ML14269A388

From kanterella
Jump to navigation Jump to search
Reg Guide 5-83 Cyber Security Event Notifications
ML14269A388
Person / Time
Issue date: 07/17/2015
From: Brad Bergemann
NRC/RES/DE
To:
Bayssie M
Shared Package
ML15188A548 List:
References
RIN 3150-AJ37 RG 5.83, Rev. 2
Download: ML14269A388 (40)


Text

U.S. NUCLEAR REGULATORY COMMISSION July 2015 OFFICE OF NUCLEAR REGULATORY RESEARCH Division 5 REGULATORY GUIDE Technical Lead Brad Bergemann REGULATORY GUIDE 5.83 (Draft was issued as part of DG-5019, Revision 2 of Regulatory Guide 5.62, dated January 2011)

CYBER SECURITY EVENT NOTIFICATIONS A. INTRODUCTION Purpose This regulatory guide (RG) describes approaches and methodologies that the staff of the U.S.

Nuclear Regulatory Commission (NRC) considers acceptable for use by nuclear power reactor licensees when categorizing certain cyber security events, and the process for conducting notifications and submitting written security follow-up reports to the NRC for cyber security events.

Applicable Rules and Regulations The regulations in Title 10, of the Code of Federal Regulations (10 CFR), Physical Protection of Plants and Materials, Part 73, (Ref. 1). Section 73.77, Cyber Security Event Notifications requires licensees subject to the provisions of 10 CFR 73.54, Protection of Digital Computer and Communication Systems and Networks to notify the NRC Headquarters Operations Center via the Emergency Notification System (ENS) as described below.

  • Section 73.77(a)(1) requires licensees to notify the NRC within one hour after discovery of a cyber attack that adversely impacted safety-related or important-to-safety functions, security functions, or emergency preparedness functions (including offsite communications); or that compromised support systems and equipment resulting in adverse impacts to safety, security, or emergency preparedness functions within the scope of 10 CFR 73.54.
  • Section 73.77(a)(2) requires licensees to notify the NRC within four hours:

(i) After discovery of a cyber attack that could have caused an adverse impact to safety-related or important-to-safety functions, security functions, or emergency preparedness functions (including offsite communications); or that could have compromised support systems and equipment, which if compromised, could have adversely impacted safety, security, or emergency preparedness functions within the scope of 10 CFR 73.54.

Written suggestions regarding this guide or development of new guides may be submitted through the NRCs public Web site under the Regulatory Guides document collection of the NRC Library at http://www.nrc.gov/reading-rm/doc-collections/reg-guides/contactus.html.

Electronic copies of this regulatory guide, previous versions of this guide, and other recently issued guides are available through the NRCs public Web site under the Regulatory Guides document collection of the NRC Library at http://www.nrc.gov/reading-rm/doc-collections/. The regulatory guide is also available through the NRCs Agencywide Documents Access and Management System (ADAMS) at http://www.nrc.gov/reading-rm/adams.html, under ADAMS Accession No. ML14269A388. The regulatory analysis may be found in ADAMS under Accession No. ML14170B076 and the staff responses to the public comments on DG-5019 may be found under ADAMS Accession No. ML14136A214.

(ii) After discovery of a suspected or actual cyber attack initiated by personnel with physical or electronic access to digital computer and communication systems and networks within the scope of 10 CFR 73.54.

(iii) After notification of a local, State, or other Federal agency of an event related to implementation of the licensees cyber security program for digital computer and communication systems and networks within the scope of 10 CFR 73.54 that does not otherwise meet a notification under 10 CFR 73.77(a).

  • Section 73.77(a)(3) requires licensees to notify the NRC within eight hours after receipt or collection of information regarding observed behavior, activities, or statements that may indicate intelligence gathering or pre-operational planning related to a cyber attack against digital computer and communication systems and networks within the scope of 10 CFR 73.54.
  • Section 73.77(b) requires licensees to use their site corrective action program (CAP) to record vulnerabilities, weaknesses, failures and deficiencies in their cyber security program as well as record notifications made under paragraph (a) of 10 CFR 73.77 within twenty four hours of their discovery.
  • Section 73.77(c) provides the process for conducting cyber security event notifications to the NRC.
  • Section 73.77(d) provides the process for submitting written security follow-up reports to the NRC for cyber security event notifications.
  • Section 73.77(d)(3) requires licensees to prepare written security follow-up reports on NRC Form 366.
  • Appendix A to 10 CFR Part 73, U.S. Nuclear Regulatory Commission Offices and Classified Mailing Addresses, contains contact information for the NRC Headquarters Operations Center and directions on communicating classified events to the NRC.

Related Guidance

  • Regulatory Guide 5.69, Guidance for the Application of Radiological Sabotage Design-Basis Threat in the Design, Development and Implementation of a Physical Security Program that Meets 10 CFR 73.55 Requirements (SGI) provides background on cyber attacks, up to and including the design basis threat (DBT) of radiological sabotage as described in 10 CFR 73.1 (Ref. 3).
  • U.S. Department of Homeland Security, Terrorist Threats to the U.S. Homeland: Reporting Guide for Critical Infrastructure and Key Resource Owners and Operators, (OUO) provides additional guidance and examples of suspicious events (including events related to cyber activity)

(Ref. 4).

Purpose of Regulatory Guides The NRC issues regulatory guides to describe to the public methods that the staff considers acceptable for use in implementing specific parts of the agencys regulations, to explain techniques that the staff uses in evaluating specific problems or postulated accidents, and to provide guidance to RG 5.83, Rev. 2, Page 2

applicants. Regulatory guides are not substitutes for regulations and compliance with them is not required.

Methods and solutions that differ from those set forth in regulatory guides will be deemed acceptable if they provide a basis for the findings required for the issuance or continuance of a permit or license by the Commission.

Paperwork Reduction Act This regulatory guide contains information collection requirements covered by 10 CFR Part 73 that the Office of Management and Budget (OMB) approved under OMB control number 3150-0002. The NRC may neither conduct nor sponsor, and a person is not required to respond to, an information collection request or requirement unless the requesting document displays a currently valid OMB control number.

B. DISCUSSION This new guide addresses cyber security event notification requirements. These notification requirements contribute to the NRCs analysis of the reliability and effectiveness of licensees cyber security programs. Furthermore, they will play an important role in the NRCs continuing effort to provide high assurance that digital computer communication systems and networks are adequately protected against cyber attacks up to and including the design basis threat.

Background

Prompt notification of a cyber attack could be vital to the NRCs ability to take immediate action in response to a cyber attack and, if necessary, notify other NRC licensees, Government agencies and critical infrastructure facilities, to defend against a multiple sector cyber attack. Notifications conducted and written reports submitted by licensees will be used by the NRC to respond to emergencies, monitor ongoing events, assess trends and patterns and identify precursors of more significant events. Timely notifications assist the NRC in achieving its strategic communication mission by enabling NRC to inform the U.S. Department of Homeland Security (DHS) and federal intelligence and law enforcement agencies of cyber security-related events that could (1) endanger public health and safety or the common defense and security, (2) provide information for threat-assessment processes, or (3) generate public or media inquiries.

In accordance with 10 CFR 73.54, licensees cyber security programs are required to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat of radiological sabotage as described in 10 CFR 73.1. Further, licensees are required to protect digital computer and communication systems and networks associated with safety-related and important-to-safety functions; security functions; emergency preparedness functions, including offsite communications; and support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness (SSEP) functions.

Additionally, in accordance with 10 CFR 73.54(a)(2) licensees are required to protect the systems and networks associated with SSEP functions against cyber attacks that would adversely impact the integrity or confidentiality of data and/or software; deny access to systems, services, and/or data; and adversely impact the operation of systems, networks, and associated equipment. Furthermore, in staff requirements memorandum (SRM), COMWCO-10-0001 Regulation of Cyber Security at Nuclear Power Plants (Ref. 5), the Commission determined that, as a matter of policy, 10 CFR 73.54 should be interpreted to include structures, systems and components (SSC) in the balance of plant (BOP) that have a nexus to radiological health and safety at NRC-licensed nuclear power plants. Therefore, cyber security RG 5.83, Rev. 2, Page 3

events related to BOP SSCs that could directly or indirectly affect reactivity of a nuclear power plant are also required to be reported or recorded in accordance with the requirements of 10 CFR 73.77.

The NRC has established notification requirements for certain cyber security activities because they may be indicative of preoperational malevolent activities, and malevolent actors have demonstrated the capability to simultaneously attack multiple independent targets. The NRC forwards appropriate reports of these cyber security activities to DHS, federal law enforcement agencies and the intelligence community as part of the national threat assessment process as outlined in the National Cyber Incident Response Plan. Analysis of individual cyber security events (at separate facilities or activities) may reveal to the NRC, law enforcement authorities, or the intelligence community potential threats or patterns that warrant increasing the security posture for NRC-regulated facilities and activities, other government facilities and activities, and other national critical-infrastructure facilities. The DHS considers licensees to be key resource owners and operators. Licensees can find additional guidance and examples of suspicious events (to include events related to cyber activity) in the U.S. Department of Homeland Securitys, Terrorist Threats to the U.S. Homeland: Reporting Guide for Critical Infrastructure and Key Resource Owners and Operators.

Consistent with 10 CFR 73.77, a cyber security event must be reported within the time specified in 10 CFR 73.77(a). These timeframes are within specified hours after, for example, discovery of a cyber attack or suspected attack. The NRC understands that the licensee may conduct a preliminary assessment if signs of a cyber attack are not obvious (e.g., antivirus protection alert, intrusion detection system alert) in order to rule out other common degradations or failures such as mechanical or electrical. The NRC staff encourages licensees to report cyber security events and subsequently retract them, if appropriate (e.g., not meeting the threshold of a reportable event) rather than delaying the initial notification to gather more information and thus have greater confidence in whether or not to make a notification. If a licensee has questions about whether to report or record a cyber security event, the licensee can, if time permits, discuss the cyber security event with their appropriate NRC regional or Headquarters security staff before making an official report or record. However, if the questions cannot be resolved, licensees should report all cyber security events within the most appropriate timeframe specified in 10 CFR 73.77, rather than waiting for confirmation that the event is one that must be reported.

The NRC staff has developed this guide based on examples taken from prior experience with cyber security events and interactions between NRC staff and licensees. This guide is intended to provide assistance to licensees in evaluating whether a broad range of potential cyber security events should be reported or recorded under the provisions of 10 CFR 73.77. The specific cyber security events listed in this guide are examples of reportable or recordable cyber security events. As such, the NRC staff does not consider these lists to be exhaustive or exclusive. Many of the examples listed herein have been created from actual cyber security events at NRC-regulated facilities or from licensee discussions with NRC staff on whether a particular cyber security event was reportable, recordable, or neither. The NRC staff notes that the evaluation of cyber security events is very fact specific. Therefore, for virtually every example provided, the addition or subtraction of a single aspect not explicitly detailed in this guide could easily move it into a higher or lower reporting timeframe. Accordingly, licensees should always consider their particular circumstances before determining how to comply with 10 CFR 73.77.

Licensees should report suspected or actual cyber security events, including those substantiated by observations by staff or law enforcement personnel, evidence of the presence of unknown personnel, unauthorized access or modification of critical digital assets (CDAs), telephone and other electronic contacts, suspicious documents and files, and testimony of credible witnesses. Licensees corporate and contractor personnel may also be sources of this information. Licensees should consider obtaining access to the NRCs Protected Web Server (PWS) to obtain routine threat bulletins and analyses the NRC receives from the Federal Bureau of Investigation (FBI) and the DHS on critical national infrastructure RG 5.83, Rev. 2, Page 4

and key resources. Licensees desiring access to the NRCs PWS should make their request through the security staff in their applicable NRC regional office.

Notifications conducted under 10 CFR 73.77 should focus on the occurring or suspected cyber security event, not the resolution, final analysis, suspected motivation of any participants, or technical evaluations. While those actions should be considered part of the response function and should eventually be reported, they should not affect the timely notification of the occurring event.

Harmonization with International Standards The NRC staff reviewed guidance from the International Atomic Energy Agency (IAEA),

International Organization for Standardization (ISO), and International Electrotechnical Commission (IEC) and did not identify any standards that provided useful guidance to NRC staff, applicants, or licensees.

C. STAFF REGULATORY GUIDANCE

1. Cyber Security Event Notifications Licensees subject to the provisions of 10 CFR 73.54 are required to notify the NRC Headquarters Operations Center of the below events via the ENS in accordance with the requirements of 10 CFR 73.77(c).

1.1 One-hour Notifications As stated in 10 CFR 73.77(a)(1) licensees are required to notify the NRC within one hour after discovery of a cyber attack that adversely impacted safety-related or important-to-safety functions, security functions, or emergency preparedness functions (including offsite communications); or that compromised support systems and equipment resulting in adverse impacts to safety, security, or emergency preparedness functions within the scope of 10 CFR 73.54.

Licensees should evaluate events that are not reportable under this requirement for reporting or recording under the other provisions of 10 CFR 73.77.

One-hour Notification Examples:

a. A cyber attack that adversely impacted (e.g., interruption) the normal operation of the facility through the unauthorized use of, or tampering with, digital computer and communication systems and networks.
b. A cyber attack that adversely impacted the capability to shut down the reactor and maintain it in a safe shutdown condition, remove residual heat, control the release of radioactive material or mitigate the consequences of an accident, even if the affected system was not required to perform its function during the period of impact.
c. A cyber attack that adversely impacted the capability to detect, delay, assess, or respond to malevolent activities. For example, a cyber attack that disrupts a security function responsible for the implementation of the sites physical protection program and/or protective strategy such as, an intrusion detection and assessment system, a physical barrier (e.g., active vehicle barrier, delay barrier), an access control system, an alarm station, or a communication system.

RG 5.83, Rev. 2, Page 5

d. A cyber attack that adversely impacted the capability to call for, or communicate with, offsite assistance.
e. A cyber attack that adversely impacted emergency response capabilities to implement appropriate protective measures in the event of a radiological emergency.
f. A cyber attack that adversely impacted a support system that falls within the scope of 10 CFR 73.54, even if the affected system was not required to perform its function during the period of impact.

1.2 Four-hour Notifications As stated in 10 CFR 73.77(a)(2)(i) licensees are required to notify the NRC within four hours after discovery of a cyber attack that could have caused an adverse impact to safety-related or important-to-safety functions, security functions, or emergency preparedness functions (including offsite communications); or that could have compromised support systems and equipment, which if compromised, could have adversely impacted safety, security, or emergency preparedness functions within the scope of § 73.54. These could be attacks that exploit a CDA, critical system (CS) or a protected network (i.e., a network that is isolated (air gapped) or behind a data diode that contains one or more CDAs), that could have but did not cause an adverse impact to SSEP functions. For example, activity logs, antivirus protection or an intrusion detection system indicated the presence of malware or unauthorized access/activity occurred on a CDA, CS or protected network. For cyber attacks that reach unprotected networks (i.e., not isolated or behind a data diode containing CDAs), or that are mitigated by boundary and/or CDA cyber security controls and no exploitation of a CDA occurs, notification to the NRC would not be needed under 10 CFR 73.77(a)(2)(i).

As stated in 10 CFR 73.77(a)(2)(ii) licensees are required to notify the NRC within four hours after discovery of a suspected or actual cyber attack initiated by personnel with physical or electronic access to digital computer and communication systems and networks within the scope of 10 CFR 73.54.

These are attacks that are initiated by employees, contractors, or vendors that have physical or electronic access to a CDA, CS or a protected network. This could include corporate Information Technology (IT) personnel that may not have unescorted access to the plant, but do have electronic access to digital computer and communication systems and networks within the scope of 10 CFR 73.54. It could also include personnel that do have unescorted access to the plant, but may not have electronic access to digital computer and communication systems and networks within the scope of 10 CFR 73.54. These attacks should be reported within four hours regardless of their impact on SSEP functions.

As stated in 10 CFR 73.77(a)(2)(iii) licensees are required to notify the NRC within four hours after notification of a local, state, or other federal agency (e.g., law enforcement, Federal Bureau of Investigation) of an event related to the licensees implementation of their cyber security program for digital computer and communication systems and networks within the scope of 10 CFR 73.54 that does not otherwise require a notification under 10 CFR 73.77(a).

Licensees should evaluate events that are not reportable under this requirement for reporting or recording under the other provisions of 10 CFR 73.77.

Four-hour Notification Examples:

a. A CDA that was isolated or on a protected network was found to be connected to an unprotected network (wired or wireless) and cyber security controls (e.g., activity logs, antivirus protection, RG 5.83, Rev. 2, Page 6

an intrusion detection system, etc.) indicated the presence of malware or unauthorized access/activity had occurred.

b. An unauthorized transmitter (e.g., wireless router, modem) or unauthorized portable media (e.g.,

memory stick, smart phone) was attached or connected to a CDA, and cyber security controls (e.g., activity logs, antivirus protection, an intrusion detection system, etc.) indicated the presence of malware or unauthorized access/activity had occurred to the CDA.

c. The degradation or failure of a CDA or of the cyber security controls that protect CDAs that is indicative of unauthorized activity (e.g., cyber attack, physical tampering), and could have but does not have an immediate or adverse impact on SSEP functions because, for example, the CDA has an analog backup. This does not include common degradations or failures such as mechanical or electrical.
d. An active cyber attack, (e.g., virus, or worm logic bomb) on a CDA, CS or protected network that could have, but did not cause an adverse impact to SSEP functions or that could have compromised support systems and equipment, which if compromised, could have adversely impacted SSEP functions.
e. A cyber attack that caused an adverse impact to a CDAs and/or CSs confidentiality, integrity or availability, could have but did not cause an adverse impact to SSEP functions or that could have compromised support systems and equipment, which if compromised, could have adversely impacted SSEP functions.. For example, if a remote digital control to an active vehicle barrier has been disabled (e.g., loss of communications), but the barrier is in the denial position and has not and will not allow unauthorized access as a result of the cyber attack.
f. Control of a mobile or portable CDA is lost or misplaced and there are signs of exploitation. For example, a CDA used for maintenance and testing is misplaced or lost, if the CDA is recovered and shows signs of tampering (e.g., physical tampering, malware installed, etc.) or CDAs that are maintained and tested by the lost or misplaced CDA show signs of exploitation (malware, unauthorized access/activity, etc.).

1.3 Eight-hour Notifications As stated in 10 CFR 73.77(a)(3) licensees are required to notify the NRC within eight hours after receipt or collection of information regarding observed behavior, activities, or statements that may indicate intelligence gathering or pre-operational planning related to a cyber attack against digital computer, and communication systems and networks that fall within the scope of 10 CFR 73.54.

Generally, eight-hour notifications should include behavior, activities, or statements that are coordinated and/or targeted.

Additionally, licensees should evaluate events that are not reportable under this requirement for reporting or recording under the other provisions of 10 CFR 73.77.

Eight-hour Notification Examples:

a. Personnel or persons with an uncommon level of interest or making abnormal inquiries related to specific attributes of the licensees cyber security program (e.g., CDAs, CSs, cyber security controls) or vulnerabilities associated with the cyber security program. Such interests or inquiries could occur onsite or offsite (e.g., cyber security symposium) by personnel, vendors, or contractors, or non-employees that do not have a need-to-know (e.g., are not part of, or support, RG 5.83, Rev. 2, Page 7

the licensees cyber security program). This does not include generic public or media inquiries related to plant operations, safety, etc. (i.e., these inquiries are targeted).

b. Unauthorized personnel in a static position in vicinity of the plant (protected area) that are in possession and operating equipment (e.g., laptop, Yagi antenna) capable of scanning for wireless networks. This does not include devices such as personal electronic devices (e.g., smartphones) carried by visitors that are configured to search or join wireless networks (i.e., these activities are targeted).
c. The recognition of the theft or suspicious loss of smart cards, tokens, or other two factor authentication devices required for accessing a CDA or CS.
d. The detection of forged or fabricated smart cards, tokens or other two factor authentication devices required for accessing a CDA/CS or performing authorization activities.
e. The detection of falsified identification badges, key cards, or other access-control devices that allow unauthorized individuals access to a CDA or CS.
f. A targeted spear phishing email (payload) followed-up with a telephone call to the targeted individual attempting to trigger the spear phishing email (social engineering).
g. The recognition of the exfiltration of data (intelligence gathering) from an unprotected network from an unknown source, in conjunction with malware (payload) that was surreptitiously delivered and executed by the unknown source without licensee knowledge.
h. A website posting or notification indicating a planned cyber attack against the plant.
2. 24-hour Recordable Events As stated in 10 CFR 73.77(b) licensees are required to use their site CAP to record vulnerabilities, weaknesses, failures and deficiencies in their 10 CFR 73.54 cyber security program as well as record notifications made under paragraph (a) of 10 CFR 73.77 within twenty-four hours of their discovery.

This includes items or events such as: (1) when a system, component or cyber security control has been reduced to the degree that it is rendered ineffective for the intended purpose (e.g., cessation of proper functioning); (2) a defect in equipment, personnel, or procedure that degrades the function or performance of the cyber security program necessary to meet the requirements of 10 CFR 73.54; (3) a feature or attribute in a systems design, implementation, operation, or management that could render a CDA open to exploitation, or an SSEP function susceptible to adverse impact.

Licensees should utilize the site CAP to perform periodic evaluations to identify any noticeable trends and/or increases in failures and deficiencies in their cyber security program (e.g., equipment vulnerabilities and failures, procedural and/or training weaknesses and deficiencies) to assist in identifying and developing program improvements.

24-hour Recordable Event Examples:

a. A cyber vulnerability assessment that was not performed within the period specified in the licensees Cyber Security Plan (e.g., quarterly).

RG 5.83, Rev. 2, Page 8

b. Improper usage of digital computer and communication systems and networks associated with SSEP functions; or support systems and equipment, which if compromised, could adversely impact SSEP functions. This could include training and procedure deficiencies involving a CDA, cyber security controls or SSEP functions without an adverse impact to their function (e.g.,

connection of unauthorized portable media to a CDA which resulted in no exploitation (e.g., no malware transferred, no unauthorized activity/access occurred).

c. A design flaw or vulnerability in an implemented cyber security control that could have allowed unauthorized access to a CDA, or substantively eliminated or significantly reduced the licensees response capabilities. This is not intended to capture vendor discovered issues that are immediately fixed/patched/corrected. However, flaws or vulnerabilities discovered by a licensee should be recorded (e.g., a licensee scan discovers a vulnerability in cyber security hardware or software that has not been previously identified). Note: If a licensee believes the vulnerability or design flaw could pose an industry-wide risk the licensee should consider immediate notification using the voluntary notification process so the NRC can notify other licensees of the vulnerability or design flaw.
d. A cyber security event that could have allowed undetected or unauthorized access or modification to a CDA, but was not exploited in an attack. For example, a cyber security control or alarm was temporarily disabled or accessed for maintenance and not enabled or secured immediately upon completion of the activity.
3. Notification Process As stated in 10 CFR 73.77(c), each licensee is required to make notifications required by 10 CFR 73.77(a) to the NRC Headquarters Operations Center via the ENS. If the ENS is inoperative or unavailable, the licensee shall make the notification via commercial telephone service or other dedicated telephonic system or any other methods that will ensure a report is received by the NRC Headquarters Operations Center within the specified timeframe. Commercial telephone numbers for the NRC Headquarters Operations Center are specified in appendix A to Part 73, U.S. Nuclear Regulatory Commission Offices and Classified Mailing Addresses. Notifications can be annotated on an Event Notification Worksheet (NRC Form 361). Licensees may obtain an event number and time during notifications. If an LER is required, the licensee may include this information in the LER to provide a cross-reference to the notification, making the event easier to trace.

The individual responsible for conducting the notification should be properly trained and sufficiently knowledgeable of the event to report it correctly.

The NRC records all conversations with the NRC Operations Center. The recordings are saved for one month in case there is a public or private inquiry.

Additionally, if needed, licensees should conduct additional notifications describing substantive changes, additions, or modifications to the initial notification in a timely manner after taking immediate actions to protect the facility or stabilize operations, in accordance with emergency and contingency response procedures.

More than one event can be reported in a single ENS or LER if (1) the events are related (i.e.,

they have the same general cause or consequence) and (2) they occurred as a single activity over a reasonably short time (e.g., within four or eight hours for ENS notifications, or within 60 days for a LER).

Generally, a LER is intended to address a specific event and unrelated events should not be reported in one LER. However, multiple notifications may be addressed in a single telephone call.

RG 5.83, Rev. 2, Page 9

Discussion of an event requiring notification under 10 CFR 73.77 with the NRC staff (e.g.,

resident inspector) does not constitute the required notification to the NRC Headquarters Operations Center. Nor does identification or discovery of events by the NRC staff relieve a licensee from the requirements to notify the NRC Headquarters Operations Center within the timeframes specified in 10 CFR 73.77(a).

3.1 Notifications Containing Safeguards Information Under 10 CFR 73.22(f)(3), licensees may make notifications of cyber security events specified in 10 CFR 73.77, which are considered to be extraordinary conditions, containing Safeguards Information to the NRC Headquarters Operations Center without using a secure communications system. Licensees should not delay notification of such events beyond one-hour after discovery to wait for secure communications. However, if available, a licensee should use a secure communications system to make the notification and protect the Safeguards Information contained in the report from unintentional or inadvertent disclosure. Additionally, licensees should apply this exception to actual events only. As such, it should not be applied to simulated events communicated as part of a drill or exercise, or to routine events (e.g., the retraction of a previous security report as invalid).

3.2 Notifications Containing Classified Information Licensees making notifications under 10 CFR 73.77 that contain classified National Security Information (NSI) or Restricted Data (RD) should notify the NRC Headquarters Operations Center using a secure communications system equivalent (at a minimum) to the classification level of the notification.

Licensees making classified notifications should contact the NRC Headquarters Operations Center at the commercial telephone numbers specified in appendix A to Part 73 and request a number to a secure telephone. If the licensees secure communications capability is unavailable (e.g., because of the nature of the event), the licensee should provide as much information to the NRC as is required by 10 CFR 73.77, without revealing or discussing any classified information. The licensee should also indicate to the NRC at the beginning of the notification that its secure communications capability is unavailable, in order to prevent the inadvertent disclosure of classified information.

If the nature of the cyber security event warrants, NRC Emergency Response Management may direct the licensee to use any available non-secure communications method to immediately communicate classified information to the NRC (regarding cyber security event notifications required by 10 CFR 73.77). If so directed, the licensee should provide the classified information to the NRC over the best available non-secure system (i.e., the NRC staff considers using an available non-secure land-line as preferable to using an available non-secure cellular or satellite system).

In the written security follow-up report for the classified cyber security event notification over non-secure communications, the licensee should document the direction given by the NRC, the reason for the unavailability of a secure communications capability, and the specific classified information that was communicated to or from the NRC over the non-secure communications. The written security follow-up report should be appropriately marked and classified by the licensee. The NRC will use the information in the written security follow-up report to assess the level of impact of the compromise of classified information communicated by the licensee, or the NRC over non-secure communications, in accordance with Executive Order 13526, Classified National Security Information (Ref. 6).

3.3 Continuous Communications For some cyber security events notifications conducted under 10 CFR 73.77(a)(1), the NRC may request that the licensee maintain an open and continuous communication channel with the NRC RG 5.83, Rev. 2, Page 10

Headquarters Operation Center. Human-to-human communication may be beneficial in order to provide for follow-up questions and clarifications, requests for information or actions, and to facilitate NRC response activities. Note: Because notifications have specified timeframes and are based on after discovery of an event, the NRC realizes that the initial notification may be conducted by an individual not knowledgeable about cyber-related activities. However, a cyber security event requiring notification to the NRC should prompt activation of the Cyber Security Incident Response Team (CSIRT). After ensuring safe and secure operations of the plant, a member of the CSIRT (i.e., knowledgeable about cyber-related activities as well as the current cyber security event) should follow-up the initial notification if there are any additions or modifications to the initial notification.

3.4 Retraction of Notifications Licensees desiring to retract a previous cyber security event notification that they have determined (through analysis or investigation) to be non-reportable (e.g., does not meet the threshold of a one, four or eight hour notification) must notify the NRC Headquarters Operations Center by telephone, in accordance with 10 CFR 73.77(c)(5), and indicate the notification being retracted and the basis for the retraction.

Cyber security events may be retracted at any time following the notification to the NRC.

However, if a written security follow-up report has already been submitted licensees should refer to the additional guidance in Section 4.3 below on documenting retractions.

3.5 Declaration of Emergencies Licensees reporting cyber security events under 10 CFR 73.77 that also involve the declaration of an Emergency Classification (e.g., Notification of Unusual Event (NOUE), Alert, Site Area Emergency, or General Emergency), in accordance with their NRC-approved Emergency Response Plan, should follow the appropriate regulations regarding the declaration of an emergency. In other words, emergency declarations have primacy over cyber security event notifications. Consequently, to reduce unnecessary burden and duplication, licensees should make a single report of the events that are subject to both emergency response and cyber security event notifications. Licensees should indicate in their notification all of the applicable reporting requirements for the event. However, a licensee may need to report additional information regarding a cyber security event that would not be included in an emergency response notification.

3.6 Elimination of Duplication Licensees are not required to make separate notifications for cyber security events that also result in the declaration of an emergency. In such circumstances, licensees should make the emergency notifications in accordance with existing regulations (e.g., 10 CFR 50.72). Duplicate notifications are not required for other types of events (e.g., notification of a local, state or other federal agency) that meet the threshold of more than one of NRCs reporting regulations. However, when making such a notification, the licensee should indicate to the NRC that the notification is also to report a cyber security event under a specific paragraph of 10 CFR 73.77.

3.7 Content of Notifications Licensees should be prepared to provide following information, if available at the time of the notification:

a. caller name and callback number, RG 5.83, Rev. 2, Page 11
b. facility name and location,
c. emergency classification (if declared),
d. current event status (e.g., in progress, recovered),
e. event date and time (discovery of, and actual occurrence if known),
f. event description including the following information if available or known:

(1) cyber security controls involved/affected (if any)

(2) system(s) involved/affected (SSEP functions, BOP functions, CDAs, CS)

(3) method used to identify the event (e.g., security controls, audit, failed equipment)

(4) what occurred during the event (5) why the event occurred, if known (6) how the event occurred, if known

g. safety, security, EP responses and corrective actions taken,
h. offsite assistance (e.g., requested or not requested, arrived, status),
i. media interest, if any, including licensee issued press releases,
j. source of information (e.g., U.S. Computer Emergency Readiness Team, law enforcement) if a law enforcement agency, provide contact telephone number.

3.8 Voluntary Notifications Licensees are permitted and encouraged to report any cyber-related event or condition that does not meet the criteria for required reporting, if the licensee believes that the event or condition might be of safety or security significance or of generic interest or concern to the NRC or other licensees. Assurance of safe operation of all plants depends on accurate and complete reporting by each licensee and of all events having potential safety/security significance. For example, a cyber-related event or condition identified and mitigated outside the plant network with no impact on SSEP functions may be indicative of a recently identified or known cyber threat. Such activities should be voluntarily reported to the NRC to support Federal situational awareness activities.

Licensees may make voluntary ENS notifications about cyber-related events or conditions that the licensee believes might be of interest to the NRC. The NRC responds to any voluntary notification of an event or condition as its safety or security significance warrants, regardless of the licensees classification of the reporting requirement. If it is determined later that the event is reportable, the licensee can change the ENS notification to a required notification under the appropriate 10 CFR 73.77 reporting criterion without adverse consequences as long as the voluntary report met the appropriate timeframe and information required of the required notification. Voluntary notifications do not require a written security follow-up report unless later it is determined the event was reportable under 10 CFR 73.77 reporting criteria.

RG 5.83, Rev. 2, Page 12

4. Written Security Follow-up Reports Telephonic notifications to the NRC Headquarters Operations Center for cyber security events specified in paragraphs (a)(1), (a)(2)(i) and (a)(2)(ii) of 10 CFR 73.77 require submission of a written security follow-up report to the NRC within 60 days of the notification in accordance with 10 CFR 73.77(d). Licensees should follow the procedures set forth in 10 CFR 73.4 when submitting their follow-up report. The NRC does not require licensees who have made a notification to the NRC Headquarters Operations Center for cyber security events specified in 10 CFR 73.77(a)(2)(iii), and (a)(3) to submit written security follow-up reports. In addition, cyber security events recorded in the site CAP under 10 CFR 73.77(b) do not require written security follow-up reports.

Written security follow-up reports submitted should be of a format and quality to allow legible reproduction and processing. The written security follow-up reports should contain sufficient details, information, and analysis to allow a knowledgeable individual to understand what occurred during the event. For example, whether any administrative or technical errors occurred, what equipment was involved and/or malfunctioned, what CDAs and/or SSEP functions were affected, if the event involved new hardware and/or software being installed to include patches and updates, or from changes in system settings or configuration. Additionally, the licensee should indicate whether any immediate corrective actions were taken (to include compensatory measures if applicable) and any long-term corrective actions that are planned to prevent recurrence. In accordance with 10 CFR 73.77(d)(12), licensees must retain a copy of any written security follow-up reports submitted to the NRC for at least three years or until the termination of the license, whichever comes first.

4.1 NRC Form 366 and 366A Nuclear power reactor licensees should submit any written security follow-up reports to the NRC required by 10 CFR 73.77 using NRC Form 366, Licensee Event Report (LER) and NRC Form 366A, Licensee Event Report Continuation Sheet if additional pages are needed.

For licensees utilizing the NRC Form 366, items 1 through 15 should be completed as labeled (if known or applicable). For example, the first item 1. Facility Name enter the name of the facility (e.g.,

Indian Point, Unit 1) at which the event occurred. For item 11, check the block that indicates the appropriate requirement (e.g., 10 CFR 73.77(a)(1)). If it is a voluntary LER, check the Other block and indicate voluntary report in the space below. For item 16, Abstract provide a brief description of the cyber event including any failures or degradations that contributed to the event (e.g., user error, procedure violation, cyber security controls) include any CDAs and/or SSEP functions that were impacted by the occurrence and to what extent (e.g., temporarily lost remote (digital) control of the Protected Area Active Vehicle Barrier System due to bad firmware update, barriers were in the up position, and were controlled manually until previous firmware was re-loaded, no unauthorized accesses occurred during this event.).

The NRC Form 366A should be used to provide additional details about the cyber security event to include the content requested from section 4.6 below.

Generally, licensee submitted LERs will be made publically available by the NRC. However, information that is designated by the licensee as, for example, proprietary, safeguards, or classified information, will be withheld (redacted) from the public, as appropriate. Licensees should create, store, mark, label, handle and transmit LERs in accordance with applicable NRC regulations (e.g., 10 CFR 2.390, 73.21, 73.22, part 95). When designated information (e.g., proprietary, safeguards, classified) is included with the LER it should only be entered in item 17, Narrative of NRC Form 366A and not included on the NRC Form 366. In addition, the text should clearly indicate what information is designated as proprietary, safeguards classified, etc.

RG 5.83, Rev. 2, Page 13

4.2 Significant Supplemental Information and Correction of Errors Licensees who discover significant supplemental information after the submission of a written security follow-up report to the NRC should submit a revised written report, in accordance with the same process as used to submit the initial written report. Additionally, licensees who discover errors in a written report previously submitted to the NRC should submit a revised written report, in accordance with the same process as used to submit the initial written report. A revised written report should replace the previous written report (i.e., the updated report should be complete and should not be limited to only the supplementary or revised information). The revised report should indicate the revision number with revision bars to assist the reader.

4.3 Retraction of Previous Written Security Follow-up Reports If a licensee subsequently retracts a notification made under 10 CFR 73.77 and has not yet submitted the written security follow-up report required by 10 CFR 73.77(d), the NRC does not require the licensee to submit the written security follow-up report. However, if the licensee has already submitted a written security follow-up report to the NRC before it retracts the notification, the licensee should then submit a revised written report to the NRC indicating the initial event has been retracted and the basis for that conclusion. This supplemental written security follow-up report is necessary because without the supplemental report (retracting the notification), the only official agency record on the notification would be the initial written security follow-up report, which would not include the retraction.

4.4 Written Security Follow-up Reports Containing Safeguards Information Licensees who submit written security follow-up reports to the NRC containing Safeguards Information should create, store, mark, label, handle, and transmit these written reports in accordance with the requirements in 10 CFR 73.21 and 73.22. Licensees should perform a safeguards designation of such reports. Written security follow-up reports should be portion marked to indicate the designation level of the reports information.

4.5 Written Security Follow-up Reports Containing Classified Information Licensees who submit written security follow-up reports to the NRC containing classified NSI or RD should create, store, mark, label, handle, and transmit these reports in accordance with the requirements of 10 CFR Part 95, Facility Security Clearance and Safeguarding of National Security Information and Restricted Data (Ref. 7). Licensees should perform a derivative classification of such reports in accordance with the classification guide(s) applicable to their facility or activity. Written security follow-up reports should be portion marked to indicate the classification level of the reports information. If the written security follow-up report requires an original classification determination, then the licensee should make a provisional classification decision; mark, handle, store, and transmit the document according to that provisional decision; and forward the document to the NRC for an original classification determination.

4.6 Content of Written Security Follow-up Reports Licensees preparing written security follow-up reports should include sufficient information for the NRC to analyze the cyber security event. The NRC staff recommends that written security follow-up reports contain, at a minimum, the following information, as applicable:

a. date and time of the event, including chronological timeline, if applicable, RG 5.83, Rev. 2, Page 14
b. date and time of notification to the NRC, and/or local, State and Federal agencies,
c. the reactors operating mode at time of event (e.g., shut down, operating),
d. SSEP functions directly or indirectly affected by the event (e.g., compromised, failed, degraded),
e. support systems or equipment directly or indirectly affected that could have compromised SSEP functions (e.g., compromised, failed, degraded),
f. CDAs and/or CS affected by the event (compromised, failed, degraded),
g. security controls involved in the event (e.g., compromised, performed as intended),
h. personnel involved or contacted, such as contractors; security personnel; visitors; plant staff; perpetrators or attackers; NRC personnel; local, State, or Federal responders; and other personnel (specify),
i. method of discovery of the event, or information, such as routine patrol or inspection, test, maintenance, alarm annunciation, audit, communicated threat, unusual circumstances (include details),
j. immediate actions taken in response to the event and any compensatory measures established,
k. description of media interest and press releases,
l. indications or records of previous similar events,
m. procedural or human errors or equipment failures, as applicable,
n. cause of the event, or the licensees analysis of the event (including a brief summary in the report and references to any ongoing or completed detailed investigations, assessments, analyses, or evaluations),
o. corrective actions taken or planned, including dates of completion,
p. name and phone number of a licensees point of contact,
q. For failures, degradations, or discovered vulnerabilities of the cyber security program, licensees should also provide the following information, as applicable, in addition to items a. through p.

above:

(1) description of failed, degraded, or vulnerable equipment, systems or controls (e.g., manufacturer and model number, procedure number),

(2) unusual conditions that may have contributed to the failures, degradations, or discovered vulnerabilities of the equipment, systems or controls (e.g., environmental conditions, plant outage, software update),

(3) security settings/configuration of the components, systems or controls that failed, or became degraded or vulnerable, (4) apparent cause of component, system or control failure, degradation, or vulnerability.

RG 5.83, Rev. 2, Page 15

5. Training of Non-security Staff on Reporting and Recording Requirements The discovery or identification of reportable or recordable events is not limited to members of the licensees security organization. Employees, contractors, and vendors with physical or electronic access to digital computer and communications systems and networks within the scope of 10 CFR 73.54 should receive training on cyber security event notifications to foster awareness and to understand their responsibility to immediately notify site-security or management personnel of anomalies, failures, degradations, or vulnerabilities in the cyber security program to include activities that may indicate intelligence gathering or preoperational planning related to cyber attacks. Licensees may provide this training during general plant training and periodic refresher training. The NRC staff notes that some licensees have also found it beneficial to include training tips or elements of the training program in recurring plant publications, such as newsletters, electronic signs, or other organizational reminders.

RG 5.83, Rev. 2, Page 16

D. IMPLEMENTATION The purpose of this section is to provide information on how applicants and licensees1 may use this guide and information regarding the NRCs plans for using this regulatory guide. In addition, it describes how the NRC staff complies with 10 CFR 50.109, Backfitting and any applicable finality provisions in 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants.

Use by Applicants and Licensees Applicants and licensees may voluntarily2 use the guidance in this document to demonstrate compliance with the underlying NRC regulations. Methods or solutions that differ from those described in this regulatory guide may be deemed acceptable if they provide sufficient basis and information for the NRC staff to verify that the proposed alternative demonstrates compliance with the appropriate NRC regulations. Current licensees may continue to use guidance the NRC found acceptable for complying with the identified regulations as long as their current licensing basis remains unchanged.

Licensees may use the information in this regulatory guide for actions which do not require NRC review and approval such as changes to a facility design under 10 CFR 50.59, Changes, Tests, and Experiments. Licensees may use the information in this regulatory guide or applicable parts to resolve regulatory or inspection issues.

Use by NRC Staff The NRC staff does not intend or approve any imposition or backfitting of the guidance in this regulatory guide. The NRC staff does not expect any existing licensee to use or commit to using the guidance in this regulatory guide, unless the licensee makes a change to its licensing basis. The NRC staff does not expect or plan to request licensees to voluntarily adopt this regulatory guide to resolve a generic regulatory issue. The NRC staff does not expect or plan to initiate NRC regulatory action which would require the use of this regulatory guide. Examples of such unplanned NRC regulatory actions include issuance of an order requiring the use of the regulatory guide, requests for information under 10 CFR 50.54(f) as to whether a licensee intends to commit to use of this regulatory guide, generic communication, or promulgation of a rule requiring the use of this regulatory guide without further backfit consideration.

During regulatory discussions on plant specific operational issues, the staff may discuss with licensees various actions consistent with staff positions in this regulatory guide, as one acceptable means of meeting the underlying NRC regulatory requirement. Such discussions would not ordinarily be considered backfitting even if prior versions of this regulatory guide are part of the licensing basis of the facility. However, unless this regulatory guide is part of the licensing basis for a facility, the staff may not represent to the licensee that the licensees failure to comply with the positions in this regulatory guide constitutes a violation.

If an existing licensee voluntarily seeks a license amendment or change and (1) the NRC staffs consideration of the request involves a regulatory issue directly relevant to this new or revised regulatory guide and (2) the specific subject matter of this regulatory guide is an essential consideration in the staffs 1

In this section, licensees refers to licensees of nuclear power plants under 10 CFR Parts 50 and 52; and the term applicants, refers to applicants for licenses and permits for (or relating to) nuclear power plants under 10 CFR Parts 50 and 52, and applicants for standard design approvals and standard design certifications under 10 CFR Part 52.

2 In this section, voluntary and voluntarily means that the licensee is seeking the action of its own accord, without the force of a legally binding requirement or an NRC representation of further licensing or enforcement action.

RG 5.83, Rev. 2, Page 17

determination of the acceptability of the licensees request, then the staff may request that the licensee either follow the guidance in this regulatory guide or provide an equivalent alternative process that demonstrates compliance with the underlying NRC regulatory requirements. This is not considered backfitting as defined in 10 CFR 50.109(a)(1) or a violation of any of the issue finality provisions in 10 CFR Part 52.

Additionally, an existing applicant may be required to comply with new rules, orders, or guidance if 10 CFR 50.109(a)(3) applies.

If a licensee believes that the NRC is either using this regulatory guide or requesting or requiring the licensee to implement the methods or processes in this regulatory guide in a manner inconsistent with the discussion in this Implementation section, then the licensee may file a backfit appeal with the NRC in accordance with the guidance in NUREG-1409, Backfitting Guidelines, (Ref. 8) and the NRC Management Directive 8.4, Management of Facility-Specific Backfitting and Information Collection (Ref. 9).

RG 5.83, Rev. 2, Page 18

GLOSSARY This glossary is intended to aid the reader in implementing this guide to meet the requirements set forth in 10 CFR 73.77. Definitions for certain security terms are also found in 10 CFR 73.2, Definitions.

Access control The control of entry or use, to all or part, of any physical, functional, or logical component of a CDA.

Adverse impact A direct deleterious effect on a CDA (e.g., loss or impairment of function, reduction in reliability, reduction in the ability to detect, delay, assess or respond to malevolent activities, reduction of ability to call for or communicate with offsite assistance, and the reduction in emergency response ability to implement appropriate protective measures in the event of a radiological emergency). In the case where the direct or indirect compromise of a support system causes a safety-related, important-to-safety, security or emergency preparedness system or support system to actuate or fail safe and not result in radiological sabotage (i.e., causes the system to actuate properly in response to established parameters and thresholds), this is not considered to be an adverse impact in the context of 10 CFR 73.54(a).

Compromise Loss of confidentiality, integrity, or availability of data or system function.

Critical digital A subcomponent of a critical system that consists of or contains a digital device, asset (CDA) computer or communication system or network.

Critical system An analog or digital technology based system in or outside of the plant that performs (CS) or is associated with a safety-related, important-to-safety, security, or emergency preparedness function. These critical systems include, but are not limited to, plant systems, equipment, communication systems, networks, offsite communications, or support systems or equipment, that perform or are associated with a safety-related, important-to-safety, security, or emergency preparedness function.

Cyber attack The manifestation of either physical or logical (i.e., electronic or digital) threats against computers, communication systems, or networks that may (1) originate from either inside or outside the licensees facility, (2) have internal and external components, (3) involve physical or logical threats, (4) be directed or non-directed in nature, (5) be conducted by threat agents having either malicious or non-malicious intent, and (6) have the potential to result in direct or indirect adverse effects or consequences to critical digital assets or critical systems. This includes attempts to gain unauthorized access to a CDA and/or CSs services, resources, or information, the attempt to compromise a CDA and/or CSs integrity, availability, or confidentiality or the attempt to cause an adverse impact to a SSEP function. Further background on cyber attacks which are up to and including DBT can be found in Sections 1.1(c), 1.2, and 1.5 of Regulatory Guide 5.69, and the cyber attack may occur individually or in any combination.

Integrity Quality of a system reflecting the logical correctness and reliability of the operation of the system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data. Additionally, integrity includes protection against unauthorized modification or destruction of information.

Interruption of A departure from normal operations or conditions that, if accomplished, would result RG 5.83, Rev. 2, Page 19

normal operation in a challenge to the facilitys safety, security, or emergency response systems. This may also include an event that causes a significant redistribution of security, safety, or emergency response resources. This could include intentional tampering with systems or equipment that is normally in a standby mode, but would need to operate if called upon in an abnormal or emergency situation. Section 236 of the AEA (42 U.S.C. Section 2284) treats as sabotage the knowing interruption of normal operation of any such facility through the unauthorized use of, or tampering with, the machinery, components, or controls of any such facility, or attempting or conspiring to carry out such an act.

Malware Malicious software designed to infiltrate or damage a CDA, CS or protected network without licensee consent. Malware includes computer viruses, worms, Trojan horses, Root kits, spyware, adware and other potentially unwanted programs.

Mobile code Programs or parts of programs obtained from remote control systems, transmitted across a network, and executed on a local system without explicit installation or execution by the recipient.

Patch A fix for a CDA or software program where the actual binary executable and related files are modified.

Protected network A network that is air gapped or behind a data diode that contains one or more CDAs.

Recovery Steps taken to restore a system, function, or device to its original state of operation following a catastrophic or partial loss of functionality or when an original state of operation is challenged by either an event (such as a cyber attack) or anomaly (behavior not expected from normal operation).

Social engineering Attempts by unauthorized individuals to gain physical or electronic (e.g., password) techniques access to systems via impersonation of authorized functions or personnel.

Tampering Altering, disabling, or damaging digital computer and communications systems and (Cyber) networks or cyber security controls for improper purposes or in an improper manner.

RG 5.83, Rev. 2, Page 20

REFERENCES3

1. U.S Code of Federal Regulations (CFR), Physical Protection of Plants and Materials, Part 73, Chapter 1, Title 10, Energy.
2. CFR, Domestic Licensing of Production and Utilization Facilities, Part 50, Chapter 1, Title 10, Energy.
3. NRC, Regulatory Guide (RG) 5.69, Guidance for the Application of Radiological Sabotage Design-Basis Threat in the Design, Development and Implementation of a Physical Security Program that Meets 10 CFR 73.55 Requirements, Washington, DC.
4. U.S. Homeland Securitys, Terrorist Threats to the U.S. Homeland Reporting Guide for Critical Infrastructure and Key Resource Owners and Operators, dated January 24, 2005. (ADAMS No.

ML112280232).

5. NRC, SRM-10-0001, "Regulation of Cyber Security at Nuclear Power Plants," Washington, DC, October 21, 2010. (ADAMS No. ML102940009).
6. Executive Order 13526, Classified National Security Information, dated December 29, 2009 published December 29, 2009. (75 FR 707).
7. CFR, Facility Security Clearance and Safeguarding of National Security Information and Restricted Data, Part 95, Chapter 1, Title 10, Energy.
8. U.S. Nuclear Regulatory Commission, "Backfitting Guidelines," NUREG-1409, Washington, DC, June 1990. (ADAMS No. ML032230247).
9. NRC Management Directive 8.4, "Management of Facility Specific Backfitting and Information Collection," U.S. Nuclear Regulatory Commission, Washington, DC.

3 Publicly available NRC published documents are available electronically through the NRC Library on the NRCs public Web site at http://www.nrc.gov/reading-rm/doc-collections/ and through the NRCs Agencywide Documents Access and Management System (ADAMS) at http://www.nrc.gov/reading-rm/adams.html The documents can also be viewed online or printed for a fee in the NRCs Public Document Room (PDR) at 11555 Rockville Pike, Rockville, MD. For problems with ADAMS, contact the PDR staff at 301-415-4737 or (800) 397-4209; fax (301) 415-3548; or e-mail pdr.resource@nrc.gov.

RG 5.83, Rev. 2, Page 21