Issuance of Amendments Concerning Extension of Cyber Security Plan Milestone 8

ML15155A539
Person / Time
Site:	Point Beach
Issue date:	07/14/2015
From:	Mahesh Chawla Plant Licensing Branch III
To:	Mccartney E Point Beach
Chawla M
References
TAC MF4488, TAC MF4489
Download: ML15155A539 (18)
v • d • e

Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 Mr. Eric McCartney Site Vice President NextEra Energy Point Beach, LLC 6610 Nuclear Road Two Rivers, WI 54241 July 14, 2015

SUBJECT:

POINT BEACH NUCLEAR PLANT, UNITS 1AND2 - ISSUANCE OF AMENDMENTS CONCERNING EXTENSION OF CYBER SECURITY PLAN MILESTONE 8 (TAC NOS. MF4488 AND MF4489)

Dear Mr. McCartney:

The U.S. Nuclear Regulatory Commission has issued the enclosed Amendment Nos.252 and 256 to Renewed Facility Operating License Nos. DPR-24 and DPR-27 for the Point Beach Nuclear Plant (Point Beach), Units 1 and 2, respectively. The amendment consists of changes to the facility operating license in response to your application dated July 18, 2014 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML14202A574).

The application was subsequently amended by letter dated November 7, 2014, (ADAMS Accession No. ML14314A188) to include Enclosure 4, which is a publicly-available version of to the letter dated July 18, 2014. Enclosure 1 to the letter dated July 18, 2014, contained sensitive unclassified, non-safeguards information and is withheld from public disclosure in accordance with Title 10 of the Code of Federal Regulations (10 CFR)

Section 2.390(d)(1 ).

The amendment revises the schedule for full implementation of the cyber security plan and revises Paragraph 4.D of Facility Operating License Nos. DPR-24 and DPR-27 for Point Beach Nuclear Plant, Units 1 and 2, respectively.

A copy of our related safety evaluation is also enclosed. The Notice of Issuance will be included in the Commission's biweekly Federal Register notice.

Docket Nos. 50-266 and 50-301

Enclosures:

1. Amendment No. 252 to DPR-24

2. Amendment No. 256 to DPR-27

3. Safety Evaluation cc w/encls: Distribution via ListServ Sincerely, Mahesh L. Chawla, Project Manager Plant Licensing Branch 111-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 NEXTERA ENERGY POINT BEACH, LLC DOCKET NO. 50-266 POINT BEACH NUCLEAR PLANT, UNIT 1 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 252 Renewed License No. DPR-24

1.

The U.S. Nuclear Regulatory Commission (the Commission) has found that:

A.

The application for amendment by NextEra Energy Point Beach, LLC (the licensee), dated July 18, 2014, as supplemented by letter dated November 7, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I; B.

The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C.

There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D.

The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E.

The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

2.

Accordingly, paragraph 4.D of Renewed Facility Operating License No. DPR-24 is hereby amended to read as follows:

D. Physical Protection NextEra Energy Point Beach shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans, including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Point Beach Nuclear Plant Physical Security Plan, (Revision 4),"

submitted by letter dated May 10, 2006. NextEra Energy Point Beach, LLC shall fully implement and maintain in effect all provisions of the Commission-approved Point Beach Nuclear Plant Cyber Security Plan (CSP), including changes made pursuant to the authority of 1 O CFR 50.90 and 10 CFR 50.54(p). The NextEra Energy Point Beach CSP was approved by License Amendment No. 243 as supplemented by changes appr9ved in License Amendment No. 247 and License Amendment No. 252.

3.

This license amendment is effective as of the date of issuance. Full implementation of the CSP shall be in accordance with the implementation schedule submitted by the licensee on July 18, 2014, and approved by the NRC staff with this license amendment.

All subsequent changes to the NRG-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90.

Attachment:

Changes to the Renewed Facility Operating License Date of issuance: Ju 1 y 14, 2015 FOR THE NUCLEAR REGULATORY COMMISSION Da

. Pelton, Chief Plant Licensing Branch 111-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 NEXTERA ENERGY POINT BEACH, LLC DOCKET NO. 50-301 POINT BEACH NUCLEAR PLANT, UNIT 2 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 256 Renewed License No. DPR-27

1.

The U.S. Nuclear Regulatory Commission (the Commission) has found that:

A.

The application for amendment by NextEra Energy Point Beach, LLC (the licensee), dated July 18, 2014, as supplemented by letter dated November 7, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I; B.

The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C.

There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D.

The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E.

The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

2.

Accordingly, paragraph 4.D of Renewed Facility Operating License No. DPR-27 is hereby amended to read as follows:

D. Physical Protection NextEra Energy Point Beach shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans, including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Point Beach Nuclear Plant Physical Security Plan, (Revision 4),"

submitted by letter dated May 10, 2006. NextEra Energy Point Beach, LLC shall fully implement and maintain in effect all provisions of the Commission-approved Point Beach Nuclear Plant Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NextEra Energy Point Beach CSP was approved by License Amendment No. 247 as supplemented by changes approved in License Amendment No. 251 and License Amendment No. 256.

3.

This license amendment is effective as of the date of issuance. Full implementation of the CSP shall be in accordance with the implementation schedule submitted by the licensee on July 18, 2014, and approved by the NRC staff with this license amendment.

All subsequent changes to the NRG-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90.

Attachment:

Changes to the Renewed Facility Operating License Date of issuance: Ju 1 y 14, 2015 David L. P It n, Chief Plant Licensing Branch 111-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

ATTACHMENT TO LICENSE AMENDMENT NO. 252 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-24 AND LICENSE AMENDMENT NO. 256 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-27 DOCKET NOS. 50-266 AND 50-301 Replace the following page of Renewed Facility Operating License Nos. DPR-24 and DPR-27 with the attached revised page. The revised page is identified by amendment number and contains marginal lines indicating the area of change.

Renewed Facility Operating License REMOVE INSERT D. Physical Protection NextEra Energy Point Beach shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans, including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Point Beach Nuclear Plant Physical Security Plan, (Revision 4)," submitted by letter dated May 10, 2006. NextEra Energy Point Beach, LLC shall fully implement and maintain in effect all provisions of the Commission-approved Point Beach Nuclear Plant Cyber Security Plan (CSP),

including changes made pursuant to the authority of 1 O CFR 50.90 and 10 CFR 50.54(p ). The NextEra Energy Point Beach CSP was approved by License Amendment No. 243 as supplemented by changes approved by License Amendment No. 247 and License Amendment No. 252.

E. Safety Injection Logic The licensee is authorized to modify the safety injection actuation logic and actuation power supplies and related changes as described in licensee's application for amendment dated April 27, 1979, as supplemented May 7, 1979. In the interim period until the power supply modification has been completed, should any DC powered safety injection actuation channel be in a failed condition for greater than one hour, the unit shall thereafter be shutdown using normal procedures and placed in a block-permissive condition for safety injection actuation.

F. NextEra Energy Point Beach shall implement and maintain in effect all provisions of the approved fire protection program as described in the FSAR for the facility and as approved in the Safety Evaluation Report dated August 2, 1979 (and Supplements dated October 21, 1980, January 22, 1981, and July 27, 1988) and the safety evaluation issued January 8, 1997, for Technical Specification Amendment No. 170, subject to the following provision:

NextEra Energy Point Beach may make changes to the approved fire protection program without prior approval of the Commission only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire.

G. Secondary Water Chemistry Monitoring Program NextEra Energy Point Beach shall implement a secondary water chemistry monitoring program to inhibit steam generator tube degradation. This program shall include:

1. Identification of a sampling schedule for the critical parameters and control points for these parameters;

2. Identification of the procedures used to quantify parameters that are critical to control points;

3. Identification of process sampling points;

4. Procedure for the recording and management of data; Renewed License No. DPR-24 Amendment No. 252 D. Physical Protection NextEra Energy Point Beach shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans, including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 1 O CFR 50.54(p ). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Point Beach Nuclear Plant Physical Security Plan, (Revision 4)," submitted by letter dated May 10, 2006. NextEra Energy Point Beach, LLC shall fully implement and maintain in effect all provisions of the Commission-approved Point Beach Nuclear Plant Cyber Security Plan (CSP),

including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NextEra Energy Point Beach CSP was approved by License Amendment No. 247 as supplemented by changes approved by License Amendment No. 251 and License Amendment No. 256.

E. Safety Injection Logic The licensee is authorized to modify the safety injection actuation logic and actuation power supplies and related changes as described in licensee's application for amendment dated April 27, 1979, as supplemented May 7, 1979. In the interim period until the power supply modification has been completed, should any DC powered safety injection actuation channel be in a failed condition for greater than one hour, the unit shall thereafter be shut down using normal procedures and placed in a block-permissive condition for safety injection actuation.

F. NextEra Energy Point Beach shall implement and maintain in effect all provisions of the approved fire protection program as described in the FSAR for the facility and as approved in the Safety Evaluation Report dated August 2, 1979 (and Supplements dated October 21, 1980, January 22, 1981, and July 27, 1988) and the safety evaluation issued January 8, 1997, for Technical Specifications Amendment No. 17 4, subject to the following provision:

NextEra Energy Point Beach may make changes to the approved fire protection program without prior approval of the Commission only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire.

G. Secondary Water Chemistry Monitoring Program NextEra Energy Point Beach shall implement a secondary water chemistry monitoring program to inhibit steam generator tube degradation. This program shall include:

1. Identification of a sampling schedule for the critical parameters and control points for these parameters;

2. Identification of the procedures used to quantify parameters that are critical to control points;

3. Identification of process sampling points; Renewed License No. DPR-27 Amendment No. 256

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NOS. 252 AND 256 TO RENEWED FACILITY OPERATING LICENSE NOS. DPR-24 AND DPR-27 NEXTERA ENERGY POINT BEACH, LLC POINT BEACH NUCLEAR PLANT, UNITS 1 AND 2 DOCKET NOS. 50-266 AND 50-301

1.0 INTRODUCTION

By application dated July 18, 2014, (Agencywide Documents Access and Management System (ADAMS) Accession No. ML14202A574), as supplemented by letter dated November 7, 2014 (ADAMS Accession No. ML14314A188), NextEra Energy Point Beach, LLC, (the licensee) requested a change to the renewed facility operating license (FOL) for the Point Beach Nuclear Power Plant, Units 1 and 2 (Point Beach or PBNP). The supplement provided a publicly-available (redacted) version of Enclosure 1 to the letter dated July 18, 2014, did not expand the scope of the application as originally noticed, and did not change the staff's original proposed no significant hazards consideration determination as published in the Federal Register on January 6, 2015 (80 FR 536).

The proposed change would revise the date of Cyber Security Plan (CSP) Implementation Schedule Milestone 8 and the existing license conditions in the facility operating license.

Milestone 8 of the CSP implementation schedule concerns the full implementation of the CSP.

2.0 REGULATORY EVALUATION

The U.S. Nuclear Regulatory Commission (NRG) staff reviewed and approved the licensee's existing CSP implementation schedule by License Amendment No. 243 to renewed FOL No.

DPR-24 for Point Beach Nuclear Plant, Unit 1, and License Amendment No. 247 to renewed FOL DPR-27 for Point Beach Nuclear Plant, Unit 2. concurrent with the incorporation of the CSP into the facilities' current licensing bases (ADAMS Accession No. ML111740077). The NRG staff considered the following regulatory requirements and guidance in its review of the current license amendment request to modify the existing CSP implementation schedule:

Title 1 O of the Code of Federal Regulations (CFR) Part 73 54, "Protection of digital computer and communication systems and networks, states, in part:

Each [CSP] submittal must include a proposed implementation schedule.

Implementation of the licensee's cyber security program must be consistent with the approved schedule.

The license condition in the FOL Paragraph 4.D requires the licensee to fully implement and maintain in effect all provisions of the Commission-approved CSP:

NextEra Energy Point Beach, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

Review criteria provided by the NRC staff's internal memorandum, "Review Criteria for Title 10 of the Code of Federal Regulations Part 73.54, Cyber Security Implementation Schedule Milestone 8 License Amendment Requests," dated October 24, 2013 (ADAMS Accession No. ML13295A467), to consider during evaluations of licensees' requests to postpone their cyber security program implementation date (commonly known as Milestone 8).

The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that "implementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRC staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML110980538), the implementation of the plan, including the key intermediate milestone dates and the full implementation date shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. All subsequent changes to the NRC-approved CSP implementation schedule, thus, will require prior NRC approval as required by 10 CFR 50.90.

3.0 TECHNICAL EVALUATION

The NRC staff issued Amendment No. 243 to renewed FOL DPR-24 for Point Beach Unit 1, and Amendment No. 247 to renewed FOL DPR-27 for Point Beach Unit 2, on July 21, 2011. The NRC staff also approved the licensee's CSP implementation schedule, as discussed in the safety evaluation issued with the amendment (ADAMS Accession No. ML111740077). The implementation schedule had been submitted by the licensee based on a template prepared by NEI [Nuclear Energy Institute], which the NRC staff found acceptable for licensees to use to develop their CSP implementation schedules (ADAMS Accession No. ML110600218). The licensee's proposed implementation schedule for the Cyber Security Program identified completion dates and bases for the following eight milestones:

1. Establish the Cyber Security Assessment Team (CSAT);

2. Identify Critical Systems (CSs) and Critical Digital Assets (CDAs);

3. Install a deterministic one-way device between lower level devices and a firewall between higher level devices;

4. Implement the security control "Access Control For Portable And Mobile Devices;"

5. Implement observation and identification of obvious cyber-related tampering to existing insider mitigation rounds;

6. Identify, document, and implement cyber security controls in accordance with "Mitigation of Vulnerabilities and Application of Cyber Security Controls" for CDAs that could adversely impact the design function of physical security target set equipment;

7. Ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented;

8. Fully implement the CSP.

3.1 Licensee's Requested Change Currently, Milestone 8 of the licensee's CSP requires NextEra Energy Point Beach, LLC to fully implement the CSP by December 31, 2015. In its application dated July 18, 2014, NextEra Energy Point Beach, LLC requested to change the Milestone 8 completion date to December 31, 2017.

The licensee submitted its application on July 18, 2014, after the staff developed guidance to evaluate requests to postpone Milestone 8 implementation dates on October 24, 2013 (ADAMS Accession No. ML13295A467). The licensee provided the following information for each of the criteria identified in the NRC guidance as follows.

1)

Identification of the specific requirement or requirements of the cyber security plan that the licensee needs additional time to implement.

The licensee stated the CSP requirement requiring additional time to implement is CSP 3.1, "Analyzing Digital Computer Systems and Networks and Applying Cyber Security Controls,"

including CDA assessment work, remediation activities, change management, and training on new programs, processes and procedures.

The rate of completion of CDA assessment does not support Milestone 8 completion within the current implementation date.

2)

Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.

The licensee noted there is a large volume of effort associated with documentation of CDA assessment and analysis. The licensee provided the following details:

a)

CDA assessment work is resource intensive.

Point Beach Nuclear Plant, Units 1 and 2 have approximately 969 CDAs.

Assessment is challenging.

NextEra underestimated the level of effort necessary to address security controls.

Rework is a major concern since resources are allocated in advance, based on the defined scope.

NextEra underestimated the level of effort necessary to address security controls.

b)

Remediation activities need to be carefully considered.

Security controls modifications are unique and new to the plant and suppliers.

Plant modifications must be carefully implemented to ensure they do not impact plant safety and operation.

c)

Change Management Challenges Cyber security is challenging because it integrates into day-to-day plant operations, maintenance, engineering, and procurement activities.

Integration of cyber security controls is taking longer than expected due to impacts on the work control process and maintenance activities.

There is added burden on maintenance to address security control integrity during maintenance work on CDAs.

Cyber security for plant CDAs is new, and the security controls being implemented on the plant CDAs are new to Maintenance, System Engineering, and Operations.

The Work Control Planners are challenged by the nuances associated with cyber security controls.

Modifications must be implemented cautiously to ensure safe, reliable operation of plant equipment Training and qualifications of maintenance technicians is a challenge.

Plant modifications that added cyber security controls have created new change management challenges.

d)

Training on new programs, processes and procedures The site training needs and schedules need to be revised and training resources need to be addressed.

3)

A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available.

NextEra is requesting a change to the PBNP CSP Milestone 8 completion date from December 31, 2015, to December 31, 2017. The licensee is requesting the extension in order to complete CDA assessments, implement design modifications for mitigations based on assessment analysis results, update existing procedures, and develop new procedures to complete full implementation of the CSP. The licensee did not request any other change to the CSP other than date change for Milestone 8.

The revised Milestone 8 date will encompass five refueling outages (two for Unit 2 and three for Unit 1 ), which will provide adequate time to plan and schedule implementation of design changes identified as the result of CDA assessments.

4)

An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall cyber security program in the context of milestones already completed.

NextEra indicated that, based on the CSP program implementation activities already completed, and activities currently in progress, it "is secure and will.continue to ensure that digital computer and communications systems and networks are adequately protected against cyber-attacks during implementation of the remainder of the program by the proposed Milestone 8 date of December 31, 2017." The licensee stated that "completed activities provide a high degree of protection against cyber-attacks while NextEra implements the full CSP." The licensee provided details about implementation of each milestone.

5)

A description of the licensee's methodology for prioritizing completion of work for critical digital assets associated with significant safety consequences and with reactivity effects in the balance of plant.

The licensee stated that its methodology for prioritizing Milestone 8 activities is centered on considerations for safety, security, EP [emergency preparedness], and BOP [balance of plant]

(continuity of power) consequences. The methodology is based on defense in depth, installed configuration of the CDA, and susceptibility of the five commonly identified threat vectors listed in the NRC Security Significance Determination Process (SDP). Prioritization of CDA assessments begins with safety-related CDAs and continues through the lower priority non-safety-related and EP CDAs as follows:

Safety Related CDAs Security CDAs Important to safety CDAs (including BOP CDAs that directly impact continuity of power and control system CDAs),

Non-safety related and EP CDAs.

6)

A discussion of the licensee's cyber security program performance up to the date of the license amendment request.

The licensee stated that Milestones 1 through 7 were completed by December 31, 2012, and any identified discrepancies are being addressed through the corrective action program (CAP).

These actions provide a high degree of protection against cyber-attacks until the full program is implemented.

The licensee stated that it completed a comprehensive self-assessment for Milestones 1 through 7 to ensure completeness and effectiveness. The self-assessment issues were placed in the CAP and addressed for program improvement. It also stated that ongoing monitoring and periodic actions provide continuing program performance monitoring.

7)

A discussion of cyber security issues pending in the licensee's corrective action program.

The licensee stated that it uses the site CAP to document cyber issues in order to trend, correct, and improve NextEra's cyber security program. The CAP database documents and tracks from initiation through closure, all cyber security required actions including issues identified during on-going program assessment activities. Adverse trends are monitored for program improvement and addressed via the CAP process. The licensee provided examples of issues and activities in the CAP.

8)

A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.

The licensee provided a brief discussion of a completed modification and pending modifications. These are consistent with the discussions about the other criteria provided above and the licensee CSP.

3.2

NRC Staff Evaluation

The NRC staff has evaluated the licensee's application using the regulatory requirements and guidance discussed in Section 2.0 of this safety evaluation. The NRC staff's evaluation is below.

The licensee stated in its application that the large number of CDAs (969) is a primary reason that an extension is needed for the Milestone 8 implementation date. The NRC staff has had extensive interaction with the nuclear industry since licensees first developed their CSP implementation schedules. Based on this interaction, the NRC staff recognizes that CDA assessment work is much more complex and resource intensive than originally anticipated and that the licensee has a large number of additional tasks not originally considered when developing its CSP implementation schedule. There are implementation challenges caused by the need to address security controls for each CDA. Thus, the NRC staff concludes that the licensee will not be able to fully implement its CSP by December 31, 2015. Delaying final implementation of the CSP will provide the time required to complete the implementation safely and thoroughly.

The licensee indicated in its application that completed activities associated with the CSP, as described in Milestones 1 through 7, provide a high degree of protection and that the most significant digital computer and communication systems and networks associated with safety, security, and emergency preparedness systems are already protected against cyber-attacks.

The licensee described activities completed for each milestone. As a result, the NRC staff finds that the licensee's sites are more secure after implementation of Milestones 1 through 7, because the activities the licensee completed will mitigate the most significant cyber-attack vectors for the most significant CDAs.

In addition, the NRC staff finds that the licensee is using the tools at its disposal to implement and verify and improve the CSP. The licensee's application describes a functioning CAP and the examples provided therein reflect the implementation and evolution of the CSP. The NRC staff finds that the licensee's progress toward full implementation is reasonable and that impact of the requested additional implementation time on the effectiveness of the overall CSP is being effectively managed. Therefore, the NRC staff finds that the proposed change is acceptable.

3.3 Technical Evaluation Conclusion

The NRC staff concludes that the licensee's request to delay full implementation of its CSP until December 31, 2017, is acceptable for the following reasons: (1) implementation of Milestones 1 through 7 provides significant protection against cyber-attacks; (2) the scope of the work required to come into full compliance with the CSP implementation schedule was much more complex and resource intensive than anticipated and not reasonably foreseeable when the CSP implementation schedule was originally developed; and (3) the licensee is utilizing tools to sufficiently manage the impact of the requested additional implementation time on the overall CSP. The NRC staff also concludes that, upon full implementation of the licensee's cyber security program, the requirements of the licensee's CSP and 10 CFR 73.54 will be met.

3.4 Revision to License Condition 4. D By letter dated July 18, 2014, the licensee proposed to modify Paragraph 4.0 of renewed FOL Nos. DPR-24 and DPR-27, which provide license conditions to require the licensee to fully implement and maintain in effect all provisions of the NRC-approved CSP.

The current license condition in Paragraph 4.D of renewed FOL No. DPR-24 for Point Beach Nuclear Plant, Unit 1 states, in part:

NextEra Energy Point Beach, LLC shall fully implement and maintain in effect all provisions of the Commission-approved Point Beach Nuclear Plant Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NextEra Energy Point Beach CSP was approved by License Amendment No. 243 as supplemented by a change approved by License Amendment No. 247.

The license condition in Paragraph 4. D of renewed FOL No. DPR-24 for Point Beach Nuclear Plant, Unit 1 is modified, in part as follows:

NextEra Energy Point Beach, LLC shall fully implement and maintain in effect all provisions of the Commission-approved Point Beach Nuclear Plant Cyber Security Plan (CSP), including changes made pursuant to the authority of 1 O CFR 50.90 and 10 CFR 50.54(p). The NextEra Energy Point Beach CSP was approved by License Amendment No. 243 as supplemented by changes approved in License Amendment No. 247 and License Amendment No. 252.

The current license condition in Paragraph 4. D of renewed FOL No. DPR-27 for Point Beach Nuclear Plant, Unit 2 states, in part:

NextEra Energy Point Beach, LLC shall fully implement and maintain in effect all provisions of the Commission-approved Point Beach Nuclear Plant Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NextEra Energy Point Beach CSP was approved by License Amendment No. 247 as supplemented by a change approved by License Amendment No. 251.

The license condition in Paragraph 4. D of renewed FOL No. DPR-27 for Point Beach Nuclear Plant, Unit 2 is modified, in part as follows:

NextEra Energy Point Beach, LLC shall fully implement and maintain in effect all provisions of the Commission-approved Point Beach Nuclear Plant Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NextEra Energy Point Beach CSP was approved by License Amendment No. 247 as supplemented by changes approved in License Amendment No. 251 and License Amendment No. 256.

4.0 STATE CONSULTATION

In accordance with the Commission's regulations, the Wisconsin State official was notified of the proposed issuance of the amendments. The State official had no comments.

5.0 ENVIRONMENTAL CONSIDERATION

These amendments relate solely to safeguards matters and do not involve any significant construction impacts. These amendments are an administrative change to extend the date by which the licensee must have its CSP fully implemented. The Commission has previously published a proposed finding that these amendments involve no significant hazards consideration and there has been no public comment on such finding (80 FR 536). Accordingly, these amendments meet the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(12). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of this amendment.

6.0 CONCLUSION

The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributor: J. Rycyna, NSIR Date: July 14, 2015

ML15155A539

• via email OFFICE DORL/LPL3-1 /PM DORL/LPL3-1 /LA NSIR/CSD*

NAME MChawla (ABaxter for) MHenderson BWestreich DATE 6/11 /2015 6/09/2015 5/18/2015 OFFICE OGC DORL/LPL3-1 /BC DORL/LPL3-1 /PM NAME Dlenehan DPelton MChawla DATE 6/30/2015 7/14/2015 7/14/2015