Issuance of Amendment Nos. 251 and 298, Revise Operating License Conditions Related to Cyber Security Plan Milestone 8 Full Implementation Date

ML14322A206
Person / Time
Site:	Arkansas Nuclear
Issue date:	12/08/2014
From:	Andrea George Plant Licensing Branch IV
To:	Entergy Operations
George A
References
TAC MF3277, TAC MF3278
Download: ML14322A206 (18)
v • d • e

Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 December 8, 2014 Vice President, Operations Arkansas Nuclear One Entergy Operations, Inc.

1448 S.R. 333 Russellville, AR 72802

SUBJECT:

ARKANSAS NUCLEAR ONE, UNIT NOS. 1 AND 2 - ISSUANCE OF AMENDMENTS RE: CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE REVISION (TAC NOS. MF3277 AND MF3278)

Dear Sir or Madam:

The Commission has issued the enclosed Amendment Nos. 251 and 298 to Renewed Facility Operating License Nos. DPR-51 and NPF-6, respectively, for Arkansas Nuclear One, Unit Nos. 1 and 2. The amendments consist of changes to the physical protection license condition in response to your application dated December 17, 2013, as supplemented by letter dated May 13, 2014. The amendments revise the full implementation date (Milestone 8) of the Cyber Security Plan.

A copy of our related Safety Evaluation is also enclosed. The Notice of Issuance will be included in the Commission's next biweekly Federal Register notice.

Sincerely, Andrea E. George, Project Manager Plant Licensing Branch IV-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. 50-313 and 50-368

Enclosures:

1. Amendment No. 251 to DPR-51

2. Amendment No. 298 to NPF-6

3. Safety Evaluation cc w/encls: Distribution via Listserv

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 ENTERGY OPERATIONS, INC.

DOCKET NO. 50-313 ARKANSAS NUCLEAR ONE, UNIT NO. 1 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 251 Renewed License No. DPR-51

1. The Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by Entergy Operations, Inc. (the licensee), dated December 17, 2013, as supplemented by letter dated May 13, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this license amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

Enclosure 1

2. Accordingly, the license is amended as indicated in the attachment to this license amendment, and Paragraph 2.c.(4) of Renewed Facility Operating License No. DPR-51 is hereby amended to read as follows:

(4) EOI shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The EOI CSP was approved by License Amendment No. 244 as supplemented by changes approved by License Amendment Nos. 247 and 251.

3. The license amendment is effective as of its date of issuance and shall be implemented immediately upon issuance.

FOR THE NUCLEAR REGULATORY COMMISSION Eric R. Oesterle, Acting Chief Plant Licensing Branch IV-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

Attachment:

Changes to the Renewed Facility Operating License No. DPR-51 Dateoflssuance: December 8, 2014

ATTACHMENT TO LICENSE AMENDMENT NO. 251 RENEWED FACILITY OPERATING LICENSE NO. DPR-51 DOCKET NO. 50-313 Replace the following page of the Renewed Facility Operating License No. DPR-51 with the attached revised page. The revised page is identified by amendment number and contains marginal lines indicating the areas of change.

Operating License REMOVE INSERT 4 4

EOI shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The EOI CSP was approved by License Amendment No. 244 as supplemented by changes approved by License Amendment Nos. 247 and 251.

(5) Implementation of the Improved Technical Specifications (ITS)

The licensee is authorized to relocate certain Technical Specification requirements previously included in Appendix A to licensee controlled documents, as described in TableR, Relocated Specifications, and Table LA, Removal of Details, attached to the Safety Evaluation for Amendment No. 215. These requirements shall be relocated to the appropriate documents as part of the implementation of the ITS.

The schedule for performing Surveillance Requirements (SRs) that are new or revised in Amendment No. 215 shall be as follows:

1. For SRs that are new in this amendment, the first performance shall be due at the end of the first surveillance interval, which begins on the date of implementation of this amendment.

2. For SRs that existed prior to this amendment whose intervals of performance are being reduced, the first reduced surveillance interval shall begin upon completion of the first surveillance performed after implementation of this amendment.

3. For SRs that existed prior to this amendment that contained modified acceptance criteria, the performance shall be due at the end of the first surveillance interval that began on the date the surveillance was last performed prior to the implementation of this amendment.

4. For SRs that existed prior to this amendment whose interval of performance are being extended, the first extended surveillance interval shall begin upon completion of the last surveillance performed prior to the implementation of this amendment.

(6) Deleted (7) Deleted Renewed License No. DPR-51 Amendment No. 215, 244, 247, 251

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 ENTERGY OPERATIONS, INC.

DOCKET NO. 50-368 ARKANSAS NUCLEAR ONE. UNIT NO. 2 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 298 Renewed License No. NPF-6

1. The Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by Entergy Operations, Inc. (the licensee), dated December 17, 2013, as supplemented by letter dated May 13, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this license amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

Enclosure 2

2. Accordingly, the license is amended as indicated in the attachment to this license amendment, and Paragraph 2.D of Renewed Facility Operating License No. NPF-6 is hereby amended to read as follows:

D. EOI shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The EOI CSP was approved by License Amendment No. 294 as supplemented by changes approved by License Amendment Nos. 295 and 298.

3. The license amendment is effective as of its date of issuance and shall be implemented immediately upon issuance.

FOR THE NUCLEAR REGULATORY COMMISSION Eric R. Oesterle, Acting Chief Plant Licensing Branch IV-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

Attachment:

Changes to the Renewed Facility Operating License No. NPF-6 Date of Issuance: December 8, 2014

ATTACHMENT TO LICENSE AMENDMENT NO. 298 RENEWED FACILITY OPERATING LICENSE NO. NPF-6 DOCKET NO. 50-368 Replace the following page of the Renewed Facility Operating License No. NPF-6 with the attached revised page. The revised page is identified by amendment number and contains marginal lines indicating the areas of change.

Operating License REMOVE INSERT 8

D. Physical Protection EOI shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans, including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains Safeguards Information protected under 10 CFR 73.21, is entitled: "Arkansas Nuclear One Physical Security, Safeguards Contingency and Training & Qualification Plan," as submitted on May 4, 2006.

EOI shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The EOI CSP was approved by License Amendment No. 294 as supplemented by changes approved by License Amendment Nos. 295 and 298.

E. This renewed license is subject to the following additional condition for the protection of the environment:

Before engaging in additional construction or operational activities which may result in an environmental impact that was not evaluated by the Commission, EOI will prepare and record an environmental evaluation for such activity. When the evaluation indicates that such activity may result in a significant adverse environmental impact that was not evaluated, or that is significantly greater than that evaluated, in the Final Environmental Statement (NUREG-0254) or any addendum thereto, and other NRC environmental impact assessments, EOI shall provide a written evaluation of such activities and obtain prior approval from the Director, Office of Nuclear Reactor Regulation.

F. Updated Final Safety Analysis Report Supplement The Final Safety Analysis Report supplement, as revised, shall be included in the next scheduled update to the Final Safety Analysis Report required by 10 CFR 50.71(e)(4) following issuance of this renewed license. Until that update is complete, AN0-2 may make changes to the programs and activities described in the supplement without prior Commission approval, provided that AN0-2 evaluates each such change pursuant to the criteria set forth in 10 CFR 50.59 and otherwise complies with the requirements of that section.

The AN0-2 Final Safety Analysis Report supplement, submitted pursuant to 10 CFR 54.21 (d), describes certain future activities to be completed prior to the period of extended operation. AN0-2 shall complete these activities no later than July 17, 2018, and shall notify the NRC in writing when implementation of these activities is complete and can be verified by NRC inspection.

Renewed License No. NPF-6 Amendment No. ~. 2-94, 2-9e, 298

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NOS. 251 AND 298. RESPECTIVELY. TO RENEWED FACILITY OPERATING LICENSE NOS. DPR-51 AND NPF-6 ENTERGY OPERATIONS. INC.

ARKANSAS NUCLEAR ONE. UNIT NOS. 1 AND 2 DOCKET NOS. 50-313 AND 50-368

1.0 INTRODUCTION

By application dated December 17, 2013 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML13357A749), as supplemented by letter dated May 13, 2014 (ADAMS Accession No. ML14133A227), Entergy Operations Inc. (Entergy, the licensee),

requested a change to the Renewed Facility Operating Licenses (FOLs) for Arkansas Nuclear One (ANO), Unit Nos. 1 and 2. The proposed change would revise the date of Cyber Security Plan (CSP) Implementation Schedule Milestone 8 and the existing license physical protection license conditions in the Renewed FOLs. Milestone 8 of the CSP implementation schedule concerns the full implementation of the CSP.

Portions of the letter dated December 17, 2013, contain sensitive unclassified non-safeguards information and, accordingly, those portions are withheld from public disclosure in accordance with the provisions of paragraph 2.390(d)(1) of Title 10 of the Code of Federal Regulations (10 CFR).

The supplemental letter dated May 13, 2014, provided additional information that clarified the application, did not expand the scope of the application as originally noticed, and did not change the U.S. Nuclear Regulatory Commission (NRC) staff's original proposed no significant hazards consideration determination as published in the Federal Register on June 6, 2014 (79 FR 32763).

2.0 REGULATORY EVALUATION

The NRC staff reviewed and approved the licensee's existing CSP implementation schedule by License Amendment Nos. 244 and 294, for ANO, Unit Nos. 1 and 2, respectively, dated July 27, 2011 (ADAMS Accession No. ML111861394). The approved amendments incorporated the CSP into the facilities' current licensing bases via revisions to the physical protection license condition. The NRC staff considered the following regulatory requirements Enclosure 3

and guidance in its review of the current license amendment request to modify the existing CSP implementation schedule:

• Section 73.54, "Protection of digital computer and communication systems and networks," of 10 CFR states, in part, that: "Each [CSP] submittal must include a proposed implementation schedule. Implementation of the licensee's cyber security program must be consistent with the approved schedule."

• The licensee's Renewed FOLs include a license condition that requires the licensee to fully implement and maintain in effect all provisions of the Commission-approved CSP.

• In a publically available NRC memorandum dated October 24, 2013 (ADAMS Accession No. ML13295A467), "Review Criteria for Title 10 of the Code of Federal Regulations Part 73.54, Cyber Security Implementation Schedule Milestone 8 License Amendment Requests," the NRC staff listed criteria to consider during evaluations of licensees' requests to postpone their cyber security program implementation date (commonly known as Milestone 8).

The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that "[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRC staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML110980538), the implementation of the plan, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. All subsequent changes to the NRC-approved CSP implementation schedule, therefore, will require prior NRC approval as required by 10 CFR 50.90.

3.0 TECHNICAL EVALUATION

Background information regarding Cyber Security Implementation Plans and a description of each Milestone can be found in the Nuclear Energy Institute (NEI) letter dated February 28, 2011, 'Template for the Cyber Security Plan Implementation Schedule" (ADAMS Package Accession No. ML110600206).

3.1 Licensee's Requested Change Amendment Nos. 244 and 294 to Renewed FOLs for ANO, Unit Nos. 1 and 2, were issued on July 27, 2011. The NRC staff also approved the licensee's CSP implementation schedule, as discussed in the safety evaluation issued with the amendments. The implementation schedule had been submitted by the licensee based on the template discussed above. The NRC staff determined that the NEI template was acceptable for licensees to use to develop their CSP implementation schedules. The licensee's proposed implementation schedule for the Cyber Security Program identified completion dates and bases for the following eight milestones:

1) Establish the Cyber Security Assessment Team (CSAT);

2) Identify Critical Systems and Critical Digital Assets (CDAs);

3) Implement installation of a deterministic one-way device between lower level devices and higher level devices;

4) Implement the security control "Access Control For Portable And Mobile Devices";

5) Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds by incorporating the appropriate elements;

6) Identify, document, and implement technical cyber security controls in accordance with Mitigation of Vulnerabilities and Application of Cyber Security Controls for CDAs that could adversely impact the design function of physical security target set equipment;

7) Commence ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented; and

8) Fully implement the CSP.

Currently, Milestone 8 of the CSP for ANO, Unit Nos. 1 and 2, requires the licensee to fully implement the CSP by December 15, 2014. In its December 17, 2013, application, the licensee proposed to change the Milestone 8 completion date to June 30, 2016.

The licensee provided the following information pertinent to each of the criteria identified in the NRC memorandum dated October 24, 2013, regarding guidance for submitting CSP Milestone 8 implementation date revision license amendment requests (see Section 2 of this Safety Evaluation for more information):

1) Identification of the specific requirement or requirements of the cyber security plan that the licensee needs additional time to implement.

The licensee stated that the specific requirements of the CSP that it needed additional time to implement are: Section 3, Analyzing Digital Computer Systems and Networks, and Section 4, Establishing, Implementing and Maintaining the Cyber Security Program. The licensee described specific requirements needing additional time including determining the need for a specific security feature which would provide for auditing and accountability; monitoring tools and techniques; analyzing security alerts and advisories; and would assist personnel performing maintenance and testing activities. The licensee also described a need for additional physical security controls for CDAs outside the protected area and significant programmatic management changes associated with approximately 40 procedure revisions related to operational and management cyber security controls.

2) Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.

The licensee stated it had a project team of approximately 20 personnel to perform and document the cyber security assessment process. The licensee further stated that even with

those personnel resources, the analysis, which began in 2011, was projected to be completed by the second quarter of 2014. In its letter dated December 31, 2013, the licensee stated, in part, that Since the number of CDAs and existing procedures is in the hundreds and the number of individual cyber security control attributes is also in the hundreds, the total of physical, logical, and programmatic changes required constitutes a significant project involving plant components and systems, and substantial planning. Additionally, changes to CDAs and procedures must be integrated into the plant operational schedule including on-line operations, maintenance and testing, as well as planning and execution of refueling outages. With this analysis concluding in the second quarter of 2014, it is expected that insufficient time will remain in 2014 to conduct modification and change management planning activities and execution.

Further, the licensee intends to complete planning for the specific security features mentioned in item 1 above in 2014, and implement them within the next 18 months.

3) A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available.

The licensee proposed a Milestone 8 completion date of June 30, 2016 and stated that the revised Milestone 8 date will provide a 6-month contingency for implementation of the security features mentioned in item 1 above.

4) An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall cyber security program in the context of milestones already completed.

In its letter dated December 13, 2013, the licensee stated, in part, that The impact of the requested additional implementation time on the effectiveness of the overall cyber security program is considered to be very low because the milestones already completed have resulted in a high degree of protection of safety-related, important-to-safety, and security CDAs against [common] threat vectors .... Additionally, extensive physical and administrative measures are already in place for CDAs because they are plant components pursuant to the Physical Security Plan and Technical Specification requirements.

In an NRC staff request for additional information (RAI) dated April 30, 2014 (ADAMS Accession No. ML14113A495), the staff requested further details regarding implementation of CSP Milestone 5. In its letter dated May 13, 2014, the licensee responded to this RAI, stating that the milestone of concern had been completed and that the extension request currently under review had no effect on the implementation of Milestones 5, 6, or 7.

5) A description of the licensee's methodology for prioritizing completion of work for critical digital assets associated with significant safety, security, or emergency preparedness consequences and with reactivity effects in the balance of plant.

In its letter dated December 13, 2013, the licensee stated the following regarding this criterion:

Because CDAs are plant components, prioritization follows the normal work management process that places the highest priority on apparent conditions adverse to quality in system, structure, and component design function and related factors such as safety risk and nuclear defense-in-depth, as well as threats to continuity of electric power generation in the Balance-of-Plant. Further, in regard to deterministic isolation and control of portable media devices (PMD) for safety-related, important-to-safety (including Balance-of-Plant) and security CDAs, maintenance of one-way or air gapped configurations and implementation of control of PMD remains high priority. This prioritization enabled completion of cyber security Interim Milestones 3 and 4 in 2012. High focus continues to be maintained on prompt attention to any emergent issue with these CDAs that would potentially challenge the established cyber protective barriers. Additionally it should be noted that these CDAs encompass those associated with physical security target sets.

6) A discussion of the licensee's cyber security program performance up to the date of the license amendment request.

The licensee stated there has been no identified compromise of safety, security, and emergency preparedness (SSEP) functions by cyber means at any Entergy plant. The licensee noted its experience with the scanning of portable devices, as well as the performance of a formal Quality Assurance (QA) audit in the last quarter of 2013 that included review of the CSP implementation. The licensee stated that there were no significant findings related to overall cyber security program performance and effectiveness.

7) A discussion of cyber security issues pending in the licensee's corrective action program.

The licensee stated there are presently no significant nuclear cyber security issues (constituting a threat to a CDA via cyber means or calling into question program effectiveness) pending in the licensee's corrective action program (CAP). Several non-significant issues identified during the aforementioned QA audit have been entered into the licensee's CAP.

Final actions regarding some program activities are pending.

8) A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.

The licensee provided a brief discussion of a completed modification and pending modifications.

3.2 NRC Staff Evaluation

The NRC staff has evaluated the licensee's application using the regulatory requirements and guidance above. The NRC staff's evaluation is below.

The NRC staff concludes that the actions the licensee noted as being required to implement the CSP, Section 3, Analyzing Digital Computer Systems and Networks, and Section 4, Establishing, Implementing and Maintaining the Cyber Security Program, are reasonable as discussed below.

The licensee indicated that the activities associated with the CSP, as described in Milestones 1 through 7, were completed prior to December 31, 2012, and that these activities provide a high degree of protection to ensure that the most significant digital computer and communication systems and networks associated with SSEP functions are protected against cyber attacks.

The NRC staff concludes that the Entergy's ANO, Unit Nos. 1 and 2, are more secure after the implementation of Milestones 1 through 7 because the activities the licensee has completed, such as deterministic isolation and control of portable media devices, mitigate the most significant cyber attack vectors for the most significant CDAs. Therefore, the NRC has reasonable assurance that full implementation of the CSP by June 30, 2016 will provide adequate protection of the public health and safety and the common defense and security.

The licensee has stated that the scope of actions and resources required to fully implement its CSP were not anticipated when the implementation schedule was originally determined. The NRC staff recognizes that CDA assessment work, to include application of controls, is much more complex and resource-intensive than originally anticipated, in part due to the NRC expanding the scope of the cyber security requirements to include Balance-of-Plant. As a result, the licensee has a large number of additional tasks not originally considered when developing its CSP implementation schedule. The NRC staff concludes that the licensee's request for additional time to implement Milestone 8 is reasonable given the unanticipated complexity, volume, and scope of the work required to come into full compliance with its CSP.

The licensee proposed a Milestone 8 completion date of June 30, 2016. Revising the completion date of Milestone 8 allows additional time for the licensee to implement changes to CDAs, procedures, and cyber security controls. Additionally, the Milestone 8 implementation date revision provides the necessary time for the licensee to methodically plan, implement, and test the required additions or changes and allows those additions or changes that require a design change to be performed. The licensee stated that its methodology for prioritizing Milestone 8 activities is centered on considerations for SSEP and Balance-of-Plant (continuity of power) consequences. The licensee's methodology is based on defense-in-depth, installed configuration of the CDA, and susceptibility to the five commonly identified threat vectors.

Prioritization for CDA assessment begins with safety-related CDAs and continues through lower priority, non-safety, and emergency preparedness CDAs. The NRC staff concludes that based on the large number of digital assets described above and the limited number of resources with the appropriate expertise to perform these activities, that the licensee's methodology for prioritizing work on CDAs is appropriate. The NRC staff further concludes that the licensees request to delay final implementation of the CSP until June 30, 2016, is reasonable given the complexity of the remaining work.

3.3 Revision to License Conditions By letter dated December 17, 2013, the licensee proposed to modify Paragraph 2.c.(4) of Renewed FOL No. DPR-51 for ANO Unit No. 1, and to modify Paragraph 2.D of Renewed FOL No. NFP-6 for ANO Unit No. 2, which provide license conditions to require the licensee to fully implement and maintain in effect all provisions of the NRC-approved CSP.

The license condition in Paragraph 2.c.(4) of Renewed FOL No. DPR-51 for ANO Unit No. 1 is modified as follows:

(4) EOI shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The EOI CSP was approved by License Amendment No. 244 as supplemented by changes approved by License Amendment Nos. 24 7 and 251.

The license condition in Paragraph 2.D of Renewed FOL No. NPF-6 for ANO Unit No.2 is modified as follows:

2. D EOI shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The EOI CSP was approved by License Amendment No. 294 as supplemented by changes approved by License Amendment Nos. 295 and 298.

3.4 Conclusion Based on the information provided by the licensee, the NRC staff concludes that implementation of Milestones 1 through 7 provides significant protection against cyber attacks and that the licensee provided a sufficient basis to justify the need for additional time to implement Milestone 8. The NRC staff concludes that it is acceptable for the licensee to complete implementation of Milestone 8, full implementation of the CSP, by June 30, 2016. The NRC staff also concludes that, upon full implementation of the licensee's cyber security program, the requirements of the licensee's CSP and 10 CFR 73.54 will be met.

4.0 STATE CONSULTATION

In accordance with the Commission's regulations, the Arkansas State official was notified of the proposed issuance of the amendments. The State official had no comments.

5.0 ENVIRONMENTAL CONSIDERATION

These amendments to 10 CFR Part 50 licenses relate solely to safeguards matters, do not involve any significant construction impacts, and are administrative changes to extend the date by which the licensee must have its cyber security plan fully implemented. The Commission has previously issued a proposed finding that the amendments involve no significant hazards

consideration, and there has been no public comment on such finding published in the Federal Register on June 6, 2014 (79 FR 32763). Accordingly, the amendments meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(12). Pursuant to 10 CFR 51.22(b),

no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendments.

6.0 CONCLUSION

The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributor: J. Rycyna, NSIR/CSD D~e:December 8, 2014

ML14322A206 *via email OFFICE NRR/DORL/LPL4-1/PM NRR/DORL/LPL4-1/LA NSIR/CSD*

NAME A George JBurkhardt RFelts DATE 11/24/14 11/24/14 11/5/14 OFFICE OGC NLO NRR/DORLILPL4-1/BC (A) NRR/DORLILPL4-1/PM NAME SCI ark* EOesterle A George DATE 12/4/14 12/8/14 12/8/14