ML14350B288
| ML14350B288 | |
| Person / Time | |
|---|---|
| Issue date: | 12/24/2014 |
| From: | Westreich B Office of Nuclear Security and Incident Response |
| To: | Earls C Nuclear Energy Institute |
| References | |
| NEI 13-10, Rev 2 | |
| Download: ML14350B288 (3) | |
Text
December 24, 2014 Mr. Christopher E. Earls, Sr. Director Engineering and Licensing Nuclear Energy Institute 1201 F Street, N.W., Suite 1100 Washington, DC 20004
SUBJECT:
NUCLEAR ENERGY INSTITUTE 13-10, CYBER SECURITY CONTROL ASSESSMENTS, REVISION 2, DATED DECEMBER 2014
Dear Mr. Earls:
In your letter dated December 9, 2014 (Agencywide Document Access and Management System (ADAMS) Accession No. ML14351A287), you requested that the U.S. Nuclear Regulatory Commission (NRC) staff review and endorse the Nuclear Energy Institutes (NEIs) guidance document NEI 13-10, Cyber Security Control Assessments, Revision 2, dated December 2014 (ADAMS Accession No. ML14351A288). NEI revised NEI 13-10 to incorporate a cyber security assessment for technical security controls for a class of critical digital assets (CDAs) that are very simple and are categorized as Class A.1 CDAs.
The revised NEI 13-10 added Appendix D, which provides the detailed description of Class A.1 CDAs and cyber assessment of technical security controls for this device as an example (The Class A.1 CDAs do not have human or machine interface, and communication capabilities and program codes inside the CDAs cannot be revised). Additionally, the revised NEI 13-10 includes the addition of Section 6 Cyber Security Control Assessments of Direct CDAs, to provide a brief explanation of the use and application of Appendix D and minor changes to the main body of NEI 13-10 to reference the new Section 6 and Appendix D.
The NRC staff completed its review of the newly added Section 6 and Appendix D based on the following definition of access, that the industry and the NRC agreed on:
Access - the term access as used in NEI 08-09 Rev. 6 Appendix D is defined as access to data, program code, logic or configuration settings within a CDA through a local or remote, machine or human interface that could result in an adverse impact to an SSEP function.
However, the definition of access was not included in the revision.
C. Earls Based on the above review, the staff concluded that 13-10, Revision 2 is acceptable for use by licensees to perform and document their cyber assessments of those security controls provided in Appendix D provided that the licensees use the term access as defined above. The licensees determinations of a CDA as Class A.1 CDA and their cyber security assessments of the required security controls are subject to NRC inspection after the licensees complete the implementation of their cyber security programs as described in their cyber security plans.
Please contact Eric Lee at (301) 287-3467 if you have any questions.
Sincerely,
/RA/
Barry C, Westreich, Director Cyber Security Directorate Office of Nuclear Security and Incident Response
C. Earls Based on the above review, the staff concluded that 13-10, Revision 2 is acceptable for use by licensees to perform and document their cyber assessments of those security controls provided in Appendix D provided that the licensees use the term access as defined above. The licensees determinations of a CDA as Class A.1 CDA and their cyber security assessments of the required security controls are subject to NRC inspection after the licensees complete the implementation of their cyber security programs as described in their cyber security plans.
Please contact Eric Lee at (301) 287-3467 if you have any questions.
Sincerely,
/RA/
Barry C, Westreich, Director Cyber Security Directorate Office of Nuclear Security and Incident Response Distribution:
E. Lee, NSIR ADAMS Accession No. ML14350B288 OFFICE NSIR/CSD NSIR/CSD/D NAME E. Lee B. Westreich DATE 12/18/14 12/24/14