Issuance of Amendment 198 Regarding the Cyber Security Plan Implementation Schedule Milestone 8

ML14122A309
Person / Time
Site:	Summer
Issue date:	05/29/2014
From:	Shawn Williams Plant Licensing Branch II
To:	Gatlin T South Carolina Electric & Gas Co
Williams S
References
TAC MF2899
Download: ML14122A309 (16)
v • d • e

Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 May 29, 2014 Mr. Thomas D. Gatlin Vice President, Nuclear Operations South Carolina Electric & Gas Company Virgil C. Summer Nuclear Station Post Office Box 88, Mail Code 800

• Jenkinsville, SC 29065

SUBJECT:

VIRGIL C. SUMMER NUCLEAR STATION, UNIT 1 -ISSUANCE OF AMENDMENT 198 REGARDING THE CYBER SECURITY PLAN IMPLEMENENTATION SCHEDULE MILESTONE 8 (TAC NO. MF2899)

Dear Mr. Gatlin:

In response to your letter dated October 3, 2013Property "Letter" (as page type) with input value "RC-13-0134, License Amendment Request (LAR-13-01414) Change of the Completion Date of Implementation Milestone 8" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process., as supplemented on December 20, 2013, the U.S. Nuclear Regulatory Commission has issued the enclosed Amendment No. 198 to Renewed Facility Operating License No. NPF-12 for the Virgil C. Summer Nuclear Station, Unit 1 (VCSNS).

This amendment will revise the date of the Cyber Security Plan implementation schedule for Milestone 8 and the associated license condition in the facility operating license. Milestone 8 requires full implementation of the VCSNS Cyber Security Plan.

A copy of the related Safety Evaluation is enclosed. A Notice of Issuance will be included in the Commission's Biweekly Federal Register notice.

Docket No. 50-395

Enclosures:

1. Amendment No. 198 to NPF-12

2. Safety Evaluation

• cc w/encls: Distribution via Listserv Sincerely, Shawn Williams, Senior Project Manager Plant Licensing Branch 11-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SOUTH CAROLINA ELECTRIC & GAS COMPANY SOUTH CAROLINA PUBLIC SERVICE AUTHORITY DOCKET NO. 50-395 VIRGIL C. SUMMER NUCLEAR STATION, UNIT 1 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 198 Renewed License No. NPF-12

1.

The U.S. Nuclear Regulatory Commission (the Commission) has found that:

A.

The application for amendment to the Virgil C. Summer Nuclear Station, Unit 1, (the facility) Renewed Facility Operating License NPF-12 filed by the South Carolina Electric & Gas Company (the licensee), dated October 3, 2013, as supplemented on December 20, 2013, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I; B.

The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C.

There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations as set forth in 10 CFR Chapter I; D.

The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E.

The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

2.

Accordingly, the license is amended as indicated in the attachment to this license amendment. Paragraph 2.C.(2) and Paragraph 2.E of Renewed Facility Operating License No. NPF-12 is hereby amended to read as follows:

2.C.{2) Technical Specifications and Environmental Protection Plan The Technical Specifications contained in Appendix A, as revised through Amendment No. 198, and the Environmental Protection Plan contained in Appendix B, are hereby incorporated in the license. South Carolina Electric & Gas Company shall operate the facility in accordance with the Technical Specifications and the Environmental Protection Plan.

2.E SCE&G shall fully implement and maintain*in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The SCE&G CSP was approved by License Amendment No. 198.

3.

This amendment is effective as of its date of issuance and shall be implemented within 60 days of issuance.

Attachment:

Changes to Renewed Facility Operating License No. NPF-12 Date of Issuance: May 29, 2014 FOR THE NUCLEAR REGULATORY COMMISSION Robert J. Pascarelli, Chief Plant Licensing Branch 11-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

ATTACHMENT TO LICENSE AMENDMENT NO. 198 TO RENEWED FACILITY OPERATING LICENSE NO. NPF-12 DOCKET NO. 50-395 Replace the following pages of the Renewed Facility Operating License with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.

Remove Pages License NPF-12, Page 3 NPF-12, Page 11a Insert Pages License NPF-12, Page 3 NPF-12, Page 11a (3)

SCE&G, pursuant to the Act and 10 CFR Part 70, to receive, possess and use at any time special nuclear material as reactor fuel, in accordance with the limitations for storage amounts required for reactor operation, as described in the Final Safety Analysis Report, as amended through Amendment No. 33; (4)

SCE&G, pursuant to the Act and 10 CFR Part 30, 40 and 70 to receive, possess and use at any time byproduct, source and special nuclear material as sealed neutron sources for reactor startup, sealed neutron sources for reactor instrumentation and radiation monitoring equipment calibration, and as fission detectors in amounts as required; (5)

SCE&G, pursuant to the Act and 10 CFR Parts 30, 40, and 70, to receive, possess and use in amounts as required any byproduct source or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration or associated with radioactive apparatus of components; and (6)

SCE&G, pursuant to the Act and 10 CFR Parts 30, 40, and 70, to possess, but not separate, such byproduct and special nuclear materials as my be produced by the operation of the facility.

C.

This renewed license shall be deemed to contain, and is subject to, the conditions specified in the Commission's regulations set forth in 10 CFR Chapter I and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

(1)

Maximum Power Level SCE&G is authorized to perathe the facility at reactor core power levels not in excess of 2900 megawatts thermal in accordance with the conditions specified herein and in Attachment 1 to this renewed license.

The preoccupation tests, startup tests and other items identified in to this renewed license shall be completed as specified. is hereby incorporated into this renewed license.

(2)

Technical Specifications and Environmental Protection Plant The Technical Specifications contained in Appendix A, as revised through Amendment No. 1.98 and the Environmental Protection Plan contained in Appendix 8, are hereby incorporated in the renewed license. South Carolina Electric & Gas Company shall operate the facility in accordance with the Technical Specifications and the Environmental Protection Plan.

Renewed Facility Operating License No. NPF-12 Amendment No. 198

-11a-D.

An exemption to the requirements of Paragraph 111.8.4 of Appendix G to 10 CFR Part 50 is described in Section 5.3.1 of Supplement No. 1 to the Office of Nuclear Reactor Regulation's Safety Evaluation Report. A limited exemption to the requirements of Section IV.F.1(b) of Appendix E to 10 CFR Part 50 is described in a letter from B. J. Youngblood, NRC to 0. W. Dixon, Jr., dated November 2, 1982. These exemptions are authorized by law and will not endanger life or property or the common defense and security and are otherwise in the public interest. The facility will operate, to the extent authorized herein, in conformity with the application, as amended, the provisions of the Act, and the rules and regulations of the Commission.

E.

SCE&G shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Virgil C.

Summer Nuclear Station Security Plan," as updated through May 15, 2006. This document includes the Security Training and Qualification Plan as Appendix B and the Safeguards Contingency Plan as Appendix C.

SCE&G shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The SCE&G CSP was approved by License Amendment No. 198-.

Renewed Facility Operating License No. NPF~ 12 License Amendment No.198

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 198 TO RENEWED FACILITY OPERATING LICENSE NO. NPF-12

. SOUTH CAROLINA ELECTRIC & GAS COMPANY SOUTH CAROLINA PUBLIC SERVICE AUTHORITY VIRGIL C. SUMMER NUCLEAR STATION, UNIT 1 DOCKET NO. 50-395

1.0 INTRODUCTION

By application dated October 3, 2013 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML13281A193), as supplemented on December 20, 2013 (ADAMS Accession No. ML13358A308), South Carolina Electric & Gas Company (SCE&G, the licensee) requested a change to the renewed facility operating license for Virgil C. Summer Nuclear Station (VCSNS) Unit 1. The proposed change would revise the date of Cyber Security Plan (CSP) implementation schedule,Milestone 8 and the existing license condition in the facility operating license. Currently, Milestone 8 requires SCE&G to fully implement the CSP by December 31, 2014. In the October 3, 2013, application, SCE&G proposed to change the Milestone 8 completion date to June 30, 2017.

Portions of the letters dated October 3, 2013, and December 20, 2013, contain sensitive unclassified non-safeguards information and, accordingly, those portions are withheld from public disclosure.

2.0 REGULATORY EVALUATION

Background information regarding Cyber Security Implementation Plans and a description of each Milestone can be found in the Nuclear Energy Institute letter dated February 28, 2011, "Template for the Cyber Security Plan Implementation Schedule" (ADAMS Package Accession No. ML110600206}.

Amendment No. 184 dated August 24, 2011, approved the licensees' CSP and implementation schedule and included the following statement: "SCE&G shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p)."

The NRC staff considered the following regulatory requirements and guidance in its review of the current license amendment request to modify the existing CSP implementation schedule:

Enclosure The Code of Federal Regulations 10 CFR 73.54 states: "Each [CSP] submittal must include a proposed implementation schedule. Implementation of the licensee's cyber security program must be consistent with the approved schedule."

NUREG-0800- Chapter 13, Section 13.6.6, Revision 0, "Cyber Security Plan," provides review criteria for cyber security plans.

o In a publicly available NRC memorandum dated October 24, 2013 (ADAMS Accession No. ML13295A467), the NRC staff listed criteria to consider during evaluations of licensees' requests to postpone their cyber security program implementation date (commonly known as Milestone 8).

3.0 TECHNICAL EVLAUATION Amendment No. 184 to Renewed Facility Operating License NPF-12 VCSNS, Unit 1, was issued on August 24, 2011. The NRC staff also approved the licensees' CSP implementation schedule, as discussed in the safety evaluation issued with the amendment. The implementation schedule had been submitted by the licensee based on a template prepared by NEI [Nuclear Energy Institute], which the NRC stafffol!nd acceptable for licensees to use to develop their CSP implementation schedules (ADAMS Accession No. ML110600218). The licensee's proposed implementation schedule for the Cyber Security Program identified completion dates and bases for the following eight milestones:

1) Establish the Cyber Security Assessment Team (CSAT);

2) Identify Critical Systems (CSs) and Critical Digital Assets (CDAs);

3) Install a deterministic one-way device between lower level devices and higher level devices;

4) Implement the security control "Access Control For Portable And Mobile Devices";

5) Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds;

6) Identify, document, and implement cyber security controls as per "Mitigation of Vulnerabilities and Application of Cyber Security Controls" for CDAs that could adversely impact the design function of physical security target set equipment;

7) Ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented;

8) Fully implement the CSP.

3.1 Licensee's Proposed Change The licensee proposed to change the implementation date of Milestone 8 for VCSNS, Unit 1, from December 31, 2014 to June 30, 2017. The licensee stated that there is no change to the cyber security program other than the proposed change to the completion date.

3.2 NRC Staff Evaluation The licensee submitted its application on October 3, 2013, before the NRC staff developed guidance to evaluate requests to postpone Milestone 8 implementation dates on October 24, 2013 (ADAMS Accession No. ML13295A467). As a result, the licensee's application did not address all the criteria in the guidance. Requests for additional information (RAI) were issued on November 21, 2013 (ADAMS Accession No. ML13318A116). The licensee responded on December 20, 2013 (ADAMS Accession No. ML13358A308). The licensee RAI response, along with the original October 3 application addressed all the criteria in the guidance. The criteria in the guidance are:

1) Identification of the specific requirement or requirements of the cyber security plan that the licensee needs additional time to implement.

2) Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.

3) A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available.

4) An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall cyber security program in the context of milestones already completed.

5) A description of the licensee's methodology for prioritizing completion of work for critical digital assets associated with significant safety consequences and with reactivity effects in the balance of plant.

6) A discussion of the licensee's cyber security program performance up to the date of the license amendment request.

7) A discussion of cyber security issues pending in the licensee's corrective action program.

8) A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.

The NRC staff reviewed the licensee's application and RAI response. The licensee's response is summarized below, followed by the NRC staff's evaluation, numbered as the criteria above.

1) Identification of the specific requirement or requirements of the cyber security plan that the licensee needs additional time to implement.

The licensee stated that the requirement of the CSP that it needs additional time to implement is CSP Section 3.1, Analyzing Digital Computer Systems and Networks and Applying Cyber Security Controls. It further noted that there are ongoing issues that need resolution prior to completing implementation of Section 3.1. These include NRC and industry discussions about CDAs and security controls; CDA assessment work is resource intensive; remediation activities need to be carefully considered; change management challenges; and training on new programs, processes and procedures.

The NRC staff agrees that implementation of CSP Section 3.1 requires the extensive actions the licensee noted.

2) Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.

The licensee stated it had a project team of 1 0 to 12 full-time-equivalent staff that are experiencing major challenges with full implementation of Milestone 8. Challenges include the large effort associated with documentation of CDA assessment using deterministic process in CSP Section 3.1 and the uncertainty with respect to interpretation of cyber security controls including 'What good looks like." The licensee then provided detailed justification for additional time to fully implement the CSP per Section 3.1.

a) Resolution of NEI/NRC discussion on CDA scope/security controls The anticipated resolution time frame does support the current Milestone 8 date Resultant GOA/security controls scope changes will impact Milestone 8 completion

i. Changes to newly issued procedures and updated existing procedures ii. Revision of training materials and delivery of training iii. CDA Assessment Tool rework, programming and validation iv. Rework to adjust completed CDA tabletop work

v. Rework of the completed draft Security Controls Implementation Strategy (SCIS) which is on-hold pending the outcome of NEI/NRC discussions concerning NEI 13-10, Cyber Security Control Assessments b) Defining the cyber security controls in NEI 08-09. Cyber Security Plan for Nuclear Power Reactors, Rev 6 NEI 10-09, Addressing Cyber Security Controls for Nuclear Power Reactors, Rev 0, has not been endorsed by the NRC Anticipated issue date of NUREG 7140 (cyber security controls interpretation guidelines) was late 2013, leaving limited time to rework the already completed draft SCIS, including major reprogramming of security controls in the cyber security assessment tool Differing industry interpretation of CDA scope and security controls (no defined criteria of 'What good looks like" for security controls) c) CDA Assessment work is resource intensive VCSNS Unit 1 has approximately 1700 CDAs Assessment tool set-up is challenging due to uncertainty surrounding security controls interpretation VCSNS, Unit 1, underestimated the level of effort necessary to address security controls using the deterministic criteria in CSP 3.1 Rework is a major concern since budgets are approved in advance based on the defined scope that considers a specific amount of rework VCSNS, Unit 1, will need to increase resources to address the magnitude of work involved in each CDA assessment d) Remediation activities need to be carefully considered VCSNS, Unit 1, experience is that security controls are unique and new to the plant and suppliers,

Plant modifications must be carefully implemented to ensure they do not impact plant safety and operation Suppliers are releasing products that have not been adequately documented and tested which results in corrective action investigations and resource drain e) Change management challenges Cyber security is challenging since it integrates into day to day plant operations, maintenance, engineering and procurement activities Integration of cyber security controls is taking longer than expected due to impacts on the work control process and maintenance activities Cyber security for plant CDAs is new, and the security controls being implemented on the plant CDAs are new to Maintenance, System Engineering and Operations. When plant CDA modifications include new products such as application whitelisting, and require operating system parameter changes, the modifications must be implemented cautiously to ensure safe, reliable operation of plant equipment. Before modifications are implemented, significant verification analysis and testing must be performed to minimize or eliminate impacts to plant equipment Maintenance on CDAs is performed by trained and qualified technicians. Training the technicians is a challenge. Maintenance Department training schedules are normally established at least a year in advance Plant modifications that added cyber security controls have created new change management challenges. As cyber security controls are implemented, new tasks are added to normal maintenance activities. The full impact of cyber security controls on the maintenance processes were difficult to predict when plant modifications to add cyber controls were initially scoped and developed f)

Training on new programs, processes and procedures The site training needs and schedules are normally established up to a year in advance and have to be presented to, and approved by *. the VCSNS, Unit 1, Training Review Boards. Cyber security training adds a new burden on training resources that was not fully understood when the new cyber-related processes and procedures were first b~ing developed. VCSNS,Unit 1, initially underestimated the level of effort and coordination needed to meet the requirements of VCSNS, Unit 1 's, systematic

• approach to training process. Cyber security training needs can be accommodated outside of normal training cycles, but this adds an unanticipated burden on training resources.

Based on the information provided by the licensee, the NRC staff agrees that VCSNS, Unit 1, would not be able to fully implement its CSP by December 31, 2014. Staff agrees that additional resources and time is needed for the following reasons provided by the licensee:

To perform the resource intensive CDAassessment work and to work through implementation issues considering the high number of CDAs and the need to address 148 controls for each.

To consider remediation activities. Working with security controls is a new experience for the licensee staff and suppliers, and security modifications must be implemented to not impact safety and operations.

To address change management challenges that have impacted many plant processes including operations, maintenance, engineering, and procurement.

To work through the challenges associated with changing long standing training schedules.

The NRC staff finds the licensee's explanation for the need for additional time to implement CSP Section 3.1 acceptable.

3) A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available.

The licensee proposed a Milestone 8 completion date of June 30, 2017, and stated that there is no change to the cyber security program other than the change of the completion date of Milestone 8. The licensee also stated that changing the completion date of Milestone 8 will allow two additional refueling outages to methodically plan and schedule the implementation of the required design changes as well as provide more time to prioritize work efforts and schedule resources to help avoid rework and scope change.

The NRC staff finds that the proposed completion date is consistent with the remaining scope of work to be conducted considering the resources available.

4), An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall cyber security program in the context of milestones already completed.

The licensee indicated VCSNS, Unit 1, is secure based on the cyber security implementation activities already completed and completion of activities already in progress. It then detailed the activities completed in each of the milestones 1 through 7. The activities address significant cyber attack vectors and applied controls to the most risk significant CDAs.

The NRC staff finds that the impact of the additional time to implement the requirements will not substantially reduce the effectiveness of the licensee's overall cyber security program because the completed activities and the completion of activities in progress will address and mitigate the most significant cyber security vulnerabilities.

5) A description of the licensee's methodology for prioritizing completion of work for critical digital assets associated with significant safety consequences and with reactivity effects in the balance of plant.

The licensee divides its CDA equipment listings into approximately equal quantities of security and non-security CDAs which makes it more efficient to accomplish security and non-security CDA assessments in parallel. The licensee's prioritization of CD As considers safety, important to safety (including BOP) and other criteria. The methodology is based on defense-in-depth, installed configuration of the CDA and susceptibility to five commonly identified threat vectors.

The NRC staff finds the licensee's methodology is appropriate and risk informed.

6) A discussion of the licensee's cyber security program performance up to the date of the license amendment request.

The licensee stated that Miiestone 1 through 7 activities provide a high degree of protection against cyber security related attacks. It noted an effective implementation of the removable media/removable control device program and defense-in-depth and installation of diodes between levels as well as new preventive maintenance tasks that support the cyber security program. There was a Quality Assurance audit in July 2013 that concluded the cyber security program was effective. Issues identified during the audit were placed in the corrective action program for cyber security program improvement. Various types of cyber related training were provided to the plant staff. There have been 29 procedures developed or modified to support the cyber security program.

The NRC staff agrees that Milestone 1 through 7 activities including the removable media/removable device program and defense-in-depth and installation of diodes between levels provide significant protection against cyber attacks. The NRC staff also agrees that implementation of new preventive maintenance tasks, new and modified procedures and cyber security training are evidence of an effective program. The NRC staff concludes that the licensee is using the tools at its disposal to implement and verify an effective cyber security program.

7) A discussion of cyber security issues pending in the licensee's corrective action program.

The December 20, 2013, supplement included cyber security related issues in the licensee's corrective action program. Below are some of the more relevant examples from the list:

Full Program (Milestone 8) implementation tracking Enhanced Guidance for Licensee Near-Term Corrective Actions to address Cyber Security Inspection Findings and Licensee Eligibility for "Good-Faith" Attempt Discretion Industry lessons learned for VCSNS, UNIT 1, cyber security program improvement NRC inspection lessons learned for VCSNS, UNIT 1, cyber security program improvement NRC SFAQ [security frequently asked questions] required dispositions and actions.

Issues and improvement items identified pertaining to implemented portions of the cyber security program Quality Assurance surveillance findings Physical Security Cyber Security program integration Issues documented for program improvement The NRC staff finds that the examples and listing reflect the implementation and evolution of the cyber security program and reinforce the licensee discussions above. The issues in the CAP demonstrate the licensee has an active CSP and is taking external and internal input and working to improve the CSP.

8) A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.

The staff requested this information to confirm that the licensee completed or has planned to complete the modifications required to implemented their CSP and Milestone 8. The licensee provided a discussion of completed modifications and pending modifications consistent with their CSP and to fully implement Milestone 8.

3.3 Revision to License Condition Paragraph 2.E By letter dated October 3, 2013Property "Letter" (as page type) with input value "RC-13-0134, License Amendment Request (LAR-13-01414) Change of the Completion Date of Implementation Milestone 8" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process., the licensee proposed to modify Paragraph 2.E of Renewed Facility Operating License No. NPF-12, VCSNS, Unit 1, which provides a license condition to require the licensee to fully implement and maintain in effect all provisions of the NRC-approved CSP.

The license condition in Paragraph [2.E] of Renewed Operating License No. NPF-12 for VCSNS, Unit 1, is modified from:

To:

SCE&G shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The SCE&G CSP was approved by License Amendment No. 193.

SCE&G shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The SCE&G CSP was approved by License Amendment No. 198.

3.4 Conclusion The NRC staff concludes that implementation of Milestones 1 through 7 provides significant protection against cyber attacks and that the licensee's submittal provides sufficient basis to justify the requested additional time to implement Milestone 8. The NRC staff concludes that the licensee's request for additional time to complete implementation of Milestone 8, full implementation of the C$P by June 30, 2017, is acceptable for VCSNS, Unit 1. The NRC staff concludes that, upon full implementation of the licensee's cyber s,ecurity program, the requirements of the licensee's CSP and 1 0 CFR 73.54 will be met.

The NRC staff does not regard the CSP milestone implementation dates* as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that "[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRC staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML110980538), the implementation of the plan, including the key intermediate milestone dates and the full implementation date shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. All subsequent changes to the NRC-approved CSP implementation schedule, thus, will require prior NRC approval as required by 10 CFR 50.90.

4.0 STATE CONSULTATION

In accordance with the Commission's regulations, the South Carolina State official was notified of the proposed issuance of the amendments. The State official had no comments.

5.0 ENVIRONMENTAL CONSIDERATION

The amendment changes a requirement with respect to installation or use of a facility component*

located within the restricted area as defined in 10 CFR Part 20. The NRC staff has determined that the amendment involves no significant increase in the amounts, and no significant change in the types, of any effluents that may be released offsite, and that there is no significant increase in individual or cumulative occupational radiation exposure. The Commission has previously issued a proposed finding that the amendment involves no significant hazards consideration, and there has been no public comment on such finding (78 FR 70595, November 26, 2013). Accordingly, the amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9).

Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.

6.0 CONCLUSION

The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not

• be inimical to the common defense and security or to the health and safety of the \\public.

Principal Contributors:

John Rycyna, NSI R/CSD D~e: May 29, 2014

ML14122A309

• with comments OFFICE LPL2-1/PM LPL2-1/LA NSIR/CSD/BC OGCINLO NAME SWilliams SFiQueroa RFelts*

BHarris*

DATE 05/06/14 05/13/14 05/14/14 05/19/14 OFFICE LPL2-1/BC LPL2-1/PM NAME RPascarelli SWilliams DATE 05/29/14 05/29/14