LTR-15-0424 - San Onofre Nuclear Generating Station, Units 2 and 3 - Issuance of Amendments to Revise the Cyber Security Plan Milestone 8 Completion Date in the Facility Operating Licenses

ML15209A935
Person / Time
Site:	San Onofre
Issue date:	10/01/2015
From:	Vaaler M Reactor Decommissioning Branch
To:	Thomas J. Palmisano Southern California Edison Co
Wengert T
References
LTR-15-0424, TAC MF5191, TAC MF5192
Download: ML15209A935 (20)
v • d • e

Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 October 1, 2015 Mr. Thomas J. Palmisano Vice President and Chief Nuclear Officer Southern California Edison Company San Onofre Nuclear Generating Station P.O. Box 128 San Clemente, CA 92674-0128

SUBJECT:

SAN ONOFRE NUCLEAR GENERATING STATION, UNITS 2 AND 3-ISSUANCE OF AMENDMENTS TO REVISE THE CYBER SECURITY PLAN MILESTONE 8 COMPLETION DATE IN THE FACILITY OPERATING LICENSES (TAC NOS. MF5191 AND MF5192)

Dear Mr. Palmisano:

The U.S. Nuclear Regulatory Commission (NRC) has issued the enclosed Amendment No. 231 to Facility Operating License (FOL) No. NPF-10 and Amendment No. 224 to FOL No. NPF-15 for San Onofre Nuclear Generating Station, Units 2 and 3, respectively. The amendments consist of changes to the FOLs in response to your application dated November 12, 2014, as supplemented by letter dated August 27, 2015.

The amendments approve a revised schedule for implementation of the cyber security plan (CSP) Milestone 8 and revises paragraph 2. E for each of the FOLs. The CSP and associated implementation schedule for SONGS, Units 2 and 3, were previously approved by the NRC staff by letter dated July 28, 2011.

The NRC staff has determined that its documented safety evaluation does not contain Sensitive Security-Related information pursuant to Title 10 of the Code of Federal Regulations (10 CFR)

Section 2.390, "Public inspections, exemptions, requests for withholding." By e-mail dated September 18, 2015, the NRC gave Southern California Edison (SCE) the opportunity to comment on any sensitive aspects of the safety evaluation. By e-mail dated September 22, 2015, SCE responded, stating that it concurred with the NRC staff's determination that the safety evaluation does not contain Sensitive Security-related information pursuant to 10 CFR 2.390.

T. Palmisano A copy of our related Safety Evaluation is also enclosed. The Notice of Issuance will be included in the Commission's next biweekly Federal Register notice.

Marlayna G. Vaaler, Project Manager Reactor Decommissioning Branch Division of Decommissioning, Uranium Recovery and Waste Programs Office of Nuclear Material Safety and Safeguards Docket Nos. 50-361 and 50-362

Enclosures:

1. Amendment No. 231 to NPF-10

2. Amendment No. 224 to NPF-15

3. Safety Evaluation cc w/encls: Distribution via Listserv

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SOUTHERN CALIFORNIA EDISON COMPANY SAN DIEGO GAS AND ELECTRIC COMPANY THE CITY OF RIVERSIDE. CALIFORNIA DOCKET NO. 50-361 SAN ONOFRE NUCLEAR GENERATING STATION, UNIT 2 AMENDMENT TO FACILITY OPERATING LICENSE Amendment No. 231 License No. NPF-10

1. The Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by Southern California Edison Company, et al.

(SCE or the licensee), dated November 12, 2014, as supplemented by letter dated August 27, 2015, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

Enclosure 1

2. Accordingly, Facility Operating License No. NPF-10 is amended by changing the last sentence of paragraph 2.E to read as follows:

The SONGS CSP was approved by License Amendment No. 225, as supplemented by a change approved by License Amendment 231.

3. This license amendment is effective as of the date of its issuance and shall be implemented within 30 days of issuance but no later than December 31, 2015.

FOR THE NUCLEAR REGULATORY COMMISSION Bruce A. Watson, Chief Reactor Decommissioning Branch Division of Decommissioning, Uranium Recovery and Waste Programs Office of Nuclear Material Safety and Safeguards

Attachment:

Changes to Facility Operating License No. NPF-10 Date of lssuance:0ctober 1 , 2015

ATTACHMENT TO LICENSE AMENDMENT NO. 231 FACILITY OPERATING LICENSE NO. NPF-10 DOCKET NO. 50-361 Replace the following page of the Facility Operating License No. NPF-1 O with the attached revised page. The revised page is identified by amendment number and contains a marginal line indicating the area of change.

Facility Operating License REMOVE INSERT E. SCE shall fully implement and maintain in effect all provisions of the Commission- approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21 is entitled: "San Onofre Nuclear Generating Station Security, Training and Qualification, and Safeguards Contingency Plan, Revision 2" submitted by letter dated May 15, 2006. SCE shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The SONGS CSP was approved by License Amendment No. 225, as supplemented by a change approved by License Amendment No. 231.

F. This license is subject to the following additional condition for the protection of the environment:

Before engaging in activities that may result in a significant adverse environmental impact that was not evaluated or that is significantly greater than that evaluated in the Final Environmental Statement, SCE shall provide a written notification of such activities to the NRC Office of Nuclear Reactor Regulation and receive written approval from that office before proceeding with such activities.

G. DELETED H. SCE shall notify the Commission, as soon as possible but not later than one hour, of any accident at this facility which could result in an unplanned release of quantities of fission products in excess of allowable limits for normal operation established by the Commission.

I. SCE shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims.

J. Deleted

• On September 29, 1983, the Safeguards Contingency Plan was made a separate, companion document to the Physical Security Plan pursuant to the authority of 10 CFR 50.54.

Amendment No. 231

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SOUTHERN CALIFORNIA EDISON COMPANY SAN DIEGO GAS AND ELECTRIC COMPANY THE CITY OF RIVERSIDE. CALIFORNIA DOCKET NO. 50-362 SAN ONOFRE NUCLEAR GENERATING STATION. UNIT 3 AMENDMENT TO FACILITY OPERATING LICENSE Amendment No. 224 License No. NPF-15

1. The Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by Southern California Edison Company, et al.

(SCE or the licensee), dated November 12, 2014, as supplemented by letter dated August 27, 2015, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

Enclosure 2

2. Accordingly, Facility Operating License No. NPF-15 is amended by changing the last sentence of paragraph 2.E to read as follows:

The SONGS CSP was approved by License Amendment No. 218, as supplemented by a change approved by License Amendment 224.

3. This license amendment is effective as of the date of its issuance and shall be implemented within 30 days of issuance but no later than December 31, 2015.

FOR THE NUCLEAR REGULATORY COMMISSION Bruce A. Watson, Chief Reactor Decommissioning Branch Division of Decommissioning, Uranium Recovery and Waste Programs Office of Nuclear Material Safety and Safeguards

Attachment:

Changes to the Facility Operating License No. NPF-15 Date of lssuance:October 1 , 2015

ATTACHMENT TO LICENSE AMENDMENT NO. 224 FACILITY OPERATING LICENSE NO. NPF-15 DOCKET NO. 50-362 Replace the following page of the Facility Operating License No. NPF-15 with the attached revised page. The revised page is identified by amendment number and contains a marginal line indicating the area of change.

Facility Operating License REMOVE INSERT Report. These exemptions are authorized by law and will not endanger life or property or the common defense and security and are otherwise in the public interest. Therefore, these exemptions are hereby granted. The facility will operate, to the extent authorized herein, in conformity with the application, as amended, the provisions of the Act, and the regulations of the Commission.

E. SCE shall fully implement and maintain in effect all provisions of the Commission- approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21 is entitled: "San Onofre Nuclear Generating Station Security, Training and Qualification, and Safeguards Contingency Plan, Revision 2" submitted by letter dated May 15, 2006. SCE shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The SONGS CSP was approved by License Amendment No. 218, as supplemented by a change approved by License Amendment No. 224.

F. This license is subject to the following additional condition for the protection of the environment:

Before engaging in activities that may result in a significant adverse environmental impact that was not evaluated or that is significantly greater than that evaluated in the Final Environmental Statement, SCE shall provide a written notification of such activities to the NRC Office of Nuclear Reactor Regulation and receive written approval from that office before proceeding with such activities.

G. DELETED H. SCE shall notify the Commission, as soon as possible but not later than one hour, of any accident at this facility which could result in an unplanned release of quantities of fission products in excess of allowable limits for normal operation established by the Commission.

I. SCE shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims.

• On September 29, 1983, the Safeguards Contingency Plan was made a separate, companion document to the Physical Security Plan pursuant to the authority of 10 CFR 50.54.

Amendment No. 224 Revised by letter dated March 6, 2007

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 231 TO FACILITY OPERATING LICENSE NO. NPF-10 AND AMENDMENT NO. 224 TO FACILITY OPERATING LICENSE NO. NPF-15 SOUTHERN CALIFORNIA EDISON COMPANY SAN DIEGO GAS AND ELECTRIC COMPANY THE CITY OF RIVERSIDE. CALIFORNIA SAN ONOFRE NUCLEAR GENERATING STATION. UNITS 2 AND 3 DOCKET NOS. 50-361 AND 50-362

1.0 INTRODUCTION

By letter dated June 12, 2013 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML131640201), Southern California Edison (SCE, the licensee) submitted a certification to the U.S. Nuclear Regulatory Commission (NRC) indicating its intention to permanently cease power operations at San Onofre Nuclear Generating Station (SONGS), Units 2 and 3 as of June 7, 2013, pursuant to Title 10 of the Code of Federal Regulations (10 CFR) paragraph 50.82(a)(1)(i). By letters dated June 28, 2013 (ADAMS Accession No. ML13183A391), and July 22, 2013 (ADAMS Accession No. ML13204A304), SCE submitted certifications of permanent removal of fuel from the Unit 3 and Unit 2 reactor vessels as of October 5, 2012, and July 18, 2013, respectively, pursuant to 10 CFR 50.82(a)(1 )(ii).

Upon docketing of these certifications, and pursuant to 10 CFR 50.82(a)(2), the SONGS Units 2 and 3 facility operating licenses no longer authorize operation of the reactors or emplacement or retention of fuel into the reactor vessels. Spent fuel is currently stored onsite in the spent fuel pools (SFPs) and in the onsite independent spent fuel storage installation (ISFSI).

By application dated November 12, 2014 (ADAMS Accession No. ML14321A015), as supplemented by letter dated August 27, 2015 (ADAMS Accession No. ML15246A465), the licensee requested a change to the facility operating licenses (FOLs) for SONGS, Units 2 and 3.

The proposed change would revise the date of Cyber Security Plan (CSP) Implementation Schedule Milestone 8 and the existing license conditions in the FOLs. Milestone 8 of the CSP implementation schedule concerns the full implementation of the CSP.

Enclosure 3

Portions of the letter dated November 12, 2014, contain sensitive unclassified non-safeguards information and, accordingly, those portions have been withheld from public disclosure in accordance with 10 CFR 2.390(d)(1 ). The accession number above refers to the publicly available redacted version.

The supplement dated August 27, 2015, provided additional information that clarified the application, did not expand the scope of the application as originally noticed, and did not change the staff's original proposed no significant hazards consideration determination as published in the Federal Registeron April 7, 2015 (80 FR 18659).

2.0 REGULATORY EVALUATION

The NRG staff had previously reviewed and approved the licensee's CSP implementation schedule in License Amendment Nos. 225 and 218 to the licenses for SONGS Units 2 and 3, respectively (ADAMS Accession No. ML111960323), concurrently with the incorporation of the CSP into the facilities' current licensing bases.

The NRG staff considered the following regulatory requirements and guidance in its review of the November 12, 2014, application to modify the existing CSP implementation schedule:

(1) The regulations in 10 CFR 73.54, "Protection of digital computer and communication systems and networks, state, in part, that: "Each [CSP] submittal must include a proposed implementation schedule. Implementation of the licensee's cyber security program must be consistent with the approved schedule."

(2) Amendment Nos. 225 and 218 for SONGS Units 2 and 3, respectively, dated July 28, 2011, which approved the licensee's CSP and implementation schedule, added the following text to the operating licenses for SONGS Units 2 and 3: "SCE shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p)."

(3) In a publicly-available NRG memorandum from R. Felts to B. Westreich, dated October 24, 2013 (ADAMS Accession No. ML13295A467), the NRC staff listed criteria to consider during evaluations of licensees' requests to postpone their cyber security program implementation date (commonly known as Milestone 8). See Section 3.1, below, for details of these criteria.

(4) The NRG staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that states, in part, "[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRG staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML110980538), the implementation of the plan, including the key intermediate milestone dates and the full implementation date shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRG. All subsequent changes to the NRG-approved CSP implementation

schedule, thus, will require prior NRC approval as required by 10 CFR 50.90, "Application for amendment of license, construction permit, or early site permit."

3.0 TECHNICAL EVALUATION

3.1 Licensee's Requested Change By License Amendment Nos. 225 (for Unit 2) and 218 (for Unit 3), the NRC staff approved the licensee's CSP implementation schedule, as discussed in the safety evaluation issued concurrently with the amendment. The implementation schedule had been submitted by the licensee based on a template prepared by the Nuclear Energy Institute (NEI) (ADAMS Accession No. ML110600218), which the NRC staff found acceptable (letter, R. P. Correia to C. E. Earls, March 1, 2011; ADAMS Accession No. ML110070348) for licensees to use to develop their CSP implementation schedules. The licensee's proposed implementation schedule for the SONGS CSP identified completion dates and bases for the following eight milestones:

1) Establish the Cyber Security Assessment Team (CSAT);

2) Identify Critical Systems (CSs) and Critical Digital Assets (CDAs);

3) Install a deterministic one-way device between lower level devices and higher level devices;

4) Implement the security control "Access Control For Portable And Mobile Devices";

5) Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds;

6) Identify, document, and implement cyber security controls in accordance with "Mitigation of Vulnerabilities and Application of Cyber Security Controls" for CDAs that could adversely impact the design function of physical security target set equipment;

7) Ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented; and

8) Fully implement the CSP.

Currently, Milestone 8 of the licensee's CSP requires SCE to fully implement the CSP by December 31, 2015. In its November 12, 2014, application, SCE requested to change the Milestone 8 completion date to December 31, 2017.

The licensee's application addressed each of the criteria identified in the NRC's October 24, 2013, guidance memorandum cited in Section 2.0, above.

1) Identification of the specific requirement or requirements of the cyber security plan that the licensee needs additional time to implement

The licensee stated that the specific CSP requirements requiring additional time to implement is CSP 3.1, "Analyzing Digital Computer Systems and Networks and Applying Cyber Security Controls." The licensee provided a list of major activities required to implement the CSP requirements, including:

• Develop implementing procedures

• Resolution of change management challenges

• Training on new programs, processes, and procedures

2) Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified The licensee stated that it is experiencing challenges with full implementation of Milestone 8, and provided the following details:

• There are currently approximately 3350 CDAs at SONGS. SONGS expects to reduce the number of CDAs to approximately 1350 over the next year as a result of the decision to decommission the plant. Analyzing the changes and completing assessments to determine which CSs/CDAs will remain or need to be removed from the cyber security program adds work that was not considered when SONGS submitted the original Implementation Milestone 8 completion date. Scheduling of the changes to the critical systems adds uncertainty, creating delays in completing assessments of approximately 2000 CDAs that may require removal from the program and regulatory control.

• The large volume of effort associated with documentation of CDA assessment and analysis using the deterministic process in Cyber Security Plan, Section 3.1. More than 600 security controls must be addressed for each of SONGS remaining CDAs (i.e., those remaining after retirement, reconfiguration, and replacement of existing CSs at the plant discussed in the previous bullet). Each CDA assessment package is required to be reviewed and approved by the Cyber Security Assessment Team.

The rate of completion of CDA assessments does not support Implementation Milestone 8 completion by the current completion date.

• Detailed design plans for the changes to the station due to decommissioning are not complete. This lack of detailed design plans presents challenges to the scheduling and performance of cyber security control assessment and implementation work. CSs identified for retirement may not be fully retired by the original Implementation Milestone 8 completion date. Without approval of an extension to the final completion date for Implementation Milestone 8, SONGS would be required to assess and mitigate those CSs planned for retirement that are not fully retired by the original Milestone 8 completion date. Assessment and mitigation of CSs that are planned for retirement do not add to the security of the

station. This would divert cyber security protection activities from the new CSs being installed and from systems that will remain CSs.

• Emergency response facilities and equipment will change significantly to transition to the Permanently Defueled Emergency Plan (PDEP), which was approved by the NRC on June 5, 2015 (ADAMS Accession No. ML15126A461 ).

3) A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available The licensee proposed a Milestone 8 completion date of December 31, 2017, in order to complete the CDA assessments, implement design modifications based on assessment results, update existing procedures, develop new program procedures, and provide training to complete full implementation of the cyber security program. The licensee stated that the revised completion date will help to avoid the diversion of resources to assess and mitigate those CSs slated for retirement that are not fully retired by the original completion date.

4) An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall cyber security program in the context of milestones already completed The licensee stated that, based on the cyber security implementation activities already completed, and completion of activities already in progress, SONGS is secure and SCE will continue to ensure that digital computer and communication systems and networks are adequately protected against cyber attacks during implementation of the remainder of the program by the proposed Milestone 8 date of December 31, 2017. The licensee stated that the implementation of the completed milestones provides a high degree of protection against cyber attacks while SONGS implements the full program. The licensee provided details about the implementation of each milestone.

5) A description of the licensee's methodology for prioritizing completion of work for critical digital assets associated with significant safety security, or emergency preparedness consequences and with reactivity effects in the balance of plant The licensee stated that its methodology for prioritizing the SONGS Milestone 8 activities is based on considerations for safety, security, and emergency preparedness (EP) consequences. The methodology is based on defense-in-depth, installed configuration of the CDA, and susceptibility to commonly identified threat vectors.

Prioritization of CDA assessment begins with safety-related CDAs and continues through the lower priority nonsafety-related and EP CDAs, as follows:

• Safety-related CDAs

• Physical security CDAs

• Important-to-safety CDAs

• Non-safety-related CDAs and EP CDAs

6) A discussion of the licensee's cyber security program performance up to the date of the license amendment request The licensee stated that the Interim Milestones 1 through 7 activities completed by December 31, 2012, provide a high degree of protection against cyber security related attacks during implementation of the full program. The licensee provided discussions concerning the implementation of completed milestones and further discussed the April 15, 2013 (ADAMS Accession No. ML13105A433), inspection report prepared by the NRC concerning the SONGS Implementation of Milestones 1 through 7. A single licensee-identified violation was listed in the inspection report; however, the NRC determined the violation to be of very low security significance and it was treated as a noncited violation. Inspection observations were entered into the SONGS corrective action program (CAP). An independent self-assessment of the program for Implementation Milestones 1 through 7 has been performed; SCE will enter into the SONGS CAP all identified findings and recommendations. On-going monitoring and time-based periodic actions provide continuing program performance monitoring.

7) A discussion of cyber security issues pending in the licensee's corrective action program The licensee stated that the SONGS CAP is used to document cyber issues to trend, correct, and improve the SONGS cyber security program. The CAP database documents and tracks, from initiation through closure, all cyber security required actions, including issues identified during on-going program assessment activities.

Adverse trends are monitored for program improvement and addressed via the CAP process. The licensee also provided examples of issues and activities pending in the CAP.

8) A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications The licensee provided a brief discussion of completed modifications and pending modifications.

3.2 NRC Staff Evaluation The NRC staff evaluated the licensee's application using the regulatory requirements and the guidance cited in Section 2.0 of this safety evaluation.

The licensee stated that the CSP requirement regarding additional time to implement is found in CSP Section 3.1, ':A.nalyzing Digital Computer Systems and Networks Applying Cyber Security Controls." The licensee provided a list of additional activities required to implement the CSP requirement.

The licensee indicated in its application that completed activities associated with the CSP, as described in Milestones 1through7, and completed prior to December 31, 2012, provide a high degree of protection and that the most significant digital computer and communication systems

and networks associated with safety, security, and emergency preparedness systems are already protected against cyber attacks while SONGS implements the full program. The licensee also detailed activities completed for each milestone and provided details about the completed milestones and elements. On such bases, the NRC staff finds that the licensee's site is much more secure after implementation of Milestones 1 through 7, because the activities that the licensee completed will mitigate the most significant cyber attack vectors for the most significant CDAs.

The licensee proposed a Milestone 8 completion date of December 31, 2017. The NRC staff has had extensive interaction with the nuclear industry since licensees first developed their CSP implementation schedules. Based on this interaction, the NRC staff recognizes that CDA assessment work is much more complex and resource-intensive than originally anticipated. In addition, the licensee has a large number of additional tasks that it did not consider when it originally developed its CSP implementation schedule. Based on this, the NRC staff concludes that the licensee's request for additional time to implement Milestone 8 is reasonable, given the unanticipated complexity and scope of the work required to come into full compliance with its CSP.

The licensee stated that its methodology for prioritizing the SONGS CSP Milestone 8 activities is centered on considerations for safety, security, and EP consequences. The methodology is based on defense-in-depth, installed configuration of the CDA, and susceptibility to commonly identified threat vectors. Prioritization of CDA assessments begins with safety-related and EP CDAs and continues through the lower priority non-safety-related CDAs. The NRC staff finds that based on the large number of digital assets described above and the limited resources with the appropriate expertise to perform these activities, the licensee's methodology for prioritizing work on CDAs is appropriate. The NRC staff further finds that the licensee's request to delay final implementation of the CSP until December 31, 2017, is reasonable, given the complexity of the remaining unanticipated work and the need to perform certain work, including design changes, during decommissioning activities.

• 3.3 Revision to License Conditions The licensee proposed to modify part of License Condition 2.E of Facility Operating License No. NPF-10, as follows:

SCE shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The SONGS CSP was approved by License Amendment No. 225, as supplemented by a change approved by License Amendment 231.

The licensee proposed to modify part of License Condition 2.E of Facility Operating License No. NPF-15, as follows:

SCE shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The SONGS

CSP was approved by License Amendment No. 218, as supplemented by a change approved by License Amendment 224.

3.4 Summary of Technical Evaluation The NRC staff has determined that the licensee's request to delay full implementation of its CSP until December 31, 2017, is reasonable for the following reasons: (i) the licensee's implementation of Milestones 1 through 7 already provides mitigation for significant cyber attack vectors for the most significant CDAs, as discussed above; (ii) the scope of the work required to come into full compliance with the CSP implementation schedule was much more complicated than anticipated and not reasonably foreseeable when the CSP implementation schedule was originally developed; and (iii) the licensee is utilizing tools to sufficiently manage the impact of the requested additional implementation time on the overall CSP.

Based on its review of the application, the NRC staff concludes that the licensee's implementation of Milestones 1 through 7 has added additional protection that provides mitigation for significant cyber attack vectors for the most significant CDAs, that the licensee's explanation of the need for additional time is compelling, and that it is acceptable for the licensee to complete implementation of Milestone 8, full implementation of the CSP, by December 31, 2017. The NRC staff also concludes that, upon full implementation of the licensee's cyber security program, the requirements of the licensee's CSP and 10 CFR 73.54 will be met. Therefore, the NRC staff finds the proposed change acceptable.

4.0 STATE CONSULTATION

In accordance with the Commission's regulations, the California State official was notified of the proposed issuance of the amendments. The State official provided general comments in a letter dated August 12, 2015 (ADAMS Accession No. ML15226A543). The State's comments are quoted from the body of the letter:

[California Office of Emergency Services'] Radiological Preparedness Unit reviewed the amendment request for comment and found no nuclear power safety issues for California. They reviewed the NRC staff's analyses on the requested amendments and found no reduction in safety could occur from granting the license amendments. The request is administrative and intended to extend the date of implementing a milestone in their cyber security plan.

5.0 ENVIRONMENTAL CONSIDERATION

These amendments of 10 CFR Part 50 licenses relate solely to safeguards matters and do not involve any significant construction impacts. The amendments are administrative changes to extend the date by which the licensee must have its CSP fully implemented. The Commission has previously issued a proposed finding that the amendments involve no significant hazards consideration, and there have been no public comments on such finding, which was published in the Federal Register on April 7, 2015 (80 FR 18659). Accordingly, the amendments meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(12). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of these amendments.

6.0 CONCLUSION

The Commission has concluded, based on the considerations discussed above, that (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributor: John Rycyna, NSIR Date:october 1 , 2015

ML15209A935 *via e-mail OFFICE NRR/DORL/LPLIV-2/PM NRR/DORL/LPLIV-2/LA NSIR/CSD/DD* OGC*

NAME TWengert PBlechman RFelts LLondon - NLO DATE 9/29/2015 9/21/2015 6/10/2015 9/25/2015 OFFICE NRR/DORL/LPLIV-2/BC NMSS/DUWP/RDB/BC NMSS/DUWP/RDB/PM .* .**

NAME MKhanna (JParrott for) BWatson MVaaler DATE 9/28/2015 9/30/2015 10/01/2015  :*.