ML112790442
| ML112790442 | |
| Person / Time | |
|---|---|
| Site: | Oconee, Mcguire, Catawba, McGuire  |
| Issue date: | 10/17/2011 |
| From: | Craig Erlanger NRC/NSIR/DSP/DDRSR/SPLB |
| To: | Glover R Duke Energy Corp |
| Coflin Monika 415-6659 | |
| Shared Package | |
| ML112790456` | List: |
| References | |
| Download: ML112790442 (3) | |
Text
October 17, 2011 Mr. R. Michael Glover General Manager, Nuclear Support Duke Energy Corporation P.O. Box 1006 EC07H Charlotte, NC 28201-1006
SUBJECT:
USE OF ENCRYPTION SOFTWARE FOR ELECTRONIC TRANSMISSION OF SAFEGUARDS INFORMATION
Dear Mr. Glover:
By letter dated February 24, 2011, Duke Energy requested approval for the use of Pretty Good Privacy (PGP) Desktop Email Version 10.0, developed with PGP Software Developers Kit (SDK) 4.0.0 for encryption of Safeguards Information (SGI) for the Oconee Nuclear Station, McGuire Nuclear Station, Catawba Nuclear Station, Nuclear General Office, and William States Lee III Nuclear Station. National Institute of Standards and Technology (NIST) Certificate (Number 1325) shows that this software development tool complies with Federal Information Processing Standards (FIPS) 140-2, Security Requirements for Cryptographic Modules.
The U.S. Nuclear Regulatory Commission (NRC) staff finds the use of PGP Desktop Email Version 10.0 is acceptable for processing and transmitting SGI electronically for your site provided that:
- 1.
The PGP software has been developed using a software development tool, PGP SDK 4.0.0, which has been validated by NIST, Certificate Number 1325 to meet FIPS 140-2.
- 2.
NIST-validated Cryptographic Algorithms are used to encrypt data for electronic transmission. These algorithms are listed in the certificate with algorithm certificate numbers. The NIST website, http://csrc.nist.gov/groups/STM/cmvp/
documents/140-1/140val-all.htm, should be checked to ensure that the Cryptographic Algorithms selected for encrypting data are continuously approved by NIST. The NRC approves only those Cryptographic Algorithms approved by NIST. Thus, if NIST no longer approves certain Cryptographic Algorithms, the NRC also does not approve use of that Cryptographic Algorithm.
- 3.
Addressees may replace the current version of encryption products that were approved by the NRC with a newer version of encryption product without prior approval from the NRC, provided that the addressees document that the newer version of encryption product, (i.e., document that the FIPS validation certificate of the newer version of encryption product), is the same as the current version of encryption product.
R. Glover Title 10 of the Code of Federal Regulations Section 73.22(f)(3) states, in part,
... Safeguards Information shall be transmitted outside an authorized place of use or storage only by NRC approved secure electronic devices, such as facsimiles or telephone devices.
The Secretary of Commerce has made use of Cryptographic Module Validation Program products mandatory and binding for Federal agencies when a Federal agency determines that cryptography is necessary for protecting sensitive information.
The public key should be named according to the following syntax:
LastName_FirstName_Organization.asc. This naming convention represents the organizational point of contact indicated as owning the key. Please provide the public key for transmitting SGI and the point of contact information (name, telephone number and e-mail address) to the NRC point of contact provided below. All SGI holders must employ an appropriate credentialing process to verify that individuals provided with public keys are legitimate users. Private keys must be controlled as SGI.
The NRC technical point of contact regarding the use of mobile telephone devices to transmit SGI is Monika Coflin, Cyber Security Specialist, Division of Security Policy, and can be reached at (301) 415-6659 or via e-mail at Monika.Coflin@nrc.gov.
If you have any questions, please contact me at (301) 415-5374.
Sincerely,
/RA/ A. Shropshire for/
Craig G. Erlanger, Chief Cyber Security and Integrated Response Branch Division of Security Policy Office of Nuclear Security and Incident Response
R. Glover Title 10 of the Code of Federal Regulations Section 73.22(f)(3) states, in part,
... Safeguards Information shall be transmitted outside an authorized place of use or storage only by NRC approved secure electronic devices, such as facsimiles or telephone devices.
The Secretary of Commerce has made use of Cryptographic Module Validation Program products mandatory and binding for Federal agencies when a Federal agency determines that cryptography is necessary for protecting sensitive information.
The public key should be named according to the following syntax:
LastName_FirstName_Organization.asc. This naming convention represents the organizational point of contact indicated as owning the key. Please provide the public key for transmitting SGI and the point of contact information (name, telephone number and e-mail address) to the NRC point of contact provided below. All SGI holders must employ an appropriate credentialing process to verify that individuals provided with public keys are legitimate users. Private keys must be controlled as SGI.
The NRC technical point of contact regarding the use of mobile telephone devices to transmit SGI is Monika Coflin, Cyber Security Specialist, Division of Security Policy, and can be reached at (301) 415-6659 or via e-mail at Monika.Coflin@nrc.gov.
If you have any questions, please contact me at (301) 415-5374.
Sincerely,
/RA/ A. Shropshire for/
Craig G. Erlanger, Chief Cyber Security and Integrated Response Branch Division of Security Policy Office of Nuclear Security and Incident Response DISTRIBUTION:
DSP r/f ADAMS Accession number: ML112790442, Pkg. ML112790456 OFFICE NSIR/DSP NSIR/DSO NSIR/DSP NAME MCoflin BStapleton CErlanger DATE 10/07/2011 10/13/2011 10/17 /2011 OFFICIAL RECORD COPY