Issuance of Amendment Nos. 255 and 303 Cyber Security Plan Implementation Schedule

ML16027A109
Person / Time
Site:	Arkansas Nuclear   (DPR-051, NPF-006)
Issue date:	02/24/2016
From:	Andrea George Plant Licensing Branch IV
To:	Entergy Operations
George A, NRR-DORL 415-1081
References
CAC MF6258, CAC MF6259
Download: ML16027A109 (18)
v • d • e

Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 Vice President, Operations Arkansas Nuclear One Entergy Operations, Inc.

1448 S.R. 333 Russellville, AR 72802 R:bn.my 24, 2016

SUBJECT:

ARKANSAS NUCLEAR ONE, UNITS 1 AND 2 - ISSUANCE OF AMENDMENTS RE: CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE (CAC NOS. MF6258 AND MF6259)

Dear Sir or Madam:

The U.S. Nuclear Regulatory Commission has issued the enclosed Amendment Nos. 255 and 303 to Renewed Facility Operating License Nos. DPR-51 and NPF-6, respectively, for Arkansas Nuclear One (ANO), Units 1 and 2. The amendments consist of changes to the facility operating licenses in response to your application dated May 20, 2015. The amendments approve the revised schedule for full implementation of the ANO Cyber Security Plan.

A copy of our related Safety Evaluation is also enclosed. The Notice of Issuance will be included in the Commission's next biweekly Federal Register notice.

Docket Nos. 50-313 and 50-368

Enclosures:

1. Amendment No. 255 to DPR-51

2. Amendment No. 303 to NPF-6

3. Safety Evaluation cc w/encls: Distribution via Listserv Sincerely, Andrea E. George, Project Manager Plant Licensing IV-2 and Decommissioning Transition Branch Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 ENTERGY OPERATIONS. INC.

DOCKET NO. 50-313 ARKANSAS NUCLEAR ONE. UNIT 1 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 255 Renewed License No. DPR-51

1.

The Nuclear Regulatory Commission (the Commission) has found that:

A.

The application for amendment by Entergy Operations, Inc. (the licensee), dated May 20, 2015, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I; B.

The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission;.

C.

There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D.

The issuance of this license amendment will not be inimical to the common defense and security or to the health and safety of the public; and E.

The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

2.

Accordingly, the license is amended as indicated in the attachment to this license amendment, and paragraph 2.c.(4) of Renewed Facility Operating License No. DPR-51 is hereby amended to read, in part, as follows:

EOI shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The EOI CSP was approved by License Amendment No. 244 as supplemented by changes approved by License Amendment Nos. 247, 251, and 255.

3.

The license amendment is effective as of its date of issuance and shall be implemented within 30 days from the date of issuance. The full implementation of the CSP shall be in accordance with the implementation schedule submitted by the licensee on May 20, 2015, and approved by the NRC staff with this license amendment. All subsequent changes to the NRG-approved CSP implementation schedule will require NRC approval pursuant to 10 CFR 50.90.

Attachment:

Changes to the Renewed Facility Operating License No. DPR-51 Date of Issuance: R:h.t.ary 24, 2016 FOR THE NUCLEAR REGULATORY COMMISSION

/-"'\\

~)~

Meena K. Khanna, Chief Plant Licensing IV-2 and Decommissioning Transition Branch Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

ATTACHMENT TO LICENSE AMENDMENT NO. 255 RENEWED FACILITY OPERATING LICENSE NO. DPR-51 DOCKET NO. 50-313 Replace the following page of the Renewed Facility Operating License No. DPR-51 with the attached revised page. The revised page is identified by amendment number and contains marginal lines indicating the areas of change.

Operating License REMOVE INSERT EOI shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 1 O CFR 50.90 and 10 CFR 50.54(p).

The EOI CSP was approved by License Amendment No. 244 as supplemented by changes approved by License Amendment Nos. 247, 251, and 255.

(5)

Implementation of the Improved Technical Specifications (ITS)

The licensee is authorized to relocate certain Technical Specification requirements previously included in Appendix A to licensee controlled documents, as described in Table R, Relocated Specifications, and Table LA, Removal of Details, attached to the Safety Evaluation for Amendment No. 215. These requirements shall be relocated to the appropriate documents as part of the implementation of the ITS.

The schedule for performing Surveillance Requirements (SRs) that are new or revised in Amendment No. 215 shall be as follows:

1.

For SRs that are new in this amendment, the first performance shall be due at the end of the first surveillance interval, which begins on the date of implementation of this amendment.

2.

For SRs that existed prior to this amendment whose intervals of performance are being reduced, the first reduced surveillance interval shall begin upon completion of the first surveillance performed after implementation of this amendment.

3.

For SRs that existed prior to this amendment that contained modified acceptance criteria, the performance shall be due at the end of the first surveillance interval that began on the date the surveillance was last performed prior to the implementation of this amendment.

4.

For SRs that existed prior to this amendment whose interval of performance are being extended, the first extended surveillance interval shall begin upon completion of the last surveillance performed prior to the implementation of this amendment.

(6)

Deleted (7)

Deleted Renewed License No. DPR-51 Amendment No. 215, 244, 247, 251 255

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 ENTERGY OPERATIONS. INC.

DOCKET NO. 50-368 ARKANSAS NUCLEAR ONE. UNIT 2 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 303 Renewed License No. NPF-6

1.

The Nuclear Regulatory Commission (the Commission) has found that:

A.

The application for amendment by Entergy Operations, Inc. (the licensee), dated May 20, 2015, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I; B.

The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C.

There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D.

The issuance of this license amendment will not be inimical to the common defense and security or to the health and safety of the public; and E.

The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

2.

Accordingly, the license is amended as indicated in the attachment to this license amendment, and paragraph 2.D of Renewed Facility Operating License No. NPF-6 is hereby amended to read, in part, as follows:

EOI shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The EOI CSP was approved by License Amendment No. 294 as supplemented by changes approved by License Amendment Nos. 295, 298, and 303.

3.

The license amendment is effective as of its date of issuance and shall be implemented within 30 days from the date of issuance. The full implementation of the CSP shall be in accordance with the implementation schedule submitted by the licensee on May 20, 2015, and approved by the NRC staff with this license amendment. All subsequent changes to the NRG-approved CSP implementation schedule will require NRC approval pursuant to 10 CFR 50.90.

Attachment:

Changes to the Renewed Facility Operating License No. NPF-6 Date of Issuance: FEbnmy 24, 2016 FOR THE NUCLEAR REGULA TORY COMMISSION LYYI~

Meena K. Khanna, Chief Plant Licensing IV-2 and Decommissioning Transition Branch Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

ATTACHMENT TO LICENSE AMENDMENT NO. 303 RENEWED FACILITY OPERATING LICENSE NO. NPF-6 DOCKET NO. 50-368 Replace the following page of the Renewed Facility Operating License No. NPF-6 with the attached revised page. The revised page is identified by amendment number and contains marginal lines indicating the areas of change.

Operating License REMOVE INSERT 8

(iii)

Actions to minimize release to include consideration of:

1.

Water spray scrubbing

2.

Dose to onsite responders (11)

Upon implementation of Amendment 288 adopting TSTF-448, Revision 3, the determination of control room envelope (CRE) unfiltered air inleakage as required by SR 4.7.6.1.2.d, in accordance with Specifications 6.5.12.c.(i),

6.5.12.c.(ii), and 6.5.12.d, shall be considered met. Following implementation:

(i)

The first performance of SR 4.7.6.1.2.d, in accordance with Specification 6.5.12.c.(i), shall be within 15 months of the approval of TSTF-448. SR 4.0.2 will not be applicable to this first performance.

(ii)

The first performance of the periodic assessment of CRE habitability, Specification 6.5.12.c.(ii), shall be within 15 months of the approval of TSTF-448. SR 4.0.2 will not be applicable to this first performance.

(iii)

The first performance of the periodic measurement of CRE pressure, Specification 6.5.12.d, shall be within 15 months of the approval of TSTF-448. SR 4.0.2 will not be applicable to this first performance.

D.

Physical Protection EOI shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans, including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains Safeguards Information protected under 10 CFR 73.21, is entitled: "Arkansas Nuclear One Physical Security, Safeguards Contingency and Training & Qualification Plan," as submitted on May 4, 2006.

EOI shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The EOI CSP was approved by License Amendment No. 294 as supplemented by changes approved by License Amendment Nos. 295, 298, and 303.

E.

This renewed license is subject to the following additional condition for the protection of the environment:

Before engaging in additional construction or operational activities which may result in an environmental impact that was not evaluated by the Commission, EOI will prepare and record an environmental evaluation for such activity. When the evaluation indicates that such activity may result in a significant adverse Renewed License No. NPF-6 Amendment No. 288, 294, 295, 298, 300 303

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NOS. 255 AND 303. RESPECTIVELY. TO RENEWED FACILITY OPERATING LICENSE NOS. DPR-51 AND NPF-6

1.0 INTRODUCTION

ENTERGY OPERATIONS. INC.

ARKANSAS NUCLEAR ONE. UNITS 1 AND 2 DOCKET NOS. 50-313 AND 50-368 By letter dated May 20, 2015 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML15140A611 ), Entergy Operations, Inc. (Entergy, the licensee) requested a change to the renewed facility operating license for Arkansas Nuclear One (ANO),

Units 1 and 2.

The proposed change would revise the date of Cyber Security Plan (CSP) Implementation Schedule Milestone 8 and paragraphs 2.c.(4) and 2.D, respectively, in the renewed facility operating licenses (FOLs) for ANO, Units 1 and 2. Milestone 8 of the CSP implementation schedule concerns the full implementation of the CSP.

2.0 REGULATORY EVALUATION

The U.S. Nuclear Regulatory Commission (NRC) staff reviewed and approved the licensee's existing CSP implementation schedule for ANO, Units 1 and 2, by letter dated December 8, 2014, Amendment Nos. 251 and 298, respectively (ADAMS Accession No. ML14322A206),

concurrent with the incorporation of the CSP into the facility's current licensing basis. The NRC staff considered the following regulatory requirements and guidance in its review of the license amendment request to modify the existing CSP implementation schedule:

Title 10 of the Code of Federal Regulations (10 CFR), Section 73.54, "Protection of digital computer and communication systems and networks," which states, in part:

Each [CSP] submittal must include a proposed implementation schedule.

Implementation of the licensee's cyber security program must be consistent with the approved schedule.

The licensee's renewed FOL includes a license condition that requires the licensee to fully implement and maintain in effect all provisions of the Commission-approved CSP.

Review criteria provided by the NRC staff's internal memorandum, "Review Criteria for Title 10 of the Code of Federal Regulations Part 73.54, Cyber Security Implementation Schedule Milestone 8 License Amendment Requests," dated October 24, 2013 (ADAMS Accession No. ML13295A467), to be considered for evaluating licensees' requests to postpone their cyber security program implementation date (commonly known as Milestone 8).

The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that states, "[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRC staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML110980538), the implementation of the plan, including the key intermediate milestone dates and the full implementation date shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. All subsequent changes to the NRC-approved CSP implementation schedule, thus, will require prior NRC approval as required by 10 CFR 50.90.

3.0 TECHNICAL EVALUATION

3.1 Licensee's Requested Change The NRC staff issued Amendment Nos. 251 and 298 to renewed FOLs DPR-51 and NPF-6, respectively for ANO, Units 1 and 2, by letter dated December 8, 2014. These amendments approved the CSP and associated implementation schedule, and added a license condition to each respective renewed FOL requiring the licensee to fully implement and maintain the Commission-approved CSP. The implementation schedule was based on a template prepared by the Nuclear Energy Institute (NEI), which was transmitted to the NRC by letter dated February 28, 2011 (ADAMS Accession No. ML110600206). By letter dated March 1, 2011, the NRC staff found the NEI template acceptable for licensees to use to develop their CSP implementation schedules (ADAMS Accession No. ML110070348). The licensee's proposed implementation schedule for the Cyber Security Program identified completion dates and bases for the following eight milestones:

1) Establish the Cyber Security Assessment Team (CSAT);

2) Identify Critical Systems (CSs) and Critical Digital Assets (CDAs);

3) Install deterministic one-way devices between lower level devices and higher level devices;

4) Implement the security control "Access Control For Portable And Mobile Devices";

5) Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds by incorporating the appropriate elements;

6) Identify, document, and implement technical cyber security controls in accordance with Mitigation of Vulnerabilities and Application of Cyber Security Controls for CDAs that could adversely impact the design function of physical security target set equipment;

7) Ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented;

8) Fully implement the CSP.

Currently, Milestone 8 of the ANO, Units 1 and 2, CSP requires the licensee to fully implement the CSP by June 30, 2016. By letter dated May 20, 2015, the licensee proposed to modify the Milestone 8 completion date to December 15, 2017.

The licensee provided the following information pertinent to each of the criteria identified in the NRC guidance memorandum dated October 24, 2013.

1.

Identification of the specific requirement or requirements of the cyber security plan that the licensee needs additional time to implement.

The licensee stated that the requirements of the CSP that needed additional time to implement are: Section 3, "Analyzing Digital Computer Systems and Networks," and Section 4, "Establishing, Implementing, and Maintaining the Cyber Security Program." These CSP requirements are listed in Nuclear Energy Institute (NEI) 08-09, Revision 6, "Cyber Security Plan for Nuclear Power Reactors" (ADAMS Accession No. ML101180437), Appendices D and E. It further noted that these sections describe requirements for application and maintenance of cyber security controls and described the process of addressing security controls.

2.

Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.

In its letter dated May 20, 2015, the licensee stated, in part:

Entergy hosted a "pilot" Milestone 8 inspection at the Indian Point site in March 2014. During the pilot, insight was gained into the NRC [staff's position]

on how to apply the cyber security controls listed in NEI 08-09, Revision 6....

During the pilot inspection, the NRC team reviewed several examples of critical digital assets (CDAs) with Entergy and indicated the level of detail and depth expected for the technical analyses against the cyber security controls referenced in NEI 08-09. Based on this review, it is evident to Entergy that the detail and depth of the technical analysis exceeds Entergy's prior understanding and requires a considerably greater effort to achieve than initially anticipated.

During 2015, each operating Entergy licensee [underwent] an inspection of compliance with interim Milestones 1 through 7. The preparation for and support of these inspections has required a significant commitment of time from Entergy's most knowledgeable subject matter experts on nuclear cyber security, exceeding the estimate previously developed, and therefore, drawing those resources away from the Milestone 8 implementation activities.

3.

A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available.

The licensee proposed a Milestone 8 completion date of December 15, 2017.

4.

An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall cyber security program in the context of milestones already completed.

In its letter dated May 20, 2015, the licensee stated, in part:

The impact of the requested additional implementation time on the effectiveness of the overall cyber security program is considered to be very low, because the Interim Milestones already completed have resulted in a high degree of protection of safety-related, important-to-safety, and security CDAs against

[common] threat vectors.... Additionally, extensive physical and administrative measures are already in place for CDAs [because they are plant components],

pursuant to the Physical Security Plan and Technical Specification requirements.

The licensee also included a discussion regarding the actions already taken to implement Milestones 1 through 7 at ANO.

5.

A description of the licensee's methodology for prioritizing completion of work for critical digital assets associated with significant safety consequences and with reactivity effects in the balance of plant.

In its letter dated May 20, 2015, the licensee stated, in part:

Because CDAs are plant components, prioritization follows the normal work management process that places the highest priority on apparent conditions adverse to quality in system, structure, and component design function and related factors such as safety risk and nuclear defense-in-depth, as well as threats to continuity of electric power generation in the balance of plant (BOP).

The licensee also stated that it has maintained a high level of focus on prompt attention to any emergent issue with those CDAs (encompassing those associated with physical security target sets) that would potentially challenge the established cyber protective barriers.

6.

A discussion of the licensee's cyber security program performance up to the date of the license amendment request.

The licensee stated that there has been no identified compromise of a safety, security, and emergency preparedness (SSEP) function. The licensee also stated that a quality assurance (QA) audit was conducted in the fourth quarter of 2014 that included a review of the cyber security program implementation. The licensee stated that there were no significant findings related to overall cyber security program performance and effectiveness.

7.

A discussion of cyber security issues pending in the licensee's corrective action program (CAP).

In its letter dated May 20, 2015, the licensee stated, in part:

No significant (with 'significant' meaning constituting a threat to a CDA via cyber means or calling into question program effectiveness) nuclear cyber security issues are currently pending in the CAP. Several non-significant issues identified during the QA audit described above and identified during NRC inspections of compliance with nuclear cyber security Interim Milestones 1 through 7 have been entered into CAP. However, when the Reference 4 internal NRC memorandum was shared with Entergy, the actions described regarding cyber security Interim Milestone 4 were entered into CAP for evaluation by the CSA T.

8.

A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.

The licensee discussed completed modifications and pending modifications.

3.2

NRC Staff Evaluation

The NRC staff has evaluated the licensee's application using the regulatory requirements and guidance above. The NRC staff's evaluation is below. The NRC staff finds that the actions the licensee noted as being required to implement the CSP, Section 3, "Analyzing Digital Computer Systems and Networks" and Section 4, "Establishing, Implementing and Maintaining the Cyber Security Program," are reasonable as discussed below.

The licensee indicated that completion of the activities associated with the CSP, as described in Milestones 1 through 7 was prior to December 31, 2012, and provide a high degree of protection to ensure that the most significant digital computer and communication systems and networks associated with SSEP functions are protected against cyber attacks. The NRC staff concludes that the licensee's site is more secure after the implementation of Milestones 1 through 7 because the activities the licensee has completed mitigate the most significant cyber attack vectors for the most significant CDAs. Therefore, the NRC has reasonable assurance that full implementation of the CSP by December 15, 2017, will provide adequate protection of the public health and safety and the common defense and security.

The licensee stated that the detail and depth of the technical analysis needed for full implementation of the CSP exceeds its prior understanding and requires a considerably greater effort to achieve than initially anticipated. The NRC staff recognizes that CDA assessment work to include application of controls is much more complex and resource intensive than originally anticipated, in part, due to the NRC expanding the scope of the cyber security requirements to include BOP. As a result, the licensee has a large number of additional tasks not originally considered when developing its CSP implementation schedule. The NRG staff concludes that the licensee's request for additional time to implement Milestone 8 is reasonable given the unanticipated complexity and scope of the work required to fully implement the CSP.

The licensee proposed a Milestone 8 completion date of December 15, 2017. The licensee stated that changing the completion date of Milestone 8 allows for the considerably greater effort required to fully implement the CSP than initially anticipated. The licensee stated its methodology for prioritizing Milestone 8 activities is centered on considerations for SSEP and BOP (continuity of power) consequences. The NRC staff concludes that based on the large number of additional tasks described above and the limited resources with the appropriate expertise to perform these activities, that the licensee's methodology for prioritizing work on CDAs is appropriate. The NRC staff further concludes that the licensee's request to delay final implementation of the CSP until December 15, 2017, is reasonable given the complexity of the remaining unanticipated work.

3.3 Technical Evaluation Conclusion

The NRC staff concludes that the licensee's request to delay full implementation of its CSP until December 15, 2017, is reasonable for the following reasons: (i) the licensee's implementation of Milestones 1 through 7 provides mitigation for significant cyber attack vectors for the most significant CDAs as discussed in the staff evaluation above; (ii) the scope of the work required to come into full compliance with the CSP implementation schedule was much more complicated than anticipated and not reasonably foreseeable when the CSP implementation schedule was originally developed; and (iii) the licensee has reasonably prioritized and scheduled the work required to come into full compliance with its CSP implementation schedule.

3.4 Revision to License Conditions By letter dated May 20, 2015, the licensee proposed to modify paragraph 2.c.(4) of Renewed FOL No. DPR-51 for ANO, Unit 1, and to modify paragraph 2. D of Renewed FOL No. NFP-6 for ANO, Unit 2, which provide license conditions to require the licensee to fully implement and maintain in effect all provisions of the Commission-approved CSP.

The current license condition in paragraph 2.c.(4) of Renewed FOL No. DPR-51 for ANO, Unit 1, states, in part:

EOI shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 1 O CFR 50.90 and 10 CFR 50.54(p). The EOI CSP was approved by License Amendment No. 244 as supplemented by changes approved by License Amendment Nos. 247 and 251.

The revised license condition in paragraph 2.c.(4) of Renewed FOL No. DPR-51 for ANO, Unit 1, is modified as follows:

EOI shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The EOI CSP was approved by License Amendment No. 244 as supplemented by changes approved by License Amendment Nos. 247, 251, and 255.

The current license condition in paragraph 2.0 of Renewed FOL No. NPF-6 for ANO, Unit 2, states, in part:

EOI shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The EOI CSP was approved by License Amendment Nos. 295 and 298.

The revised license condition in paragraph 2.D of Renewed FOL No. NPF-6 for ANO, Unit 2, is modified as follows:

EOI shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The EOI CSP was approved by License Amendment Nos. 295, 298, and 303.

Based on the information in Section 3.0 of this safety evaluation and the modified license conditions described above, the NRC staff concludes these changes are acceptable.

4.0 REGULATORY COMMITMENTS By letter dated May 20, 2015, the licensee made the following regulatory commitment:

Full implementation of Arkansas Nuclear One Cyber Security Plan for all safety, security, and emergency preparedness functions will be achieved.

Scheduled Completion Date: December 15, 2017 The above stated commitment is consistent with the revised Milestone 8 implementation date proposed by the licensee and evaluated by the NRC staff.

5.0 STATE CONSULTATION

In accordance with the Commission's regulations, the Arkansas State official was notified of the proposed issuance of the amendments. The State official had no comments.

6.0 ENVIRONMENTAL CONSIDERATION

These amendments to 1 O CFR Part 50 licenses relate solely to safeguards matters and do not involve any significant construction impacts. These amendments are administrative changes to extend the date by which the licensee must have its CSP fully implemented.

Accordingly, the amendments meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(12). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendments.

7.0 CONCLUSION

The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributor: J. Rycyna, NSIR/CSD Date: FEi:nmy 24, 2016

ML16027A109 OFFICE NRR/DORL/LPL4-2/PM NAME A George DATE 2/1/16 OFFICE OGC NAME JBielecki DATE 2/16/16 Sincerely, IRA/

Andrea E. George, Project Manager Plant Licensing IV-2 and Decommissioning Transition Branch Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation RidsNrrLAPBlechman Resource RidsNrrPMANO Resource RidsRgn4MailCenter Resource RidsNsirCsd Resource JRycyna, NSIR/CSD

• via email NRR/DORL/LPL4-2/LA PBlechman 1/29/16 NSIR/CSD*

JAndersen 12/9/15 NRR/DORL/LPL4-2/BC NRR/DORL/LPL4-2/PM MKhanna A George 2/24/16 2/24/16