ML15351A065
Person / Time | |
---|---|
Issue date: | 12/21/2015 |
From: | Andersen J Office of Nuclear Security and Incident Response |
To: | Earls C Nuclear Energy Institute |
LEE, ERIC | |
Text
December 21, 2015

Christopher E. Earls, Sr. Director
Engineering and Licensing
Nuclear Energy Institute
1201 F Street NW, Ste 1100
Washington, DC 20004

SUBJECT: NUCLEAR ENERGY INSTITUTE 13-10, CYBER SECURITY CONTROL ASSESSMENTS, REVISION 4, DATED NOVEMBER 2015
Dear Mr. Earls:
In your letter dated November 30, 2015 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML15338A277), you requested that the U.S. Nuclear Regulatory Commission (NRC) staff review and endorse the Nuclear Energy Institute's (NEI's) guidance document NEI 13-10, Cyber Security Control Assessments, Revision 4, dated November 2015 (ADAMS ML15338A276). The purpose of Revision 4 is to incorporate additional critical digital asset (CDA) classes and assessments into Appendix D, building on the work added in Revision 2.
The NRC found NEI 13-10, Revision 3 acceptable for use in a letter dated September 11, 2015 (ADAMS Accession No. ML15247A148). The primary focus of Revision 3 was to incorporate guidance to address those digital assets associated with balance of plant (BOP) that are not relied upon to mitigate accidents or transients (i.e., equipment and systems that are not used to support the emergency operating procedures); or the BOP CDA's failure or cyber compromise does not prevent safety-related structures, systems, and components from fulfilling their safety-related functions. Any CDAs that are not determined to be BOP CDAs can be evaluated as described in Section 3 of NEI 13-10 to determine whether the CDA is direct or indirect.
The NRC staff completed its review of the additional CDA classes and their assessments were incorporated into Appendix D of NEI 13-10. The staff's review was based on Regulatory Guide 5.71 Cyber Security Programs for Nuclear Facilities, Revision 0, dated January 2010, and NEI 08-09 Cyber Security Plan for Nuclear Power Reactors, Revision 6, dated April 2010, which are the bases for the licensees' cyber security plans. Based on the review, the staff concluded that NEI 13-10, Revision 4 is acceptable for use by licensees to address the required security controls provided in their cyber security plans. The security controls provided in Appendix D and certain security controls provided in Appendix E of NEI 08-09 are evaluated for six different classes of direct CDAs in Revision 4 of NEI 13-01. These security controls are determined to be technical security controls.
Therefore, as stated in NEI 13-10, Section 3, any Appendix E security controls not addressed by the cyber assessments for the six different classes of direct CDAs that are incorporated in Revision 4 must be addressed programmatically in accordance with Section 3.1.6 of the cyber security plan for all CDAs, both direct and indirect. The licensees' use of NEI 13-10 to implement cyber security programs to comply with their NRC-approved cyber security plans is subject to NRC inspections.
Please contact Russell Felts at (301) 287-3734 or Eric Lee at (301) 287-3461 if you have any questions.
Sincerely,
/RA/
James Andersen, Director
Cyber Security Directorate
Office of Nuclear Security and Incident Response

ML15351A065

OFFICE | CSD/NSIR | DD:CSD/NSIR | CSD/NSIR | D:CSD/NSIR |
---|---|---|---|---|
NAME | E. Lee | R. Felts | C. Pantalo | J. Andersen |
DATE | 12/17/15 | 12/17/15 | 12/17/15 | 12/21/15 |