Issuance of Amendment to Renewed Facility Operating License Revised Cyber Security Plan Implementation Schedule Milestone 6

ML12251A155
Person / Time
Site:	Point Beach
Issue date:	11/23/2012
From:	Beltz T Plant Licensing Branch III
To:	Meyer L Point Beach
Beltz T
References
TAC ME8914, TAC ME8915
Download: ML12251A155 (19)
v • d • e

Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 November 23, 2012 Mr. Larry Meyer Site Vice President NextEra Energy Point Beach, LLC Point Beach Nuclear Plant 6610 Nuclear Road Two Rivers, WI 54241

SUBJECT:

POINT BEACH NUCLEAR PLANT, UNITS 1 AND 2 - ISSUANCE OF AMENDMENTS RE: REVISED CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE MILESTONE 6 (TAC NOS. ME8914 AND ME8915)

Dear Mr. Meyer:

The Nuclear Regulatory Commission has issued the enclosed Amendment Nos. 247 and 251 to Renewed Facility Operating License Nos. DPR-24 and DPR-27, for the Point Beach Nuclear Plant, Units 1 and 2, respectively. The amendments consist of changes to the Renewed Facility Operating Licenses in response to your application dated June 18, 2012, as supplemented by letter dated September 17,2012.

The amendment approves the change in scope of Cyber Security Plan Implementation Schedule Milestone 6, and revises License Condition 4.D of the Renewed Facility Operating Licenses for PBNP Units 1 and 2.

A copy of our related safety evaluation is also enclosed. The Notice of Issuance will be included in the Commission's biweekly Federal Register notice.

Sincerely,

~- Terry A. Beltz, Senior Project Manager Plant Licensing Branch 111-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. 50-266 and 50-301

Enclosures:

1. Amendment No. 247 to DPR-24

2. Amendment No. 251 to DPR-27

3. Safety Evaluation cc w/encls: Distribution via ListServ

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 NEXTERA ENERGY POINT BEACH, LLC DOCKET NO. 50-266 POINT BEACH NUCLEAR PLANT. UNIT 1 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 247 License No. DPR-24

1. The U.S. Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by NextEra Energy Point Beach, LLC (the licensee) dated June 18,2012, as supplemented by letter dated September 17, 2012, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public: and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

-2

2. Accordingly, paragraph 4.0 of Renewed Facility Operating License No. DPR-24 is hereby amended to read as follows:

D. Physical Protection NextEra Energy Point Beach shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans, including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Point Beach Nuclear Plant Physical Security Plan, (Revision 4)," submitted by letter dated May 10, 2006. NextEra Energy Point Beach, LLC shall fully implement and maintain in effect all provisions of the Commission-approved Point Beach Nuclear Plant Cyber Security Plan (CSP),

including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NextEra Energy Point Beach CSP was approved by License Amendment No. 243 as supplemented by a change approved by License Amendment No. 247.

3. This license amendment is effective as of the date of its issuance and shall be implemented by December 31, 2012.

FOR THE NUCLEAR REGULATORY COMMISSION Robert D. Carlson, Chief Plant Licensing Branch 111-1 Division of Operating Reactor licensing Office of Nuclear Reactor Regulation

Attachment:

Changes to the Renewed Facility Operating License Date of issuance: November 23, 2012

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 NEXTERA ENERGY POINT BEACH, LLC DOCKET NO. 50-301 POINT BEACH NUCLEAR PLANT, UNIT 2 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 251 License No. DPR-27

1. The U.S. Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by NextEra Energy Point Beach, LLC (the licensee) dated June 18, 2012, as supplemented by letter dated September 17, 2012, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I;

8. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

-2

2. Accordingly, paragraph 4.D of Renewed Facility Operating License No. DPR-27 is hereby amended to read as follows:

D. Physical Protection NextEra Energy Point Beach shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans, including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Point Beach Nuclear Plant Physical Security Plan, (Revision 4)," submitted by letter dated May 10, 2006. NextEra Energy Point Beach, LLC shall fully implement and maintain in effect all provisions of the Commission-approved Point Beach Nuclear Plant Cyber Security Plan (CSP),

including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NextEra Energy Point Beach CSP was approved by License Amendment No. 247 as supplemented by a change approved by License Amendment No. 251.

3. This license amendment is effective as of the date of its issuance and shall be implemented by December 31,2012.

FOR THE NUCLEAR REGULATORY COMMISSION Robert D. Carlson, Chief Plant Licensing Branch 111-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

Attachment:

Changes to the Renewed Facility Operating License Date of issuance: November 23, 2012

ATTACHMENT TO LICENSE AMENDMENT NO. 247 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-24 AND LICENSE AMENDMENT NO. 251 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-27 DOCKET NOS. 50-266 AND 50-301 Replace the following pages of the Renewed Facility Operating Licenses with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.

REMOVE INSERT Unit 1 License Page 4 Unit 1 License Page 4 Unit 1 License Page 5 Unit 1 License Page 5 Unit 1 License Page 6 Unit 1 License Page 6 Unit 2 License Page 4 Unit 2 License Page 4 Unit 2 License Page 5 Unit 2 License Page 5 Unit 2 License Page 6 Unit 2 License Page 6

-4 D. Physical Protection NextEra Energy Point Beach shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans, including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.SS (S1 FR 27817 and 27822) and to the authority of 10 CFR SO.90 and 10 CFR SO.S4(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Point Beach Nuclear Plant Physical Security Plan, (Revision 4)," submitted by letter dated May 10, 2006. NextEra Energy Point Beach, LLC shall fully implement and maintain in effect aU provisions of the Commission-approved Point Beach Nuclear Plant Cyber Security Plan (CSP),

including changes made pursuant to the authority of 10 CFR SO.90 and 10 CFR SO.S4(p). The NextEra Energy Point Beach CSP was approved by License Amendment No. 243 as supplemented by a change approved by License Amendment No. 247.

E. Safety Injection Logic The licensee is authorized to modify the safety injection actuation logic and actuation power supplies and related changes as described in licensee's application for amendment dated April 27, 1979, as supplemented May 7,1979. In the interim period until the power supply modification has been completed, should any DC powered safety injection actuation channel be in a failed condition for greater than one hour, the unit shall thereafter be shutdown using normal procedures and placed in a block-permissive condition for safety injection actuation.

F. NextEra Energy Point Beach shall implement and maintain in effect all provisions of the approved fire protection program as described in the FSAR for the facility and as approved in the Safety Evaluation Report dated August 2, 1979 (and Supplements dated October 21, 1980, January 22, 1981, and July 27, 1988) and the safety evaluation issued January 8, 1997, for Technical Specification Amendment No. 170, subject to the following provision:

NextEra Energy Point Beach may make changes to the approved fire protection program without prior approval of the Commission only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire.

G. Secondary Water Chemistry Monitoring Program NextEra Energy Point Beach shall implement a secondary water chemistry monitoring program to inhibit steam generator tube degradation. This program shall include:

1. Identification of a sampling schedule for the critical parameters and control points for these parameters;

2. Identification of the procedures used to quantify parameters that are critical to control points;

3. Identification of process sampling points;

4. Procedure for the recording and management of data; Renewed License No. DPR-24 Amendment No. 247

-5

5. Procedures defining corrective actions for off control point chemistry condition; and

6. A procedure for identifying the authority responsible for the interpretation of the data. and the sequence and timing of administrative events required to initiate corrective action.

H. The licensee is authorized to repair Unit 1 steam generators by replacement of major components. Repairs shall be conducted in accordance with the licensee's commitments identified in the Commission approved Point Beach Nuclear Plant Unit No.1 Steam Generator Repair Report dated August 9. 1982 and revised March 1. 1983 and additional commitments identified in the staff's related safety evaluation.

I. The FSAR supplement. dated February 25. 2004, as revised, submitted pursuant to 10 CFR 54.21(d), shall be included in the next scheduled update to the FSAR required by 10 CFR 50.71 (e}(4) following the issuance of this renewed operating license. Until that update is complete. FPLE Point Beach 1 may make changes to the programs and activities described in the supplement without prior Commission approval, provided that FPLE Point Beach' evaluates such changes pursuant to the criteria set forth in 10 CFR 50.59 and otherwise complies with the requirements in that section.

J. The FSAR supplement, dated February 25,2004, as revised, describes certain future activities to be completed prior to the period of extended operation. NextEra Energy Point Beach shall complete these activities no later than October 5, 2010, and shall notify the NRC in writing when implementation of these activities is complete and can be verified by NRC inspection.

K. All capsules in the reactor vessel that are removed and tested must meet the test procedures and reporting requirements of American Society for Testing and Materials (ASTM) E 185-82 to the extent practicable for the configuration of the specimens in the capsule. Any changes to the capsule withdrawal schedule, including spare capsules, must be approved by the NRC prior to implementation. All capsules placed in storage must be maintained for future insertion. Any changes to storage requirements must be approved by the NRC, as required by 10 CFR Part 5'0, Appendix H.

L. Mitigation Strategy Strategies shall be developed and maintained for addressing large fires and explosions that include the following key areas:

1. Fire fighting response strategy with the following elements:

a. Pre-defined coordinated fire response strategy and guidance

b. Assessment of mutual aid fire fighting assets 1 On April 16, 2009, the name "FPLE Point Beach, LLC" was changed to "NextEra Energy Point Beach. LLC."

Renewed License No. DPR-24 Amendment No. 247

-6

c. Designated staging areas for equipment and materials

d. Command and control

e. Training of response personnel

2. Operations to mitigate fuel damage considering the following:

a. Protection and use of personnel assets

b. Communications

c. Minimizing fire spread

d. Procedures for implementing integrated fire response strategy

e. Identification of readily-available pre-staged equipment

f. Training on integrated fire response strategy

g. Spent fuel pool mitigation measures

3. Actions to minimize release to include consideration of:

a. Water spray scrubbing

b. Dose to onsite responders M. Additional Conditions The additional conditions contained in Appendix C, as revised through Amendment No. 241, are hereby incorporated into this license. NextEra Energy Point Beach shall operate the facility in accordance with the additional conditions.

5. The issuance of this renewed operating license is without prejudice to subsequent licensing action which may be taken by the Commission with regard to the ongoing rulemaking hearing on the Interim Acceptance Criteria for Emergency Core Cooling Systems (Docket No. RM 50-1).

6. This renewed operating license is effective as of the date of issuance, and shall expire at midnight on October 5,2030.

FOR THE NUCLEAR REGULATORY COMMISSION Original Signed By R. W. Borchardt, Deputy Director Office of Nuclear Reactor Regulation Attachments:

1. Appendix A - Technical Specifications

2. Appendix B - Environmental Technical Specifications

3. Appendix C - Additional Conditions Date of Issuance: December 22, 2005 Renewed License No. DPR-24 Amendment No. 247

-4 D. Physical Protection NextEra Energy Point Beach shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans, including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Point Beach Nuclear Plant Physical Security Plan, (Revision 4)," submitted by letter dated May 10, 2006. NextEra Energy Point Beach, LLC shall fully implement and maintain in effect all provisions of the Commission-approved Point Beach Nuclear Plant Cyber Security Plan (CSP),

including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NextEra Energy Point Beach CSP was approved by License Amendment No. 247 as supplemented by a change approved by License Amendment No. 251.

E. Safety Injection Logic The licensee is authorized to modify the safety injection actuation logic and actuation power supplies and related changes as described in licensee's application for amendment dated April 27, 1979, as supplemented May 7, 1979. In the interim period until the power supply modification has been completed, should any DC powered safety injection actuation channel be in a failed condition for greater than one hour, the unit shall thereafter be shut down using normal procedures and placed in a block-permissive condition for safety injection actuation.

F. NextEra Energy Point Beach shall implement and maintain in effect all provisions of the approved fire protection program as described in the FSAR for the facility and as approved in the Safety Evaluation Report dated August 2, 1979 (and Supplements dated October 21,1980, January 22,1981, and July 27,1988) and the safety evaluation issued January 8, 1997, for Technical Specifications Amendment No.

174, subject to the following provision:

NextEra Energy Point Beach may make changes to the approved fire protection program without prior approval of the Commission only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire.

G. Secondary Water Chemistry Monitoring Program NextEra Energy Point Beach shall implement a secondary water chemistry monitoring program to inhibit steam generator tube degradation. This program shall include:

1. Identification of a sampling schedule for the critical parameters and control pOints for these parameters;

2. Identification of the procedures used to quantify parameters that are critical to control points;

3. Identification of process sampling points; Renewed License No. DPR-27 Amendment No. 251

-5

4. Procedure for the recording and management of data;

5. Procedures defining corrective actions for off control point chemistry condition; and

6. A procedure for identifying the authority responsible for the interpretation of the data, and the sequence and timing of administrative events required to initiate corrective action.

H. The FSAR supplement, dated February 25,2004, as revised, submitted pursuant to 10 CFR 54.21(d), shall be included in the next scheduled update to the FSAR required by 10 CFR 50.71 (e)(4) following the issuance of this renewed operating license. Until that update is complete, FPLE Point Beach' may make changes to the programs and activities described in the supplement without prior Commission approval, provided that FPLE Point Beach' evaluates such changes pursuant to the criteria set forth in 10 CFR 50.59 and otherwise complies with the requirements in that section.

I. The FSAR supplement, dated February 25, 2004, as revised, describes certain future activities to be completed prior to the period of extended operation. NextEra Energy Point Beach shall complete these activities no later than March 8, 2013, and shall notify the NRC in writing when implementation of these activities is complete and can be verified by NRC inspection.

J. All capsules in the reactor vessel that are removed and tested must meet the test procedures and reporting requirements of American Society for Testing and Materials (ASTM) E 185-82 to the extent practicable for the configuration of the specimens in the capsule. Any changes to the capsule withdrawal schedule, including spare capsules, must be approved by the NRC prior to implementation. All capsules placed in storage must be maintained for future insertion. Any changes to storage requirements must be approved by the NRC, as required by 10 CFR Part 50, Appendix H.

K. Mitigation Strategy Strategies shall be developed and maintained for addressing large fires and explosions that include the following key areas:

1. Fire fighting response strategy with the following elements:

a. Pre-defined coordinated fire response strategy and guidance

b. Assessment of mutual aid fire fighting assets

c. Designated staging areas for equipment and materials

d. Command and control

e. Training of response personnel On April 16, 2009, the name "FPLE Point Beach, LLC" was changed to "NextEra Energy Point Beach, LLC."

Renewed License No. DPR-27 Amendment No. 251

-6

2. Operations to mitigate fuel damage considering the following:

a. Protection and use of personnel assets

b. Communications

c. Minimizing fire spread

d. Procedures for implementing integrated fire response strategy

e. Identification of readily-available pre-staged equipment

f. Training on integrated fire response strategy

g. Spent fuel pool mitigation measures

3. Actions to minimize release to include consideration of:

a. Water spray scrubbing

b. Dose to onsite responders L. Additional Conditions The additional conditions contained in Appendix C, as revised through Amendment No. 245, are hereby incorporated into this license. NextEra Energy Point Beach shall operate the facility in accordance with the additional conditions.

5. The issuance of this renewed operating license is without prejudice to subsequent licensing action which may be taken by the Commission with regard to the ongoing rulemaking hearing on the Interim Acceptance Criteria for Emergency Core Cooling Systems (Docket No. RM 50-1).

6. This renewed operating license is effective as of the date of issuance, and shall expire at midnight on March 8, 2033.

FOR THE NUCLEAR REGULATORY COMMISSION Original Signed By R. W. Borchardt, Deputy Director Office of Nuclear Reactor Regulation Attachments:

1. Appendix A -Technical Specifications

2. Appendix B - Environmental Technical Specifications

3. Appendix C - Additional Conditions Date of Issuance: December 22, 2005 Renewed License No. DPR-27 Amendment No. 251

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 247 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-24 AND AMENDMENT NO. 251 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-27 NEXTERA ENERGY POINT BEACH, LLC POINT BEACH NUCLEAR PLANT, UNITS 1 AND 2 DOCKET NOS. 50-266 AND 50-301

1.0 INTRODUCTION

By letter dated June 18, 2012 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML12172A386), as supplemented by letter dated September 17,2012 (ADAMS Accession No. ML12261A416), NextEra Energy Point Beach, LLC (NextEra, the licensee) requested changes to the Renewed Facility Operating Licenses for the Point Beach Nuclear Plant (PBNP), Units 1 and 2. The proposed changes would revise the scope of Cyber Security Plan (CSP) Implementation Schedule Milestone 6 and the existing license conditions in the facility operating licenses. Milestone 6 of the CSP implementation schedule concerns the identification, documentation, and implementation of cyber security controls (technical, operational, and management) for critical digital assets (CDAs) related to target set equipment.

NextEra is requesting to modify the scope of Milestone 6 to apply to the technical cyber security controls only. The operational and management controls, as described in Nuclear Energy Institute (NEI) 08-09, Revision 6, would be implemented concurrent with the full implementation of the Cyber Security Program (Milestone 8). Thus, all CSP activities would be fully implemented by the completion date, identified in Milestone 8 of the licensee's CSP implementation schedule.

Portions of the letter dated June 18, 2012, contain sensitive unclassified non-safeguards information and, accordingly, those portions were withheld from public disclosure.

The supplement dated September 17,2012, corrected the original submittal by addressing pagination discrepancies resulting from the change, and thus did not expand the scope of the application as originally noticed, and did not change the U.S. Nuclear Regulatory Commission Enclosure 3

- 2 (NRC or the Commission) staff's original proposed no significant hazards consideration determination as published in the Federal Register on September 11, 2012 (77 FR 55873).

2.0 REGULATORY EVALUATION

In a letter dated July 21,2011 (ADAMS Accession No. ML111740077), the NRC staff reviewed and approved the licensee's existing CSP implementation schedule through License Amendment Nos. 243 and 247, concurrent with the incorporation of the CSP into the facility current licensing basis. The NRC staff considered the following regulatory requirements and guidance in its review of the current license amendment request to modify the existing CSP implementation schedule:

• Title 10 of the Code of Federal Regulations (10 CFR) 73.54, which states: "Each [CSP]

submittal must include a proposed implementation schedule. Implementation of the licensee's cyber security program must be consistent with the approved schedule."

• The licensee's Renewed Facility Operating Licenses includes a license condition that requires the licensee to fully implement and maintain in effect all provisions of the Commission-approved CSP. .

• Amendments Nos. 243 and 247, dated July 21, 2011, which approved the licensee's CSP and implementation schedule, included the following statement: "The implementation of the CSP, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee on March 31, 2011, and approved by the NRC staff with this license amendment. All subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90."

• In a letter to the Nuclear Energy Institute (NEI) dated March 1,2011 (ADAMS Accession No. ML110070348), the NRC staff acknowledged that the cyber security implementation schedule template was "written generically and licensees that use the template to develop their proposed implementation schedules may need to make changes to ensure the submitted schedule accurately accounts for site-specific activities."

3.0 TECHNICAL EVALUATION

As discussed in Section 2.0, the NRC staff approved amendments to the Renewed Facility Operating Licenses for PBNP, Units 1 and 2, on July 21,2011. The NRC staff also approved the licensee's CSP implementation schedule, as discussed in the safety evaluation issued with the amendments. The implementation schedule had been submitted by the licensee based on a template prepared by NEI, which the NRC staff found acceptable for licensees to use in developing their CSP implementation schedules (ADAMS Accession No. ML110600218). The licensee's proposed implementation schedule for the Cyber Security Program identified completion dates and bases for the following eight milestones:

1) Establish the Cyber Security Assessment Team;

- 3

2) Identify Critical Systems and CDAs;

3) Install a deterministic one-way device between lower level devices and higher level devices;

4) Implement the security control "Access Control For Portable And Mobile Devices";

5) Implement observation and identification of obvious cyber related tampering to eXisting insider mitigation rounds by incorporating the appropriate elements;

6) Identify, document, and implement cyber security controls as per "Mitigation of Vulnerabilities and Application of Cyber Security Controls" for CDAs that could adversely impact the design function of physical security target set equipment;

7) Commence ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented;

8) Fully implement the CSP.

3.1 Licensee's Proposed Changes Currently, Milestone 6 of the PBNP CSP requires NextEra to identify, document, and implement cyber security controls for CDAs that could adversely impact the design function of physical security target set equipment by December 31, 2012. These cyber security controls consist of technical, operational and management security controls. In its June 18, 2012, application, NextEra proposed to modify Milestone 6 to change the scope of the cyber security controls due to be implemented on December 31,2012, to include only the NEI 08-09, Revision 6, Appendix D technical security controls. NextEra proposes to amend its CSP to provide that operational and management security controls, identified in Milestone 6, will be fully implemented at a later date, which is the completion date identified in Milestone 8 of the CSP implementation schedule.

The licensee stated that implementing the technical cyber security controls for target set CDAs provides a high degree of protection against cyber-related attacks that could lead to radiological sabotage. The licensee further stated that many of its existing programs are primarily procedure-based and must be implemented in coordination with the comprehensive Cyber Security Program. The licensee also stated that the existing programs (e.g., physical protection, maintenance, configuration management, and operating experience) currently in place at PBNP Units 1 and 2, provide sufficient operational and management of cyber security protection during the interim period until the Cyber Security Program is fully implemented.

3.2 NRC Staff Evaluation The intent of the cyber security implementation schedule was for licensees to demonstrate ongoing implementation of their cyber security program prior to full implementation, which is set for the date specified in Milestone 8. In addition to Milestone 6 and its associated activities, licensees will be completing six other milestones (Milestones 1 through 5, and Milestone 7) by December 31,2012. Activities include establishing a Cyber Security Assessment Team, identifying critical systems and CDAs, installing deterministic one-way devices between defensive levels, implementing access control for portable and mobile devices, implementing

- 4 methods to observe and identify obvious cyber related tampering, and conducting ongoing monitoring and assessment activities for target set CDAs. In their aggregate, the interim milestones demonstrate ongoing implementation of the cyber security program at PBNP, Units 1 and 2.

The NRC staff has reviewed the licensee's evaluation of the proposed changes in its submittal dated June 18, 2012, and finds that by completing Milestones 1 through 5, Milestone 6 with implementation of technical controls to target set CDAs, and Milestone 7, PBNP will have an acceptable level of cyber security protection until full program implementation is achieved.

Technical cyber security controls include access controls, audit and accountability, CDA and communications protection, identification and authentication, and system hardening. These controls are executed by computer systems, as opposed to people, and consist of hardware and software controls that provide automated protection to a system or application. Implementation of technical cyber security controls promotes standardization, trust, interoperability, connectivity, automation, and increased efficiency. For these reasons, the NRC staff concludes that the licensee's approach is acceptable.

The NRC staff also recognizes that full implementation of operational and management cyber security controls in accordance with requirements of the PBNP, Units 1 and 2, CSP will be achieved with full implementation of the Cyber Security Program by the date set in Milestone 8.

That is, all required elements for the operational and management cyber security controls in accordance with the PBNP, Units 1 and 2, CSP will be implemented in their entirety at the time of full CSP implementation.

The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that U[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRC staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML110980538), the implementation of the plan, including the key intermediate milestone dates and full implementation date, shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. Thus, all subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval pursuant in 10 CFR 50.90.

3.3 Revision to License Condition By letter dated June 18, 2012, the licensee proposed to modify ParC\graph 4. D, "Physical Protection," of the Renewed Facility Operating Licenses DPR-24 and DPR-27 for the Point Beach Nuclear Plant, Units 1 and 2, respectively, which provides a license condition to require the licensee to fully implement and maintain in effect all provisions of the NRC-approved CSP.

The license condition for PBNP Unit 1 will be modified (change indicated in bold type) to read as follows:

NextEra Energy Point Beach shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans, including amendments made pursuant to

-5 provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Point Beach Nuclear Plant Physical Security Plan, (Revision 4)," submitted by letter dated May 10, 2006. NextEra Energy Point Beach, LLC shall fully implement and maintain in effect all provisions of the Commission-approved Point Beach Nuclear Plant Cyber Security Plan (CSP),

including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NextEra Energy Point Beach CSP was approved by License Amendment No. 243 as supplemented by a change approved by License Amendment No. 247.

The license condition for PBNP Unit 2 will be modified (change indicated in bold type) to read as follows:

NextEra Energy Point Beach shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans, including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Point Beach Nuclear Plant Physical Security Plan, (Revision 4)," submitted by letter dated May 10, 2006. NextEra Energy Point Beach, LLC shall fully implement and maintain in effect all provisions of the Commission-approved Point Beach Nuclear Plant Cyber Security Plan (CSP),

including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NextEra Energy Point Beach CSP was approved by License Amendment No. 247 as supplemented by a change approved by License Amendment No. 251.

3.4 Summary Based on its review of the licensee's submittals, the NRC staff concludes that the proposed changes to Milestone 6 in the licensee's CSP implementation schedule are acceptable. The NRC staff also concludes that, upon full implementation of the licensee's cyber security program, the requirements of the licensee's CSP and 10 CFR 73.54 will be met. Therefore, the NRC staff finds the proposed changes to be acceptable.

4.0 STATE CONSULTATION

In accordance with the Commission's regulations, the Wisconsin State official was notified of the proposed issuance of the amendments. The State official had no comments.

5.0 ENVIRONMENTAL CONSIDERATION

This amendment relates solely to safeguards matters and does not involve any significant construction impacts. Accordingly. this amendment meets the eligibility criteria for categorical

-6 exclusion setforth in 10 CFR 51.22(c)(12). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of this amendment.

6.0 CONCLUSION

The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributor: Monika Coflin, NSIR Date of issuance: November 23,2012

Mr. Larry Meyer November 23,2012 Site Vice President NextEra Energy Point Beach, LLC Point Beach Nuclear Plant 6610 Nuclear Road Two Rivers, WI 54241

SUBJECT:

POINT BEACH NUCLEAR PLANT, UNITS 1 AND 2 - ISSUANCE OF AMENDMENTS RE: REVISED CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE MILESTONE 6 (TAC NOS. ME8914 AND ME8915)

Dear Mr. Meyer:

The Nuclear Regulatory Commission has issued the enclosed Amendment Nos. 247 and 251 to Renewed Facility Operating License Nos. DPR-24 and DPR-27, for the Point Beach Nuclear Plant, Units 1 and 2, respectively. The amendments consist of changes to the Renewed Facility Operating Licenses in response to your application dated June 18, 2012, as supplemented by letter dated September 17,2012.

The amendment approves the change in scope of Cyber Security Plan Implementation Schedule Milestone 6, and revises License Condition 4.0 of the Renewed Facility Operating Licenses for PBNP Units 1 and 2.

A copy of our related safety evaluation is also enclosed. The Notice of Issuance will be included in the Commission's biweekly Federal Register notice.

Sincerely, IRAJ Terry A Beltz, Senior Project Manager Plant Licensing Branch 111-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. 50-266 and 50-301

Enclosures:

1. Amendment No. 247 to DPR-24

2. Amendment No. 251 to DPR-27

3. Safety Evaluation cc w/encls: Distribution via ListServ DISTRIBUTION PUBLIC RidsOgcRp Resource CErlanger, NSIR LPL3*1 rtf RidsNrrDorlLpl3*1 Resource MCoflin, NSIR RidsNrrPMPointBeach Resource RidsRgn3MailCenter Resource TWengert, NRR RidsNrrLABTully Resource RidsAcrsAcnw_MailCTR Resource BSingal, NRR RidsNrrDssStsb Resource RidsNrrDorlDpr Resource JPoole, NRR P. Pederson, NSIR

• Safe evaluation transmitted b NSIR/DSP/ISCPB/BC OGC (NLO)

BTuily CErlanger

• BMizuno RCarlson TBeitz 09124/12 08/13/12 09/26/12 11/21/12 11/23/12 OFFICIAL RECORDS COpy