10 of RG 5.71.

Based on the above, the NRC staff finds that the CSP adequately describes cyber security roles and responsibilities.

3.20 Cyber Security Program Review

The submitted CSP describes how the Cyber Security Program establishes the necessary procedures to implement reviews of applicable program elements in accordance with Section 4.12 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.4.3 and Appendix A, Section A.4.3 of RG 5.71.

Based on the above, the NRC staff finds that the CSP adequately describes Cyber Security Program review.

3.21 Document Control and Records Retention and Handling

The submitted CSP describes that the licensee has established the necessary measures and governing procedures to ensure that sufficient records of items and activities affecting cyber security are developed, reviewed, approved, issued, used, and revised to reflect completed work. The CSP described that superseded portions of certain records will be retained for at least 3 years after the record is superseded, while audit records will be retained for no less than 12 months in accordance with Section 4.13 of NEI 08-09, Revision 6. However, this guidance provided by industry to licensees did not fully comply with the requirements of 10 CFR 73.54.

In a letter dated February 28, 2011 (ADAMS Accession No. ML110600204), NEI sent to the NRC proposed language for licensees' use to respond to the generic records retention issue, to which the NRC had no technical objection (Reference: Letter from NRC dated March 1, 2011, ADAMS Accession No. ML110490337). The proposed language clarified the requirement by providing examples (without providing an all-inclusive list) of the records and supporting technical documentation that are needed to satisfy the requirements of 10 CFR 73.54. All records will be retained until the Commission terminates the license, and the licensee shall maintain superseded portions of these records for at least 3 years after the record is superseded, unless otherwise specified by the Commission. By retaining accurate and complete records and technical documentation until the license is terminated, inspectors, auditors, or assessors will have the ability to evaluate incidents, events, and other activities that are related to any of the cyber security elements described, referenced, and contained within the licensee's NRC-approved CSP. It will also allow the licensee to maintain the ability to detect and respond to cyber attacks in a timely manner, in the case of an event. In a letter dated April 4, 2011 (ADAMS Accession No. ML110950664), the licensee responded to the records retention issue using the language proposed by NEI in its letter dated February 28, 2011.

This section of the CSP submitted by the licensee is comparable to Regulatory Position C.5 and Appendix A, Section A.5 of RG 5.71 without deviation.

Based on the above, the NRC staff finds that the language the licensee proposes to adopt provides for adequate records retention and will support the licensee's ability to detect and respond to cyber attacks. The NRC staff further finds that this section is comparable to Regulatory Position C.5 and Appendix A, Section A.5 of RG 5.71 without deviation.

Accordingly, the NRC staff finds that the CSP adequately describes cyber security document control and records retention and handling.

3.22 Implementation Schedule

The submitted CSP provides a proposed implementation schedule for the Cyber Security Program. In a letter dated February 28, 2011 (ADAMS Accession No. ML110600206), NEI sent to the NRC a template for licensees to use to submit their CSP implementation schedules, to which the NRC had no technical objection (Reference: Letter from NRC dated March 1, 2011, ADAMS Accession No. ML110070348). These key milestones include:

  • Establish the CSAT;
  • Identify CSs and CDAs;
  • Install a deterministic one-way device between lower level devices and higher level devices;
  • Implement the security control "Access Control For Portable And Mobile Devices";
  • Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds by incorporating the appropriate elements;
  • Identify, document, and implement cyber security controls as per "Mitigation of Vulnerabilities and Application of Cyber Security Controls" for CDAs that could adversely impact the design function of target set equipment; and
  • Commence ongoing monitoring and assessment activities for those target set CDAs for which security controls have been implemented.

In a letter dated April 4, 2011 (ADAMS Accession No. ML110950664), the licensee provided a revised implementation schedule using the NEI template. The NRC staff considers this April 4, 2011, submission with the revised implementation schedule using the NEI template, the approved schedule as required by 10 CFR 73.54. Based on the provided schedule ensuring timely implementation of those protective measures that provide a higher degree of protection against radiological sabotage, the NRC staff finds the Cyber Security Program implementation schedule is satisfactory.

The NRC staff acknowledges that, in its letter dated July 16, 2010, as supplemented by letters dated April 4, and July 1, 2011, the licensee proposed several CSP milestone implementation dates as regulatory commitments. The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that "[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRC staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML110980538), the implementation of the plan, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. All subsequent changes to the NRC-approved CSP implementation schedule thus will require prior NRC approval pursuant to 10 CFR 50.90.

3.23 Revision of the License Conditions

In its submittal dated July 1, 2011, the licensee proposed to add a paragraph to each of the existing license conditions related to the respective physical security, training and qualification, and safeguards contingency plans in each license.

The following paragraph is added to the existing license condition related to the respective physical security, training and qualification, and safeguards contingency plans in each license:

(1) For CCNPP-1 (License Condition 2.D): "The licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The licensee's CSP was approved by License Amendment No. 298."

(2) For CCNPP-2 (License Condition 2.D): "The licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The licensee's CSP was approved by License Amendment No. 275."

(3) For NMPNS-1 (License Condition 2.D.(4)): "The licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The licensee's CSP was approved by License Amendment No. 209."

(4) For NMPNS-2 (License Condition 2.E): "Nine Mile Point Nuclear Station, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Nine Mile Point Nuclear Station's CSP was approved by License Amendment No. 137."

(5) For Ginna (License Condition 2.E): "The licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The licensee's CSP was approved by License Amendment No. 113."

4.0 DIFFERENCES FROM NEI 08-09, REVISION 6

The NRC staff notes the following additional differences between the licensee's submittal and NEI 08-09, Revision 6:

In Section 3.1, "Scope and Purpose," the licensee clarified the definition of important-to-safety functions, consistent with Reference 2.

In Section 3.21, "Document Control and Records Retention and Handling," the licensee clarified the definition of records and supporting documentation that will be retained to conform to the requirements of 10 CFR 73.54.

In Section 3.22, "Implementation Schedule," the licensee submitted a revised implementation schedule, specifying the interim milestones and the final implementation date, including supporting rationale.

The NRC staff finds all of these deviations to be acceptable as discussed in the respective sections.

5.0 STATE CONSULTATION

In accordance with the Commission's regulations, the New York State and Maryland State officials were notified of the proposed issuance of the amendment. The Maryland State officials had no comments. The New York State officials provided comments by e-mail dated June 15, 2011 (ADAMS Package Accession No. ML111730139) from the New York State Office of Cyber Security (OCS) following their review of the CENG CSP, implementation schedule, and CENG responses to NRC requests for additional information. The discussion of the comments received from New York State is provided below:

In accordance with the Commission's regulations, the New York State Energy Research and Development Authority (NYSERDA) was notified of the proposed issuance of license amendments in response to the application by the licensee dated July 16, 2010, as supplemented by letters dated April 4, and July 1, 2011, for the subject facilities in order to implement the CSP (ADAMS Package Accession No. ML11189A064) as required by 10 CFR Section 73.54, "Protection of digital computer and communication systems and networks." On June 15, 2011, NYSERDA responded by email (ADAMS Package Accession No. ML111730139) to the NRC Office of Nuclear Reactor Regulation (NRR). The response contained comments from the New York State Office of Cyber Security (OCS) following its review of the licensee's CSP, implementation schedule, and the licensee's responses to NRC requests for additional information. The OCS comments were based on a comparison of the licensee's CSP to the New York State Information Security Policy (PS03-002) and Information Classification and Control Policy and Standard (PS08-001). In these comments, OCS stated the PS03-002 and PS08-001 policies and standards are generic documents applicable to State agencies and do not include provisions for industrial facilities such as nuclear power plants.

5.1 Discussion

The licensee used the Nuclear Energy Institute (NEI) 08-09, Revision 6, cyber security plan template, which on May 5, 2010 the Nuclear Regulatory Commission (NRC) deemed acceptable for use in meeting the requirements of 10 CFR 73.54. The NEI 08-09, Revision 6, cyber security plan template is similar to the template provided in Appendix A of RG 5.71. The templates are based on cyber security standards put forth by the National Institute of Standards and Technology (NIST) and Department of Homeland Security (DHS), which were tailored by experts in cyber security, commercial nuclear power regulation, licensing and plant operations (including representatives from the NRC), the NEI, the nuclear power industry, and the private sector. The tailoring process focused on determining measures necessary to provide high assurance that critical plant functions at a nuclear power plant (NPP) are adequately protected against cyber attacks, up to and including the DBT. As a result, the cyber security policies and standards put forth by the NRC will differ from those developed by New York State. Once the licensee's cyber security plan is approved by the NRC, elements within this plan become a condition of its license. Furthermore, the plan requires the licensee to implement additional or more restrictive security controls if it is determined that further measures are necessary to successfully defend critical plant functions from cyber attacks (see Section C.3.3 Security Controls of RG 5.71).

The assets that fall within the scope of 10 CFR 73.54 include those digital computer and communication systems and networks associated with the following functions: safety and important-to-safety; security; emergency preparedness; and support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions. With regards to levels of specificity within the licensee's CSP, 10 CFR 73.54 is a performance-based regulation that focuses on desired, measurable outcomes, rather than prescriptive processes, techniques, or procedures. The level of specificity within the licensee's cyber security plan is sufficient for licensing. Additional specificity will be contained in site specific policies and procedures, and supporting documentation associated with the implementation of security controls, which will be made available to NRC inspectors during on site inspections and in the course of performing regulatory oversight activities.

For reasons specified in the OCS comments, implementation timeframes are a result of a variety of factors. Implementation of the cyber security controls specified within the respective cyber security plans requires detailed planning and time. The milestone provided in the schedule represents the timeframe necessary for the licensee to determine the most effective approach for establishing the defensive architecture outlined in the cyber security plan without affecting the function of critical plant systems or the performance capability of SSCs relied upon to mitigate the consequences of postulated accidents. The actual approach taken will vary by licensee. In addition, security control implementation may require a plant outage before modifications to a CDA are performed in an effort to avoid the disruption of critical plant functions, including safety, security, and emergency preparedness. Plant outages can further affect the implementation timeframe.

During the implementation period, the NRC continues to provide regulatory oversight while establishing its cyber security inspection program. Moreover, the NRC Cyber Assessment Team (CAT) is in place to coordinate with industry on security-related incidents, and to communicate to NPPs the vulnerability information necessary to aid in the development of protective strategies for defending against cyber attacks.

The NRC continuously seeks to improve the level of openness and transparency associated with its regulatory processes. Ensuring appropriate openness explicitly recognizes that the public must be informed about, and have a reasonable opportunity to participate meaningfully in, the NRC's regulatory processes. This openness and transparency is further supported through regular public meetings held by the NRC for the purpose of discussing topics such as cyber security. Information on public meetings is available on the NRC website (http://www.nrc.gov/public-involve/public-meetings/meeting-schedule.html).

5.2 NRC Staff Technical Responses

Although the responses provided below refer to sections within RG 5.71, the licensee used NEI 08-09 Revision 6 for their CSP. For regulatory consistency, the NRC technical staff has referred to sections within RG 5.71, however, there is in all cases a comparable section in NEI 08-09 Revision 6.

More detailed NRC staff technical responses to OCS comments are provided in Table 1 below.

Table 1 D t e ale "I d C omment Responses Reeort Toeic/Subject NY State Comment Reseonse Page No.

Page 3 Contrast between Licensees are not NYS correctly observes that licensees are not required to "Cyber Security required to submit submit this material for prior approval and that it will be Plan" and "Cyber

policies, made available for inspection by NRC staff. This is Security Program" implementing acceptable to the NRC staff because 1 0 CFR 73.54 is a procedures, site performance-based rule, which affords licensees specific analyses, or necessary flexibility in determining which measures will be other supporting taken to comply with the regulation. The detailed technical information technical documentation resulting from the implementation to the NRC for prior of the licensees' cyber security program is maintained on-review and approval site by the licensee, and is available to the NRC during as part of the cyber inspections. In other words, the cyber security plan security plan. Such outlines how the cyber security program will be information will only implemented and the program details will be maintained at be made available the licensee's site.

for inspection by the NRC staff.

Page 4 Comparison of New York State has The scope of NY State's information security policy is very NRC cyber no existing cyber different from NRC's cyber regulation under 10 CFR security security 73.54, and associated guidance. Industrial control requirements to requirements systems (ICS) have different risks, priorities, reliability, comparable applicable to and performance requirements than traditional information requirements set industrial facilities technology (IT) systems. The NRC cyber security forth by NY State such as nuclear gUidance (RG 5.71) includes a tailored security control OCS power plants. As a baseline in accordance with guidance outlined in Section result, comparison 3.3 of NIST SP 800-53, to include participation of experts was made to the from industry, NRC, and the private sector. Comparison New York State of RG 5.71, which addresses cyber security at nuclear information security power plants, with other standards, such as NYS' policies and standards, which were not intended to address industrial standards.

situations, will reveal substantial differences. These differences are justified by the difference between commercial or corporate needs and the needs of nuclear I

power plants.

- 18 Page 4 Principles of PS08-001 states Confidentiality, each information Integrity, and asset must be Availability classified using three principles (confidentiality, integrity, and availability) and, based on this classification, certain controls must be implemented to secure the information asset.

Page 4 Frequency of PS08-001 Controls Access Control No.1 and No. 47 Policies and require that agencies Procedures review all security Reviews procedures and controls, including the access control policy and procedures at least annually to ensure their effectiveness in the face of changing threats. 10 CFR 73.55(m) requires a review only every 24 months.

The NRC staff agrees that information must be managed based on confidentiality, integrity and availability and that appropriate controls must be implemented to secure information assets. 10 CFR 73.54(a)(2) and RG 5.71 Section C.2, Elements of a Cyber Security Plan, state licensees must protect critical plant systems within the scope of 10 CFR 73.54 from cyber attacks that would have the following effects:

  • adversely impact the integrity or confidentiality of data or software
  • deny access to or adversely impact the availability of systems, services, or data
  • adversely impact the operation of systems, networks, and associated equipment These three elements align with the principles of confidentiality, integrity, and availability as described by

. NY State.

The NRC staff agrees that periodic cyber security program reviews are important in the face of changing threats. RG 5.71 Appendix C Section 4 states that continuous and ongoing monitoring and assessment of the complete security life cycle for CDAs provides a means to evaluate and manage cyber risk. This security lifecycle includes the following elements:

  • continuous monitoring and assessment,
  • configuration management,
  • change management,
  • security impact analysis of changes and environment,
  • effectiveness analysis,
  • ongoing assessment of security controls and programs effectiveness,
  • vulnerability scans/assessments,
  • change control, and security program review.

Based on a review of NIST, IEEE, DHS, and ISA standards, a multi-disciplinary team of industry, NRC, and private sector experts determined that twenty-four months represents an acceptable frequency for a complete program review, although, as stated above, there are continuous and ongoing monitoring and assessment activities focused on each of the CDAs at a licensee's facility.

Furthermore, RG 5.71 states that a complete program review is required at least every 24 months, but also sets conditions for when such reviews would occur on a more frequent basis in Section C.4.3 Cyber Security Program Review.

Page 4 Adequate Resources With Access to CDAs

PS08-001 Control No. 6 requires agencies to ensure that more than one person has access to the CDA to ensure business continuity.

This control could not be readily identified in the guidance, but may be part of the contingency plans that are part of the licensees' detailed cyber security programs.

The NRC staff agrees that having more than one person with access to a CDA (i.e., continuity) is an important part of a cyber security plan. Continuity is addressed by security control C.9.2 Contingency Plan in Appendix C of RG 5.71, which states that the licensee must document as part of the contingency plan the resources (in other words the people) needed for a potential crisis situation. In addition, security control C.9.3 Contingency Plan Testing states licensees will use realistic test/exercise scenarios and environments, including unscheduled system maintenance activities, such as responding to CDA components and system failures, as an opportunity to test or exercise the contingency plan. All of these aforementioned controls require that multiple people have access to all critical systems to include CDAs.

Page 5 Media Control

PS08-001 Control No. 9 requires that electronic storage media and devices be issued, owned, controlled, or approved by the agency. This includes media used to record and store data, but not limited to tapes, hard drives, USB flash drives, memory cards/chips, CDs, and diskettes.

This requirement is not specifically laid out in the media protection processes found in the guidance.

The NRC staff agrees that controlling electronic media is critical to maintaining high assurance against cyber attacks. Security Control C.1.1 Media Protection Policy and Procedures, Appendix C of RG 5.71, addresses control and protection of electronic storage media and devices. That security control states that the licensee must implement procedures for all associated media protection controls, including procedures for media receipt, storage, handling, sanitization, removal, use, and disposal. These procedures pertain to both digital and non-digital media.

Page 5 Alternate Storage Sites

PS08-001 Control No. 10 requires that agencies ensure the security of alternate storage sites. The guidance does not clearly provide for the review and approval of physical/cyber controls at alternate storage sites.

The NRC staff agrees that the security of off-site storage is important and addresses alternate storage site security by security control C.9.5 Alternate Storage Site and Location for Backups in Appendix C of RG 5.71. The description of this security control can be compared to the CP-6 Alternate Storage Site security control in NIST SP 800-53, Revision 3.

Page 5 Transportation of Storage Media

PS08-001 Control No. 56 requires that executive management designate the level of management who can give written approval for transportation or storage of information outside of an approved storage facility and for transmission of information outside the agency. All such approvals must be documented by designated management. The guidance does not appear to require management review and/or approval of external systems used for storage/transmission.

While this control could not be readily identified in the guidance, it may be part of the licensees' detailed cyber security programs.

Policies and procedures governing transportation or storage of information outside of an approved storage facility and for transmission of that information are part of the licensee's detailed cyber security program and will be available for NRC inspection on-site at the licensee facility.

Page 5 Media Protection

PS08-001 Control No. 13 requires the creation and implementation of written procedures to keep track of individual documents, files, devices, or media which contain sensitive data and the individuals who have possession of them. This control could not be readily identified in the guidance, but may be part of the licensees' detailed cyber security programs.

The NRC staff agrees that written procedures are important to maintaining a cyber security program and outlines the establishment of policies and procedures governing media protection in security control C.1.1 Media Protection Policy and Procedures, Appendix C, of RG 5.71. Media protection is part of the licensee's detailed cyber security program and will be available for NRC inspection on-site at the licensee facility.

Page 5 Environmental

PS08-001 Control No. 21 requires information custodians to monitor environmental protection measures (e.g., HVAC, fire suppression) for problems and correct as needed. While the guidance includes implementation of environmental protection security controls (e.g., temperature, humidity), there is no mention of monitoring those controls to ensure they are functioning properly.

Because the environmental systems (e.g., HVAC) are not critical to the proper functioning of any of the safety systems, they are not addressed specifically by 10 CFR 73.54 or the RG 5.71. Nonetheless, the security control C.5.1 Physical and Environmental Protection Policies and Procedures in Appendix C of RG 5.71 does state that the licensees will develop procedures to facilitate the implementation of environmental protection policies and associated controls. This includes the security control C.5.3 Physical and Environmental Protection in that same section. In addition, continuous monitoring of all security controls is addressed in security control C.4.1 Continuous Monitoring and Assessment in Appendix C of RG 5.71.

Page 6 Password Complexity

Guidance indicates that the length, strength, and complexity of passwords balance security and operational ease of access within the capabilities of the CDA. Given that these are CDAs, a minimum length should be specified. Under New York's Cyber Security Standard S10-004, User Password Management, the password length minimum is eight characters.

The NRC staff agrees that password management must balance security and operational considerations. However, password management represents a fundamental difference between IT systems and ICS at a nuclear power plant. In some cases, CDA passwords are hard coded into the system to meet process control (timing) requirements.

However, in all cases, CDAs are protected by multiple levels of security (defense in depth), physical isolation, access control, and continuous monitoring. Furthermore, the RG 5.71 security control B.4.7 Authenticator Management in Appendix B provides guidance on password complexity and details will be documented in the licensees' on-site policies and procedures and made available to the NRC for inspections.

Page 6 Structures, Systems, and Components (SSCs)

To avoid confusion, the cyber security plans should be clarified to indicate that the controls apply to both CDAs and SSCs.

The NRC staff agrees that clarity is critical in a document as important as the licensee's cyber security plan and the plans have been clarified to indicate that systems, structures, and components (SSCs) are within the scope of 10 CFR 73.54. This clarification was in response to a letter dated November 26, 2010, wherein the NRC notified the North American Reliability Corporation (NERC) of a policy decision to include SSCs within the scope of 10 CFR 73.54. (See http://pbadupws.nrc.gov/docs/ML1031/ML103140394.pdf).

However, not all SSCs are digital and would not be treated as a CDA. In other words, all SSCs are considered as input to the process to determine if a given device is a CDA. Controls are then applied to all CDAs, but not necessarily all SSCs.

Page 6 Scope of Systems

It is the view of New York State that the cyber security plans should be clarified to encompass all digital assets within the facilities, not just critical systems, to ensure the licensees address as many potential pathways for attack as possible.

The NRC staff agrees that CDA connectivity and all potential pathways (wired, wireless, or physical) should be addressed. 10 CFR 73.54(b)(1) requires licensees to analyze digital computer and communication systems and networks and identify those assets that must be protected against cyber attacks. Section C.3.1.4 Review and Validation in RG 5.71 states licensees will "confirm the direct and indirect connectivity of each CDA, and identify pathways to CDAs." This is to be accomplished by either physical walk down inspection of each CDA's configuration and connections, or an electronic walkdown "if it is impractical to trace a communication pathway fully to its conclusion by means of a physical walkdown inspection."

Page 6 Training

Training should be provided to all employees and contractors, not just designated appropriate personnel.

10 CFR 73.54(d)(1) requires licensees to ensure that all appropriate facility personnel are aware of cyber security requirements and receive training necessary to perform their assigned duties and responsibilities. Section C.10.2 Awareness Training, Appendix C, of RG 5.71 outlines additional role-based training that should be provided based on assigned roles and responsibilities, specific requirements identified by the defensive strategy, and CDAs to which personnel have authorized access. In addition, training activities are coordinated, and interdependent, with physical security training.

Page 7 Protection of Non-Digital Media

Cyber security plans should include the protection of information assets that can be used in a cyber attack.

Information security controls should be applied to these information assets regardless of form or format. For example, paper documents containing blueprints for the plant should have confidentiality, availability, and integrity controls applied. It is possible that these controls are included in the licensees' physical protection programs and were, consequently, outside the scope of this review.

The NRC staff agrees that all information assets should be managed in accordance with the content contained therein. However, as noted in the NYS comment, the myriad other programs, policies, and procedures extant at all NPPs already address information assets in their various forms. Nonetheless, within the cyber security program the licensee is required to establish policies and procedures governing media protection as defined in security control C.1.1 Media Protection Policy and Procedures, Appendix C, of RG 5.71. Security control C.1.2 Media Access in this same section goes on to clarify that these procedures pertain to both digital and non-digital media. In addition to the protections outlined in RG 5.71, all licensees must also comply with the requirement of 10 CFR 73.21 and 10 CFR 73.22 for the protection of Safeguards Information.

Page 7 Licensee Project Planning

While it is clear that the implementation of cyber security plans and programs at the facilities in question represents a large and complex undertaking, implementation schedules that identify the latest possible dates for the completion of all milestones are not indicative of a rational approach to project management.

Establishing an implementation schedule that includes reasonable risk, effort, and resource based dates for the completion of individual key intermediate milestones would appear to be essential to managing such an undertaking.

The NRC agrees that it is in the best interest of the licensees to ensure that project plans address those items outlined in the comment. Detailed project plans with a greater level of specificity will be developed by the licensees for completion of milestones identified in the implementation schedules. Any deviation from the implementation schedule requires the licensee to request and receive approval from the NRC, under 10 CFR 50.90.

The NRC staff believes that setting deadlines for implementation of the various facets of the CSP is essential to achieving full implementation in a timely fashion. Licensees' implementation schedules also serve a practical licensing purpose; the NRC obtains assurance from licensees as to when certain cyber security program elements will be in place and the NRC can then schedule on-site inspection activities.

Page 7/8 Implementation dates

It is our view that full implementation of the cyber security plans should be completed sooner than the dates current implementation schedules. These dates, which are three to four years in the future, do not appropriately reflect the gravity of the cyber security risks that confront these critical facilities.

The NRC agrees that full implementation of the cyber security program should be completed as soon as possible. The intent of the implementation schedule is to complete a majority of the cyber-significant work by the end of 2012. The first seven milestones are:

  • identifying the Critical Systems (CSs) and Critical Digital Assets (CDAs),
  • isolating Levels 3 & 4 (where the most important systems are located),
  • controlling portable and mobile devices,
  • looking for obvious cyber tampering,
  • applying security controls to at least the CDAs,
  • implementation of continuous monitoring of those CDAs and their respective controls.

The three to four years for full implementation of the cyber security program reflects the complexity of the issues involved. Furthermore, some of the cyber security program elements will require work that can only be accomplished during a shut-down or refueling outage. For multi-unit (multi-reactor) sites this may require several years to fully implement all cyber security program elements.

Page 8/9 No Significant Hazard Determination

In their implementation schedules, all licensees state that "[i]solating the plant systems from the internet, as well as from the corporate business systems is an important milestone in defending against external threats. While the deployment of the barriers is critical to protection from external cyber threats, it also prevents remote access to core monitoring and plant data systems for reactor engineers, plant operations, and other plant staff. This elimination of remote access to reactor core monitoring systems may require the development and execution of a detailed change management plan to ensure continued safe operation of the plants." This statement appears to be inconsistent with the NRC's finding that the amendment will not involve a significant increase in the probability or consequences of an accident previously evaluated; or (2) create the possibility of a new or different kind of accident from any accident previously evaluated; or (3) involve a significant reduction in a margin of safety.

As stated in 10 CFR 73.54, licensees are required to protect critical plant systems from cyber attacks, up to and including the DBT. Isolation of critical plant systems from the Internet and corporate IT systems is part of the security defensive architecture and defense-in-depth strategies described in RG 5.71.

Isolating plant systems from the Internet and corporate business systems will not interfere with the ability of engineers in the control room to monitor the core or other critical safety functions.

Implementation of a detailed change management plan as an alternative control for allowing remote maintenance access to CDAs is acceptable, as long as the alternative control does not adversely impact SSEP functions.

Page 9 General Recommendations

It is imperative that cyber security be made a priority. While the creation of cyber security plans is an important first step, programs need to be in place to ensure that these plans are implemented at an appropriate pace, and once implemented are followed. In addition, it is also important for the licensees to provide transparency for their efforts to mitigate cyber security vulnerabilities while they are progressing toward full implementation of the required cyber security plans.

Finally, OCS recommends that the implementation of the cyber security plans be substantiated by NRC inspections.

The NRC staff agrees that cyber security is a priority, that plans must be created and implemented at an appropriate pace and must be followed and inspected, and that transparency should be promoted so long as it does not jeopardize safety or security.

Every NPP has its own implementation schedule, but there are unifying elements across the operating fleet's documentation. The intent of the implementation schedule is to complete a majority of the cyber-significant work by the end of 2012 and the final milestone includes the completion of all remaining actions that result in the full implementation of the cyber security program for all applicable safety, security, and emergency preparedness functions.

While the NRC completes the reviews of the licensee's cyber security plans, the NRC Oversight and Inspection program is preparing for on-site inspections.

6.0 ENVIRONMENTAL CONSIDERATION

The amendments, by incorporation of the NRC-approved CSP and the NRC-approved CSP implementation schedule in the licensing basis, involve (1) changes in a requirement with respect to installation or use of a facility component located within the restricted area as defined in 10 CFR Part 20 and changes surveillance requirements, (2) changes in record keeping, reporting, or administrative procedures or requirements, and (3) solely related to safeguards matters (protection against sabotage) involving (a) Organizational and Procedural matters, (b) Modifications to systems used for security, and (c) Administrative changes.

The NRC staff has determined that the amendments involve no significant increase in amounts, and no significant change in the types of any effluents that may be released offsite, and that there is no significant increase in individual or cumulative occupational radiation exposure. On October 12, 2010, the Commission published its proposed finding that the amendments involve no significant hazards consideration (75 FR 62594). There were no public comments on that proposed finding within thirty days of publication. While New York State filed a number of comments on the CSP approximately nine months later, on June 15, 2011, it did not comment on the proposed no significant hazards consideration within thirty days of publication of the proposed finding in the Federal Register. Also, these amendments do not involve any significant construction impacts. Accordingly, the amendments thus meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9), (10), and (12). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.

7.0 CONCLUSION

The NRC staff's review and evaluation of the licensee's CSP was conducted using the staff positions established in the relevant sections of RG 5.71. Based on the NRC staff's review, the NRC finds that the licensee addressed the relevant information necessary to satisfy the requirements of 10 CFR 73.54, 10 CFR 73.55(a)(1), 10 CFR 73.55(b)(8), and 10 CFR 73.55(m), as applicable and that the licensee's Cyber Security Program provides high assurance that CDAs are adequately protected against cyber attacks, up to and including the DBT as described in 10 CFR 73.1. This includes protecting digital computer and communication systems and networks associated with: (i) safety-related and important to safety functions; (ii) security functions; (iii) emergency preparedness functions; and (iv) support systems and equipment which, if compromised, would adversely impact SSEP functions.

The Commission has concluded, based on the considerations discussed above that (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

8.0 REFERENCES

1. Section 73.54 of 10 CFR, "Protection of Digital Computer and Communication Systems and Networks," U.S. Nuclear Regulatory Commission, Washington, DC, March 27, 2009.

2. SRM-COMWCO-10-0001, "Regulation of Cyber Security at Nuclear Power Plants," October 21, 2010. (ADAMS Accession No. ML102940009)

3. Regulatory Guide 5.71, "Cyber Security Programs for Nuclear Facilities," U.S. Nuclear Regulatory Commission, Washington, DC, January 2010. (ADAMS Accession No. ML090340159)

Principal Contributor: J. Rycyna, NSIR/DSP/CSIRB

Date: August 19, 2011

addressed by the NRC Notice of Availability, Federal Register Notice, Final Rule 10 CFR Part 73, Power Reactor Security Requirements, published on March 27, 2009 (74 FR 13926).

These license amendments are effective as of the date of its issuance. The implementation of the CSP, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee on July 16, 2010, as supplemented by letters dated April 4, and July 1, 2011, and approved by the NRC staff by these license amendments. All subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90.

A copy of the related Safety Evaluation is also enclosed. A Notice of Issuance will be included in the Commission's biweekly Federal Register notice.

Sincerely,

/RA/

Douglas Pickett, Senior Project Manager
Plant Licensing Branch 1-1
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket Nos. 50-220, 50-410, 50-317, 50-318, and 50-244

Enclosures:

1. Amendment No. 298 to Renewed FOL No. DPR-53
2. Amendment No. 275 to Renewed FOL No. DPR-69
3. Amendment No. 209 to Renewed FOL No. DPR-63
4. Amendment No. 137 to Renewed FOL No. NPF-69
5. Amendment No. 113 to Renewed FOL No. DPR-18
6. Safety Evaluation

cc w/encls: Distribution via Listserv