ML112360439

Use of Mobile Telephone Devices for Electronic Transmission of Safeguards Information
ML112360439
Person / Time
Site: San Onofre
Issue date: 10/03/2011
From: Craig Erlanger
NRC/NSIR/DSP/DDRSR/SPLB
To: Bauder D
Southern California Edison Co
Stella Opara, NSIR/DSP 301-415-5969


Text

October 4, 2011

Mr. Douglas R. Bauder
Site Vice President & Station Manager
San Onofre Nuclear Generating Station
P.O. Box 128
San Clemente, CA 92672

SUBJECT: USE OF MOBILE TELEPHONE DEVICES FOR ELECTRONIC TRANSMISSION OF SAFEGUARDS INFORMATION

Dear Mr. Bauder:

By letter dated June 10, 2011, San Onofre Nuclear Generating Station requested approval to utilize mobile telephone devices to transmit Safeguards Information (SGI) with the Cellcrypt Mobile application and the CCORE Cryptographic Module by Cellcrypt Limited. National Institute of Standards and Technology (NIST) Certificate (Number 1310) shows that this software development tool complies with Federal Information Processing Standards (FIPS) 140-2, "Security Requirements for Cryptographic Modules."

The U.S. Nuclear Regulatory Commission (NRC) staff finds the use of Cellcrypt Mobile application and the CCORE Cryptographic Module by Cellcrypt Limited is acceptable for processing and transmitting SGI electronically for your site provided that:

1. Cellcrypt has been developed using CCORE version 0.6.0-rc3 (hereafter CCORE or CCORE Module) by Cellcrypt Limited, which has been validated by NIST, Certificate Number 1310 to meet FIPS 140-2.

2. NIST-validated Cryptographic Algorithms are used to encrypt data for electronic transmission. These algorithms are listed in the certificate with algorithm certificate numbers. The NIST website, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm, should be checked to ensure that the Cryptographic Algorithms selected for encrypting data are continuously approved by NIST. The NRC approves only those Cryptographic Algorithms approved by NIST. Thus, if NIST no longer approves certain Cryptographic Algorithms, the NRC also does not approve use of that Cryptographic Algorithm.

3. Addressees may replace the current version of encryption products that were approved by the NRC with a newer version of encryption product without prior approval from the NRC, provided that the addressees document that the newer version of encryption product, i.e., document that the FIPS validation certificate of the newer version of encryption product is the same as the current version of encryption product.

Title 10 of the Code of Federal Regulations (10 CFR) Section 73.22(f)(3) states, in part,

... Safeguards Information shall be transmitted outside an authorized place of use or storage only by NRC approved secure electronic devices, such as facsimiles or telephone devices.

The Secretary of Commerce has made use of Cryptographic Module Validation Program products mandatory and binding for Federal agencies when a Federal agency determines that cryptography is necessary for protecting sensitive information.

The public key should be named according to the following syntax:

LastName_FirstName_Organization.asc. This naming convention represents the organizational point of contact indicated as owning the key. Please provide the public key for transmitting SGI and the point of contact information (name, telephone number and e-mail address) to the NRC point of contact provided below. All SGI holders must employ an appropriate credentialing process to verify that individuals provided with public keys are legitimate users. Private keys must be controlled as SGI.

The NRC technical point of contact regarding the use of mobile telephone devices to transmit SGI is Monika Coflin, Cyber Security Specialist, Division of Security Policy, and can be reached at (301) 415-6659 or via e-mail at Monika.Coflin@nrc.gov.

If you have any questions, please contact me at (301) 415-5374.

Sincerely,

/RA/ A. Shropshire for/

Craig G. Erlanger, Chief
Cyber Security and Integrated Response Branch
Division of Security Policy
Office of Nuclear Security and Incident Response

DISTRIBUTION:

DSP r/f

ADAMS Accession number: ML112360439

OFFICE  NSIR/DSP  NSIR/DSO  NSIR/DSP
NAME  MCoflin  BStapleton  AShropshire for/CErlanger
DATE  9/01/11  10/03/2011  10/03/2011

OFFICIAL RECORD COPY