ML16221A084

From kanterella
Jump to navigation Jump to search
Draft Regulatory Guide DG-5062 - Cyber Security Programs for Nuclear Fuel Cycle Facilities
ML16221A084
Person / Time
Issue date: 08/10/2016
From:
Office of Nuclear Material Safety and Safeguards
To:
Office of Nuclear Material Safety and Safeguards, Office of Nuclear Security and Incident Response
Bartlett M
Shared Package
ML16221A078 List:
References
DG-5062
Download: ML16221A084 (164)


Text

U.S. NUCLEAR REGULATORY COMMISSION August 2016 OFFICE OF NUCLEAR REGULATORY RESEARCH Division 5 DRAFT REGULATORY GUIDE Technical Lead James Downs DRAFT REGULATORY GUIDE DG-5062 (Proposed New Regulatory Guide)

Cyber Security Programs for Nuclear Fuel Cycle Facilities A. INTRODUCTION

`

Purpose This regulatory guide (RG) describes methods and procedures that the staff of the U.S. Nuclear Regulatory Commission (NRC) considers acceptable for establishing, implementing, and maintaining a cyber security program at a nuclear fuel cycle facility (FCF) subject to the requirements in Title 10 of the Code of Federal Regulations (10 CFR), Section 73.53, Requirements for cyber security at nuclear fuel cycle facilities. This RG describes an acceptable approach for meeting the cyber security performance objectives to detect, protect against, and respond to a cyber attack capable of causing a consequence of concern, as well as the development of a cyber security plan and examples for establishing consequence of concern specific cyber security controls. A FCF may use methods and standards other than those described within this RG to meet the Commissions regulations if the chosen measures and standards satisfy the stated regulatory requirements.

Applicability This RG provides guidance for establishing, implementing, and maintaining a cyber security program at a nuclear fuel cycle facility under 10 CFR, Section 73.53, Requirements for cyber security at nuclear fuel cycle facilities.

Applicable Regulations The regulations in 10 CFR Part 73, Physical Protection of Plants and Materials, (Ref. 1),

Section 73.53, Requirements for cyber security at nuclear fuel cycle facilities apply to each applicant or licensee (hereinafter, the applicant and the licensee will be referred to collectively as the licensee) subject to the requirements of 10 CFR 70.60, Applicability, and licensees for conversion or deconversion of uranium hexafluoride licensed under 10 CFR Part 40, Domestic Licensing of Source Material.

  • Section 40.31(n) requires each application for a license to possess source material at a facility for the production, conversion, or deconversion of uranium hexafluoride under 10 CFR Part 40 to include a cyber security plan that demonstrates how the licensee will meet the requirements of 10 CFR 73.53.
  • Section 40.32(h) requires that the licensee shall make no change which would result in a decrease in the effectiveness of the cyber security plan prepared pursuant to 10 CFR 40.31(n) without the DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE prior approval of the Commission. A licensee desiring to make such a change shall submit an application for an amendment to its license pursuant to 10 CFR 40.44.

  • Section 70.32(f) requires that the licensee shall make no change which would result in a decrease in the effectiveness of the cyber security plan prepared pursuant to 10 CFR 70.22(o) without the prior approval of the Commission. A licensee desiring to make such a change shall submit an application for an amendment to its license pursuant to 10 CFR 70.34.
  • Section 73.53 requires licensees to establish, implement, and maintain a cyber security program that shall detect, protect against, and respond to a cyber attack capable of causing a consequence of concern.

Related Guidance RG 5.70, Guidance for the Application of the Theft and Diversion Design-Basis Threat in the Design, Development and Implementation of a Physical Security Program that Meets 10 CFR 73.45 and 73.46 (not in the agencywide documents access and management system (ADAMS) and not publicly available because it contains classified information), further describes the adversary characteristics, tactics, techniques, and procedures to assist Category I FCF licensees to further develop their protective strategies against the design basis threat (DBT). RG 5.70 provides guidance on how site-specific security plans should consider the DBT but does not provide specific countermeasures to a cyber attack (i.e., cyber security controls) for licensees to implement.

Purpose of Regulatory Guides The NRC issues RGs to describe to the public methods that the staff considers acceptable for use in implementing specific parts of the agencys regulations, to explain techniques that the staff uses in evaluating specific problems or postulated accidents, and to provide guidance to licensees. RGs are not substitutes for regulations and compliance with them is not required. Methods and solutions that differ from those set forth in RGs will be deemed acceptable if they provide a basis for the findings required for the issuance or continuance of a permit or license by the Commission.

Paperwork Reduction Act This RG contains and references information collections covered by 10 CFR Sections 40.31(n),

40.32(h), 70.22(o), 70.32(f), 73.53(a), 73.53(e), and 73.53(h) that are subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). These information collections were approved by the Office of Management and Budget (OMB), control numbers 3150-0020, 3150-0009 and 3150-0002.

DG-5062, Page 2 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE Public Protection Notification The NRC may not conduct or sponsor, and a person is not required to respond to, a request for information or an information collection requirement unless the requesting document displays a currently valid OMB control number.

DG-5062, Page 3 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE TABLE OF CONTENTS A. INTRODUCTION .........................................................................................................1 Purpose .....................................................................................................................1 Applicability ............................................................................................................1 Applicable Regulations ............................................................................................1 Related Guidance .....................................................................................................2 Purpose of Regulatory Guides .................................................................................2 Paperwork Reduction Act ........................................................................................2 Public Protection Notification..................................................................................3 B. DISCUSSION ................................................................................................................6 Reason for Development..........................................................................................6 Background ..............................................................................................................6 Harmonization with International Standards .........................................................10 Documents Discussed in Staff Regulatory Guidance ............................................10 C. STAFF REGULATORY GUIDANCE........................................................................11 1 General Requirements ................................................................................11 2 Cyber Security Program Performance Objectives .....................................13 3 Cyber Security Team .................................................................................15 4 Cyber Security Plan ...................................................................................18 5 Consequences of Concern ..........................................................................22 6 Identification of Digital Assets and Support Systems ...............................25 7 Cyber Security Controls .............................................................................29 8 Implementing Procedures and Interim Compensatory Measures ..............33 9 Configuration Management .......................................................................37 10 Biennial Review .........................................................................................39 11 Event Reporting and Tracking ...................................................................40 12 Recordkeeping ...........................................................................................41 D. IMPLEMENTATION ..................................................................................................42 Use by Licensees....................................................................................................42 Use by the NRC Staff ............................................................................................42 GLOSSARY ......................................................................................................................44 REFERENCES ..................................................................................................................45 BIBLIOGRAPHY ..............................................................................................................48 CYBER SECURITY PLAN TEMPLATE............................................ A-1 CYBER SECURITY CONTROLS FOR VITAL DIGITAL ASSETS ASSOCIATED WITH ANY CONSEQUENCE OF CONCERN ....................B-1 ADDITIONAL CYBER SECURITY CONTROLS FOR VITAL DIGITAL ASSETS ASSOCIATED WITH LATENT CONSEQUENCES OF CONCERN - DESIGN BASIS THREAT (CATEGORY I FACILITIES ONLY) ..............................................................................................................C-1 DG-5062, Page 4 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE ADDITIONAL CYBER SECURITY CONTROLS FOR VITAL DIGITAL ASSETS ASSOCIATED WITH LATENT CONSEQUENCES OF CONCERN - SAFEGUARDS (CATEGORY II FACILITIES ONLY) ......... D-1 ADDITIONAL CYBER SECURITY CONTROLS FOR VITAL DIGITAL ASSETS ASSOCIATED WITH ACTIVE CONSEQUENCES OF CONCERN - SAFETY .................................................................................... E-1 ADDITIONAL CYBER SECURITY CONTROLS FOR VITAL DIGITAL ASSETS ASSOCIATED WITH LATENT CONSEQUENCES OF CONCERN - SAFETY & SECURITY............................................................ F-1 DG-5062, Page 5 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE B. DISCUSSION Reason for Development This new RG provides FCFs with an acceptable approach for meeting the requirements of 10 CFR 73.53. It also provides a methodology that licensees may use to establish, implement, and maintain a cyber security program that shall detect, protect against, and respond to a cyber attack capable of causing a consequence of concern. In addition, it provides guidance on how to conduct an analysis to identify digital assets1 associated with a consequence of concern and a process to determine which of those digital assets require protection from cyber attacks. Finally, this RG describes the elements required in a cyber security plan, includes a cyber security plan template (Appendix A), and contains cyber security controls applicable to each type of consequence of concern (Appendices B - F).

Background

In recent years, the threat of cyber attacks has steadily risen, both globally and nationally. The U.S. Government has observed an increase in: 1) the number of cyber attacks; 2) the level of sophistication of such attacks; and 3) the potential for these attacks to impact numerous digital assets, including digital assets used at nuclear FCFs. Additionally, these attacks can be conducted anonymously from remote locations throughout the world.

In response to the terrorist attacks of September 11, 2001, the NRC issued a series of security orders to prevent certain potential consequences from occurring due to a physical attack on FCF licensees.

These orders addressed the threat environment at that time by imposing additional security requirements beyond those in 10 CFR 73.20, 73.40, 73.45, 73.46, and 73.67. The NRC also issued a separate security order to certain FCF licensees governing the protection of certain radiological and hazardous chemicals at their facilities. In addition to physical security requirements, the Interim Compensatory Measures Orders issued to FCF licensees in 2002 and 2003 contained a generic cyber security measure directing licensed facilities to evaluate and address cyber security vulnerabilities. This generic cyber security requirement did not specify or provide guidance on the type of countermeasures to a cyber attack to employ or provide direction or guidance on the establishment of a formal cyber security program at FCF licensees.

Furthermore, the orders provided limited guidance on the implementation of cyber security for safety and security digital assets, focusing on computer systems that conduct and maintain communications during emergency response actions.

In 2007, the Commission promulgated a rulemaking entitled Design Basis Threat (72 Federal Register [FR] 12705), revising 10 CFR 73.1 to explicitly include a cyber attack as an element of the DBT.

The DBT is used by certain licensees to form the basis for site-specific defensive strategies. RG 5.70, Guidance for the Application of the Theft and Diversion Design-Basis Threat in the Design, Development and Implementation of a Physical Security Program that Meets 10 CFR 73.45 and 73.46 (not in ADAMS and not publicly available because it contains classified information), was developed to further describe the adversary characteristics, tactics, techniques, and procedures to assist Category I FCF licensees to further develop their protective strategies against the DBT. This RG provides guidance on how site-specific security plans should consider the DBT but does not provide specific countermeasures to a cyber attack (i.e., cyber security controls) for licensees to implement.

1 For the purposes of this guidance, digital assets are defined as electronic devices or organized collections of devices that either process information, communicate data, or are programmed to manipulate licensee site machinery.

DG-5062, Page 6 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE In March 2009, the NRC further addressed cyber security during publication of the Power Reactor Security Requirements final rule (74 FR 13926). The cyber security requirements for power reactors were placed into a stand-alone section in 10 CFR 73.54. The cyber security rule requires power reactor licensees to provide high assurance that digital computer and communication systems and networks associated with nuclear power reactor safety, security, and emergency preparedness functions are protected from cyber attacks. The development of associated guidance for implementing the requirements in 10 CFR 73.54 resulted in the publication of RG 5.71, Cyber Security Programs for Nuclear Facilities (ADAMS Accession No.: ML090340159).

In June 2012, the NRC staff completed SECY-12-0088, The Nuclear Regulatory Commission Cyber Security Roadmap, which established the NRC staffs approach for evaluating the need for cyber security requirements for the following four categories of NRC licensees and facilities: 1) FCFs; 2) non-power reactors; 3) independent spent fuel storage installations; and 4) byproduct materials licensees. The roadmap reflects a graded approach to developing cyber security requirements commensurate with the inherent nuclear safety and security risks associated with the different types of licensees and facilities.

In 2014, the NRC staff issued SECY-14-0147, Cyber Security for Fuel Cycle Facilities (not publicly available because it contains security-related information, ADAMS Accession No.:

ML14177A264). In SECY-14-0147, the NRC staff concluded that cyber security requirements for FCF licensees need to be addressed because of: 1) an increasing and persistent cyber security threat; 2) the potential exploitation of vulnerabilities through a variety of attack vectors; 3) the inherent difficulty of detecting the compromise of digital assets; and 4) the potential consequences associated with a cyber attack. In the Staff Requirements Memorandum to SECY-14-0147, the Commission directed the NRC staff to proceed directly with a cyber security rulemaking to apply a disciplined, graded approach to the identification of digital assets and a graded, consequence-based approach to their protection. For systems within the scope of 10 CFR 73.53, this RG provides a comprehensive approach to meeting the requirements of 10 CFR 73.53 for cyber security.

This RG provides guidance to assist in the identification of digital assets associated with each type of identified consequence of concern and a process for determining which digital assets must be protected from cyber attacks. Digital assets that must be protected are referred to as vital digital assets (VDAs). In accordance with 10 CFR 73.53(d)(5), FCF licensees must protect VDAs by applying cyber security controls specific to each of the applicable types of consequences of concern. FCF licensees may use the cyber security controls provided in the appendices to this RG or develop their own sets of cyber security controls. Cyber security controls must satisfy the stated regulatory requirements and should be based off industry accepted standards (e.g., National Institute of Standards and Technology (NIST), the joint technical committee of the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC), Control Objectives for Information and Related Technologies, or International Society of Automation).

The RG offers a licensee guidance on addressing the necessary cyber security controls for an existing or new digital asset. This RG was informed by well-known and well-understood sets of cyber security controls from the NIST computer security standards. Application of cyber security controls addresses the cyber security program performance objectives as described in 10 CFR 73.53(b). The RG provides a flexible programmatic approach with which the licensee can successfully establish, maintain, and implement a cyber security program.

This RG provides guidance on the requirements of 10 CFR 73.53. The major sections of the RG are summarized below.

DG-5062, Page 7 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Chapter C, Section 1, General Requirements, provides an overview of the regulatory requirements relevant to cyber security.
  • Chapter C, Section 2, Cyber Security Program Performance Objectives, describes the purpose of the cyber security program. This section explains why the objectives are necessary for FCFs and how the objectives are achieved through implementation of the requirements in 10 CFR 73.53. Additional guidance is provided in Chapter C, Section 2 that describes the detection of a cyber attack capable of causing a consequence of concern. To meet the detection requirement in 10 CFR 73.53(b), the licensee should create a robust detection process that integrates into the management of the cyber security program.

The training and qualifications of the Cyber Security Team (CST) are also provided.

  • Chapter C, Section 4, Cyber Security Plan, describes the documentation licensees must develop to describe the cyber security program and submit to the NRC for review and approval. The cyber security plan references cyber security controls, specific to each type of consequence of concern, which the licensee shall address to protect VDAs.
  • Chapter C, Section 5, Consequences of Concern, describes the minimum thresholds for each type of consequence of concern. A digital asset is vital if its compromise by a cyber attack would result in a consequence of concern. Consequences of concern that are directly caused by a cyber attack are active consequences of concern; consequences of concern that result from a secondary event that exploits the compromise of a digital asset are latent consequences of concern. The four types of consequences of concern are: 1) latent - safety and security; 2) active

- safety; 3) latent - safeguards; and 4) latent - design basis threat. The consequences of concern and their minimum thresholds are defined in 10 CFR 73.53(c).

  • Chapter C, Section 6, Identification of Digital Assets and Support Systems, describes a methodology in which licensees:

o Conduct an analysis to identify digital assets that are associated with a type of consequence of concern; o Evaluate each identified consequence of concern digital asset to determine if an alternate means (which is itself protected from cyber attack) is available to prevent the consequence of concern--if not, the digital asset is considered vital and requires cyber security controls; and o Conduct an additional analysis on each VDA to determine if it is associated with any support systems that, if compromised by a cyber attack, could lead to a consequence of concern. If so, then the associated support system requires cyber security controls.

DG-5062, Page 8 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Chapter C, Section 8, Implementing Procedures and Interim Compensatory Measures, describes the procedures and documentation that must be developed for each VDA. Guidance is provided on the type of information that should be included within the implementing procedures, its intended uses, and the need to maintain them for NRC inspections. This section also describes aspects of interim compensatory measures, including documenting a degraded cyber security control, tracking the interim compensatory measure to completion, and restoring and testing the cyber security control.
  • Chapter C, Section 9, Configuration Management, describes cyber security configuration management and some of the site-wide elements that should be considered.
  • Chapter C, Section 10, Biennial Review, describes the requirements for the biennial review of the cyber security program. The periodic review serves to evaluate the overall effectiveness of the cyber security program.
  • Chapter C, Section 11, Event Reporting and Tracking, describes the event reporting and tracking requirements of 10 CFR 73.53(h).
  • Chapter C, Section 12, Recordkeeping, describes the retention of all records and supporting technical documentation required to satisfy the requirements of the regulation until the Commission terminates the license for which the records were developed.
  • Appendix A, Cyber Security Plan Template, contains a template demonstrating an example of acceptable format and content for the cyber security plan, required to be submitted to the NRC in accordance with 10 CFR 73.53(a). The template can be used by FCF licensees to assist with formatting and capturing the regulatory requirements and to assist the NRC staff with the review process.
  • Appendices B, C, D, E, and F, contain cyber security controls acceptable to the NRC staff for applying to VDAs, specific to each of the types of consequence of concern. A licensee may use these lists of cyber security controls or develop their own using another standard as long as the regulatory requirements of 10 CFR 73.53 are met.

The requirements of 10 CFR 73.53(a) and the template provided in Appendix A of this document, outline timeframes for completing specific milestones associated with this rulemaking. These timeframes are summarized below, in Table B-1.

DG-5062, Page 9 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE TABLE B-1 Milestone Timeframe Licensee submits the cyber security plan, through Within 180 days of publication of the final rule an application for amendment of its license, to the NRC for review The NRC reviews and approves the license Typically within 150 days of submission amendment request and cyber security plan Licensee conducts analyses to identify and Within 4 months of NRC approval of the cyber document each digital asset associated with a security plan consequence of concern and determines: (1)

VDAs and (2) digital assets with an acceptable alternate means Full implementation of the NRC approved cyber Within 12 months of NRC approval of the cyber security plan security plan Harmonization with International Standards The International Atomic Energy Agency (IAEA) established a series of security guides, standards, and technical reports addressing concepts and considerations for achieving a high level of security for protecting people and the environment. IAEA security guides present international good practices and increasingly reflect best practices to help users striving to achieve high levels of security.

Pertinent to this RG, IAEA Nuclear Security Series No.: 17 Computer Security at Nuclear Facilities, issued in December 2011, addresses concepts and considerations for cyber security at nuclear facilities.

IAEA Nuclear Security Series No.: 23-G Implementing Guide Security of Nuclear Information, issued February 2015, addresses steps required to effectively execute an information security plan including cyber security issues. More specifically, the IAEA Nuclear Energy Series Technical Report NP-T-1.13 Technical Challenges in the Application and Licensing of Digital Instrumentation and Control Systems in Nuclear Power Plants, issued November 2015, discusses the challenges of addressing cyber security protections in the context of implementing and maintaining digital instrumentation and control. While these documents do discuss cyber security at length, they are primarily designed for use with nuclear power reactors rather than FCFs. As such, this RG incorporates similar general concepts and is consistent with the basic cyber security principles provided in IAEA Security Guide 17, 23-G, and NP-T-1.13.

The NRC staff also reviewed guidance from ISO/IEC and identified the ISO/IEC 27000 series Information Security Management System (ISMS), Family of Standards. This body of knowledge and guidance, revised in 2016, is designed to provide comprehensive guidance and controls for cyber security and the management of information security risk. ISO/IEC 15408, The Common Criteria for Information Technology Security Evaluation, revised in 2012, is an international standard for cyber security certification for information technology products. Because both standards are designed for organizations and vendors of varying sizes and disciplines they are deliberately broad in scope and not specifically related to the nuclear fuel cycle industry. As a result, this RG incorporates related basic guidance and provides mapping to specific controls and other informative references where appropriate.

Documents Discussed in Staff Regulatory Guidance This RG draws information, in part, from one or more standards and guidance documents developed by the NIST. These standards and guidance documents contain information on the cyber security risk management framework and cyber security controls that a licensee may wish to reference for additional information.

DG-5062, Page 10 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE C. STAFF REGULATORY GUIDANCE 1 General Requirements The regulations in 10 CFR 73.53 identify the requirements needed to meet the cyber security program performance objectives for FCFs. The cyber security program performance objectives are identified in 10 CFR 73.53(b), which requires a licensee to establish, implement, and maintain a cyber security program that shall detect, protect against, and respond to a cyber attack capable of causing a consequence of concern. The rule identifies four types of consequences of concern that establish minimum thresholds for potential events involving radiological and chemical exposures, classified information or matter, special nuclear material (SNM) of moderate strategic significance, and a formula quantity of strategic SNM. These events must be prevented to protect public health and safety and promote the common defense and security. The cyber security program consists of: 1) establishing a CST; 2) developing a site-specific cyber security plan which is submitted to the NRC for review and approval; 3) conducting an analysis to identify digital assets associated with a consequence of concern and evaluating the digital assets to determine if they require protection (i.e., if they are VDAs); 4) applying cyber security controls to VDAs to protect against a consequence of concern; 5) developing implementing procedures for the VDAs and interim compensatory measures (if needed); and 6) managing the cyber security program to detect, protect against, and respond to cyber attacks capable of causing a consequence of concern.

1.1 Cyber Security Team In accordance with 10 CFR 73.53(d)(1), licensees must establish and maintain an adequately structured CST consisting of competently trained and qualified staff. The team should include members who have expertise in cyber security and draw upon staff with safety, security, and safeguards knowledge.

The team must have the appropriate resources available to be effective. The team is responsible for implementing a cyber security program that meets the requirements of 10 CFR 73.53. Additional guidance on the CST is provided in Chapter C, Section 3 of this document.

1.2 Cyber security plan In accordance with 10 CFR 73.53(e), licensees must establish, implement, and maintain a site-specific cyber security plan. Current licensees are required by 10 CFR 73.53(a) to submit, through an application for amendment of their license, a cyber security plan for NRC review and approval. Future applicants are required by 10 CFR 40.31(n) or 70.22(o), as appropriate, to submit a cyber security plan for NRC review and approval as part of their application for license. The cyber security plan should describe the facilitys cyber security program with sufficient detail for the NRC to determine compliance with the regulations in 10 CFR 73.53. To meet the requirements of 10 CFR 73.53(e)(1), the cyber security plan must, at a minimum: 1) document that the CST is adequately structured, staffed, trained, qualified, and equipped to manage the cyber security program and 2) specify the cyber security controls that the licensee will use to protect VDAs from cyber attacks and prevent consequences of concern. Also, in accordance with 10 CFR 73.53(e)(2), the cyber security plan must describe the licensees measures for: 1) management and performance of the cyber security program; and 2) incident response (IR) to a cyber attack affecting VDAs. Upon implementation of the licensees approved cyber security plan, the cyber security program will be inspectable by the NRC for compliance with 10 CFR 73.53. Additional guidance on the cyber security plan is provided in Chapter C, Section 4 of this document. Appendix A of this document, contains a template demonstrating an example of acceptable format and content for the cyber security plan, required to be submitted to the NRC in accordance with 10 CFR 73.53(a).

DG-5062, Page 11 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE 1.3 Identifying digital assets In accordance with 10 CFR 73.53(d)(3) and (4), licensees must identify digital assets associated with a type of consequence of concern and further evaluate whether an alternate means (protected from a cyber attack) is available that will prevent the consequence of concern in the event that a cyber attack compromises the digital asset. Additional guidance on the identification of digital assets is provided in Chapter C, Section 6 of this document.

In accordance with 10 CFR 73.53(d)(4), licensees must determine which of the identified digital assets are vital. A digital asset is not considered vital if an alternate means is available to prevent the consequence of concern and that alternate means cannot be compromised by a cyber attack. Only VDAs are required to be protected against a cyber attack by 10 CFR 73.53(d)(5). As part of this analysis, licensees will also identify associated support systems for VDAs that, if compromised by a cyber attack, could lead to a consequence of concern. The term VDA is inclusive of all components necessary to perform the function needed to prevent, mitigate, or respond, to the consequence of concern. Additional guidance on the identification of VDAs is provided in Chapter C, Section 6 of this document.

1.4 Applying cyber security controls In accordance with 10 CFR 73.53(d)(2) and (5)(i), licensees must apply the applicable cyber security controls to each VDA based on the type of consequence of concern. Licensees may elect to group similar types of VDAs together. This gives licensees the opportunity to develop a common control or sets of common controls for multiple VDAs. The licensee is responsible for applying the appropriate controls and related parameters to ensure that the consequence of concern associated with a VDA will be prevented. Additional guidance on cyber security controls is provided in Chapter C, Section 7 of this document. Appendices B, C, D, E, and F of this document contain cyber security controls that the NRC staff finds acceptable for applying to VDAs specific to each of the four types of consequence of concern.

A licensee may use these cyber security controls or develop their own using another recognized standard as long as the regulatory requirements of 10 CFR 73.53 are met.

1.5 Implementing procedures and interim compensatory measures In accordance with 10 CFR 73.53(5)(ii) the licensee must establish and maintain written implementing procedures documenting the countermeasures to a cyber attack taken to address the cyber security controls for VDAs. Acceptable implementing procedures document the cyber security controls, based on the type of consequence of concern. Note that similar VDAs with common controls may also have implementing procedures in common. Additional guidance on implementing procedures is provided in Chapter C, Section 8 of this document.

In accordance with 10 CFR 73.53(d)(6), the licensee is required to apply interim compensatory measures when the countermeasures to a cyber attack taken to address the cyber security controls are degraded. When implemented, interim compensatory measures must be documented, tracked to completion, and available for inspection by the NRC staff. These interim compensatory measures may be captured in the implementing procedures, or they could be part of other site-specific documentation.

Additional guidance on interim compensatory measures is provided in Chapter C, Section 8 of this document.

DG-5062, Page 12 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE 1.6 Managing the cyber security program A licensees cyber security plan is required by 10 CFR 73.53(e)(2) to describe the measures for management and performance of the cyber security program. The cyber security program performance objectives in 10 CFR 73.53(b) establish critical program elements that address the evolving cyber security threat, which is likely to become more prevalent and sophisticated over time. As such, measures are needed for the management and performance of the cyber security program. Associated with these measures, the remainder of the requirements in 10 CFR 73.53(f) through (i) are: configuration management; biennial review of the cyber security program; event reporting and tracking; and recordkeeping. The requirements in 10 CFR 73.53(f) through (i) establish measures for the management and performance of cyber security program over the life of the facility. These elements of the cyber security program should be incorporated and conducted as part of the licensees standard operations.

Additional guidance is provided on: configuration management in Chapter C, Section 10; biennial review of the cyber security program in Chapter C, Section 11; event reporting and tracking in Chapter C, Section 12; and recordkeeping in Chapter C, Section 13 of this document.

2 Cyber Security Program Performance Objectives In accordance with 10 CFR 73.53(b), a licensee shall establish, implement, and maintain a cyber security program that shall detect, protect against, and respond to a cyber attack capable of causing a consequence of concern. The cyber security requirements set forth in 10 CFR 73.53 are intended to be performance based to allow licensees flexibility with implementation while protecting public health and safety and promoting common defense and security. The performance objectives to detect, protect against, and respond to cyber attacks are critical program elements for addressing the evolving cyber security threat, which is likely to become more prevalent and sophisticated over time.

2.1 Detect a cyber attack capable of causing a consequence of concern As required by 10 CFR 73.53(b), the licensee must detect a cyber attack capable of causing a consequence of concern. To meet this requirement, the licensee should create a robust detection process that includes multiple data collection points, in-depth analysis mechanisms, and appropriate gathering of threat intelligence. The detection process should integrate into the cyber security program. The process should also use the identification of cyber attacks as a basis to gain lessons learned and update the facilitys protection and response capabilities.

While protective technology and countermeasures to a cyber attack can deal with established threats and known attack pathways, licensees must also detect when they are under cyber attack. To accomplish this, licensees are expected to define and differentiate between normal and abnormal electronic activity associated with a VDA. The licensee should develop a baseline understanding of the facilitys normal data communications and network system behavior related to VDAs and consequences of concern. This should provide a reference point for comparison as the facility operates over time to refine identification and analysis techniques for cyber attacks. Any unusual activity or communications should be identified and analyzed for impact in a timely manner. The licensee should also seek to understand the potential characteristics of cyber attacks associated with a consequence of concern (e.g.,

specific devices or machines that would be affected, what a consequence of concern sequence of events would look like). Furthermore, VDAs should be monitored to identify significant cyber security issues and to confirm the effectiveness of the countermeasures to a cyber attack taken to address the cyber security controls.

Detection of new cyber security threats or attacks, relevant to a consequence of concern, should be used to improve the response capabilities of the licensee and inform the licensees countermeasures to DG-5062, Page 13 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE a cyber attack. In keeping with the life cycle concept, any lessons learned or information gathered with respect to attacks or attackers should be incorporated into the countermeasures to a cyber attack.

Detection supports defense-in-depth because new threats or vulnerabilities are identified and protected against before they can be exploited. Detection allows identification of abnormal activity on VDAs in a timely manner so the CST and/or site-specific IR resources can respond, evaluate the potential impacts, and take protective measures, if needed. Detection also provides the CST and IR resources information on the type of attacks occurring against the facility so the licensee can implement additional protective measures, if needed. Compliance with the detection objective provides awareness of the ongoing cyber security threat and supports understanding of the effectiveness of the cyber security program.

Compliance with the detection objective provides cyber threat intelligence that supports maintaining the effectiveness of the cyber security program.

The licensee should utilize outside threat intelligence sources to inform the detection process.

These sources can be Government agencies, private cyber security organizations, or similar facilities in the nuclear fuel cycle or chemical processing sectors. Licensees should review the cyber security detection data and external intelligence information on a quarterly basis for trends that could be used to improve the detection process.

The detection process should have the necessary equipment, materials, programs, and sensors for the licensee to analyze anomalous activity. Both the detection and the analysis should be completed in a timely manner and useful information communicated to the appropriate internal organizations to support IR. When a cyber security event is identified, the licensee should analyze its characteristics (e.g. source, attack type, threat vector) and compare it to the facilitys knowledgebase of previous events.

The detection process should be reviewed, as part of the biennial review, to confirm its function.

Analysis efforts should be reviewed for accuracy. Overall, the licensee should seek to continuously improve its detection processes and efforts.

2.2 Protect against a cyber attack capable of causing a consequence of concern As required by 10 CFR 73.53(b), the licensee must protect against a cyber attack capable of causing a consequence of concern. This performance objective is necessary to maintain safety, security, and safeguards at a FCF. FCF licensees rely on digital assets to perform safety, security, and safeguards functions. Unprotected VDAs could be compromised by a cyber attack that either: 1) causes a consequence of concern (active); or 2) causes the digital asset to not perform its intended function when called upon (latent consequence of concern). Cyber attacks may have various attack vectors (wired, wireless, hand carried) to exploit unprotected VDAs. In addition, cyber attacks can be launched remotely, occur over a broad timeframe, and compromise multiple digital assets simultaneously with an immediate or delayed impact (i.e., an active or latent consequence of concern). Analysis of digital assets associated with a consequence of concern is needed to determine which safety, security, and safeguards digital assets, if any, require protection against cyber attacks.

Licensees are expected to ensure that appropriate cyber security controls are maintained to protect the associated VDAs, in accordance with 10 CFR 73.53(d)(5). Licensees are also expected to use proper configuration and change management techniques when making alterations or updates to VDAs, in accordance with 10 CFR 73.53(f). All licensees should assess plant changes to determine if cyber security associated with a consequence of concern is affected and if additional protection efforts are needed. This activity forms the basis of the protection objective and should be conducted throughout the life cycle of the facility. When properly implemented in compliance with requirements in 10 CFR 73.53, configuration management supports assurance of protection against a cyber attack that could result in a consequence of concern.

DG-5062, Page 14 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE Additional guidance regarding the cyber security protection required by 10 CFR 73.53 is provided by this document in Chapter C: Section 3 for the CST; Section 4 for the cyber security plan; Section 5 for consequences of concern; Section 6 for identification of digital assets and support systems; Section 7 for cyber security controls; Section 8 for implementing procedures and interim compensatory measures; Section 9 for configuration management; Section 10 for the biennial review; Section 11 for event reporting and tracking; and Section 12 for recordkeeping.

2.3 Respond to a cyber attack capable of causing a consequence of concern As required by 10 CFR 73.53(b), the licensee must respond to a cyber attack capable of causing a consequence of concern. While the cyber security program is designed to protect against cyber attacks, impenetrable cyber security is not achievable. Therefore, effective and timely response to cyber attacks is important to minimize potential impacts. Given the nature of the cyber threat, licensees should establish procedures and resources for response to cyber attacks that may exploit a VDA.

The response effort by the licensee to a successful attack on a VDA should be to first place the digital asset into a safe condition and eliminate the potential for a consequence of concern. Once the potential compromise is prevented, the next effort should be to stop the attack. This removes the threat of cyber attack toward other VDAs and allows for eradication of any potential malware. Finally, the licensee should preserve, where possible, all evidence of the attack for investigation. Additional guidance on recordkeeping is provided in Chapter C, Section 12 of this document.

The response to a cyber attack should be coordinated with existing safety and security programs required by NRC regulations (i.e., 10 CFR Parts 70 and 73). In addition, IR should be tested regularly.

The results of any response exercise should be incorporated into the facilitys corrective actions, as well as the evolution of both protective strategies and detection methods. Overall, these response exercises should improve the licensees ability to effectively respond to a cyber attack. Guidance on the CSTs involvement with responding to a cyber attack is provided in Chapter C, Section 3 of this document.

Additional guidance on IR is provided in Chapter C, Section 4.3 of this document.

After a licensee responds to a cyber attack and the resulting impacts of that attack, 10 CFR 73.53(h) has specific event reporting and tracking requirements. Guidance on event reporting and tracking is provided in Chapter C, Section 11 of this document.

3 Cyber Security Team As required by 10 CFR 73.53(d)(1), the licensee must establish and maintain a CST that is adequately structured, staffed, trained, qualified, and equipped to implement the cyber security program.

The CST is responsible for meeting the performance objectives of 10 CFR 73.53 through the implementation of the cyber security program. The specific responsibilities of the CST are to: establish and maintain cyber security controls capable of preventing a cyber attack from causing a consequence of concern, identify digital assets that if compromised could result in a consequence of concern, and determine which digital assets are vital. To accomplish this, the CST should:

  • Protect VDAs and associated support systems from cyber attacks capable of causing a consequence of concern;
  • Configure, operate, and maintain cyber security equipment to both detect and protect against a cyber attack capable of causing a consequence of concern; DG-5062, Page 15 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Understand the cyber security aspects of the facility network architecture, hardware platforms, software platforms, operating systems, process-specific applications of digital assets, and the services and protocols upon which those applications rely;
  • Conduct security audits, vulnerability assessments, network scans, and penetration tests against VDAs;
  • Authorize VDAs for use by the licensee, assign individuals to fulfill specific roles and responsibilities for this authorization process;
  • Manage, document, and report the security state of VDAs;
  • Assess cyber threat intelligence and new vulnerability information;
  • Conduct cyber security investigations following the compromise of VDAs;
  • Preserve forensic evidence collected during cyber security investigations to prevent loss of evidentiary value;
  • Create a trained and qualified cyber security workforce through ongoing professional development;
  • Perform duties with independence from the facilitys operations, using well-defined responsibilities and sufficient authority to carry out those responsibilities;
  • Perform, in part, as an IR team;
  • Provide role-related IR training and awareness to licensee staff members associated with VDAs; and

The CST is a permanent organizational unit within the licensees facility. While team members can have responsibilities outside those of the CST, these responsibilities should not interfere with the individuals cyber security duties. The team can also include corporate or contract personnel provided these individuals are appropriately qualified for the role and authorized for a position on the team.

The CST should be the licensees internal resource for cyber security threat information. It should implement threat awareness that includes cross-organization information-sharing. It should also coordinate with the existing physical security and emergency preparedness programs when addressing cross-cutting issues.

The CST should be the licensees liaison with outside information resources for cyber security. It establishes and institutionalizes contacts with appropriate groups and associations within the security DG-5062, Page 16 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE community to facilitate ongoing security education and training for team members. The team is responsible for maintaining recommended security practices, techniques, and technologies up to date.

3.1 Structure and staffing The CST should consist of individuals that include management, cyber security experts, and technical experts with knowledge of the facilitys safety, security, and safeguards functions. A licensee can form a CST by defining and documenting roles, responsibilities, authorities, and functional relationships. These roles should be clearly communicated to the appropriate site organizations and individuals (e.g., employees, subcontractors, temporary employees, visiting researchers, and vendor representatives). A group of personnel administering the cyber security program that the NRC would find acceptable includes the following four categories of individuals:

  • A cyber security program sponsor who is a member of senior site management (executive level) and provides oversight and accountability for the cyber security program. The senior manager provides oversight for the cyber security program that is independent from operations and has adequate resources and stop work authority.
  • A cyber security program manager who is responsible for coordinating, developing, implementing, and maintaining the cyber security program. This individual provides oversight and direction to the CST. The individual serves as the single point of contact between upper management and the CST, responsible for implementing the commitments in the cyber security plan.

These individuals conduct the day-to-day operations of the cyber security program. They are responsible for providing technical expertise to the operational staff for implementation of the cyber security program. They ensure digital assets are protected consistent with the cyber security plan and monitor digital assets for indicators of a cyber attack. They keep knowledgeable of the evolving threat environment. These individuals maintain the cyber security program over time.

  • Technical staff from facility organizations including security, operations, engineering, emergency preparedness, and other support organizations, as required, who are responsible for maintaining alternate means to address digital assets associated with a consequence of concern as well as implementing controls for protection of VDAs. These members may or may not be part of the CST, but they provide technical input on the analysis of digital assets.

The teams organizational structure should be summarized in the cyber security plan consistent with the requirements of 10 CFR 73.53(i).

3.2 Training and qualification The licensee shall ensure that the CST members are appropriately trained and qualified to effectively implement and maintain the cyber security program.

Training The CST is responsible for developing and maintaining the facilitys cyber security training. The CST is responsible for determining the appropriate level of basic cyber security awareness training DG-5062, Page 17 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE commensurate with an each individuals assigned roles and responsibilities. The training requirements and records can be maintained as part of the facilitys overall training program.

A minimum level of training should also be provided for each position on the CST depending on the roles and responsibilities of that position. Training for the CST should be identified in the cyber security plan. In addition, the actual training should be documented in procedures. The licensee should keep records to indicate that training is up-to-date. Additional training requirements may be necessary to ensure familiarity with the controls applied to VDAs.

Qualification Minimum qualification requirements should be established for each key position on the CST and the individuals compliance with the qualification should be documented and available for review. The cyber security program sponsor should have a minimum of five years experience in working with digital assets or network systems. The cyber security program manager should have an industry recognized certification in a cyber security related field (e.g., Certified Information Systems Security Professional) and seven years experience working in the cyber security field. The cyber security specialists should have two years experience in networking, systems administration, database management, vulnerability scanning, penetration testing, or web applications. The technical staff that support the CST should have a working knowledge of the digital assets used throughout their area of operations. The individuals should not assume their assigned positions until the licensee has documented the individuals qualifications through previous experience, certification, or educational degree that meets the pre-established qualification criteria for the positions as documented in plant procedures.

3.3 Equipment The CST should be appropriately provided with the necessary software, tools and devices to analyze networks and related traffic, scan devices for vulnerabilities and test VDA defenses. This equipment should be routinely updated or replaced to reflect the current operating environment as well as known vulnerabilities identified by the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and other informed resources.

4 Cyber Security Plan As required by 10 CFR 73.53(e), licensees must establish, implement, and maintain a site-specific cyber security plan that describes how the licensee will implement the cyber security program to meet the requirements of this regulation. The cyber security plan should provide an overview of the policies and procedures that support the development and implementation of the cyber security plan, as well as the management commitment to this effort. In accordance with 10 CFR 73.53(e)(1), the cyber security plan documents the cyber security controls that will be used to protect against cyber attacks capable of causing the consequences of concern. Under 10 CFR 73.53(a), the cyber security plan is incorporated into the license as a license condition. The plan describes the licensees cyber security program and how the program complies with the requirements in 10 CFR 73.53. The plan should addresses technical (network infrastructure), physical (digital assets used at the facility), and personnel (staff training and responsibilities) components of the program. The cyber security plan should demonstrate the licensees commitment to maintain cyber security policies and procedures up to date and applicable among organization entities.

Licensees should include in their cyber security plan their goals for addressing cyber security in their daily operations for protection of VDAs. Licensees should also describe how cyber security is integrated into the design architecture of their site. At each step of the cyber security plans development, DG-5062, Page 18 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE site-specific considerations should be addressed to ensure the resulting document accurately depicts the commitments and conditions specific to the licensee.

The cyber security plan should describe or reference the written policies and procedures maintained on site for the implementation of the cyber security program. In addition, the cyber security plan should describe how the licensee will identify, evaluate, and protect against emergent cyber security threats that develop over time. The cyber security plan should reference the procedures for maintaining this analysis capability throughout the life of the facility.

4.1 Elements of a cyber security plan To further guide licensees, Appendix A to this RG provides a generic cyber security plan template that can be used to develop a cyber security plan and to establish and maintain a cyber security program that will comply with this regulation.

A cyber security plan describes the measures and governing procedures to ensure that the cyber security plan, associated records, and implementing policies and procedures are protected in accordance with the requirements of 10 CFR 73.21 and 73.22 for protection of safeguards information, and the requirements of 10 CFR Part 25 for protection of classified information. Revisions to the cyber security plan must be processed in accordance with 10 CFR 40.32(h) or 10 CFR 70.32(f), whichever is applicable to the specific FCF. A licensee must submit changes that would result in a decrease in the effectiveness of the cyber security plan to the NRC for review and approval prior to implementation.

As required by 10 CFR 73.53(e), the cyber security plan must describe how the licensee will detect, protect against, and respond to a cyber attack capable of causing a consequence of concern as identified in 10 CFR 73.53(c). The cyber security plan must address the following discrete elements:

  • Documentation that the CST is established and maintained in accordance with 10 CFR 73.53(d)(1). This would include sufficient detail to demonstrate the CST is adequately structured, staffed, trained, qualified, and equipped to implement the cyber security program as required by 10 CFR 73.53(d)(1).
  • Description of the identification process for digital assets as required in 10 CFR 73.53(d)(3).
  • Description of the identification process for alternate means, VDAs, and associated support systems as required in 10 CFR 73.53(d)(4).

o Applying cyber security controls from those controls identified through 10 CFR 73.53(d)(2) are applied to VDAs (10 CFR 73.53(d)(5)(i)); and o Establishing and maintaining written implementing procedures describing how cyber security controls are established and maintained (10 CFR 73.53(d)(5)(ii)).

  • Description of how interim compensatory measures are applied, documented, and tracked to completion when the countermeasures to a cyber attack taken to address the cyber security DG-5062, Page 19 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE controls are degraded in order to meet the cyber security program performance objectives (10 CFR 73.53(d)(6)).

  • Description of measures for IR to a cyber attack affecting VDAs or that may cause a consequence of concern. In part, these requirements include event reporting and tracking as required by 10 CFR 73.53(h).
  • Summary descriptions regarding cyber detection activities planned for use by the licensee.

The cyber security plan is subject to the biennial review requirement in 10 CFR 73.53(g) and should be updated as needed. Updates that would result in a decrease in the effectiveness of the cyber security plan will require NRC review and approval consistent with 10 CFR 40.32(h) or 10 CFR 70.32(f),

whichever is applicable to the specific FCF, prior to implementation of the change.

Consistent with 10 CFR 73.53(e)(3), policies, implementing procedures, site-specific analysis, and other supporting technical information used by the licensee to support the development and implementation of the cyber security plan need not be submitted for Commission review and approval as part of the cyber security plan but are subject to inspection by the NRC staff.

The CST should review and update the cyber security plan as a part of the biennial review process, as required by 10 CFR 73.53(g), or as necessary due to changes in the VDA as a part of overall configuration management, as required by 10 CFR 73.53(f). The team CST should communicates the cyber security plan and its requirements to appropriate staff and contractors. Licensees should protect the cyber security plan from unauthorized disclosure and modification given the sensitivity of the information.

4.2 Incident response In accordance with 10 CFR 73.53(b), a licensee is required to respond to a cyber attack capable of causing a consequence of concern. To address this requirement, licensees should form a cyber security incident response team (CSIRT) using members of the CST. This CSIRT should have experience in digital forensics, malicious code analysis, tool development, and facility engineering. The CSIRT should be allocated sufficient resources to effectively assess and respond to a cyber security incident. Members of the CSIRT should receive role-specific IR training.

A licensees cyber security plan is required to describe the measures for IR to a cyber attack affecting VDAs, consistent with 10 CFR 73.53(e)(2)(ii). It is recommended that the cyber security plan reference a separate IR or emergency plan that considers a cyber attack capable of causing a consequence of concern. The IR or emergency plan should document roles, responsibilities, management commitment, and coordination among physical security and emergency preparedness entities. The IR or emergency plan should be referenced in the overall cyber security plan and available for inspection by the NRC.

The CST and appropriate personnel associated with VDAs should be trained on appropriate IR measures for VDAs. In addition, the CSIRT should also be trained on how to respond to cyber attacks and incidents. For both subjects, all affected personnel should be educated on the necessary actions required to maintain any contingencies to support the response effort as well as maintain safety and security under existing regulations.

The IR or emergency plan should provide a roadmap for implementing the cyber security IR capability; describe the structure and organization of the cyber security IR capability; and define the resources and management support committed to effectively maintain this capability. The IR or DG-5062, Page 20 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE emergency plan should include, directly or by reference, the specific steps and actions taken to respond to a cyber security incident. Specific characteristics of the VDAs and plant systems important to IR should be discussed in the documentation. The cyber security IR documentation should be reviewed and approved by the CST at least every 12 months, with updated copies distributed to all personnel with an IR role and other appropriate personnel. Updates to the IR or emergency plan may address system or organizational changes, or problems encountered during plan implementation, execution, or testing.

Licensees are encouraged to treat IR-related documents as sensitive and protect them from unauthorized disclosure and modification.

The response may include an analysis to determine the extent and impact of a cyber attack and if compensatory measures need to be implemented. Mitigation strategies should be available for response to a cyber attack, to prevent expansion of an event, limit its effects, and eradicate the incident. The response should include identification and application of lessons learned. Compliance with the response performance objective serves to mitigate the consequences from a successful cyber attack and supports improvement of the cyber security program through implementation of lessons learned over time.

The licensee should test the IR capabilities on a regular basis in conjunction with other security response or emergency preparedness drills. The licensee should conduct an exercise to simulate a cyber security event and allow for IR testing and training at least once during each biennial review cycle. The exercise itself should be as realistic as practicable in order to most effectively evaluate the capabilities of the cyber security program. The results of the exercises should be integrated into the training materials through regular updates as well as the overall IR or emergency plan and related procedures.

IR should involve the use of cyber security capabilities to complete detection and analysis, containment, eradication of malware and other related cyber intrusions, and lead to safe shutdown of the VDA. This effort should be coordinated with existing physical security and emergency preparedness activities. Following the event, lessons learned should be incorporated into IR procedures, training, and testing along with the overall IR or emergency plan, and the resulting changes implemented accordingly.

Once actions are taken to respond to the attack and avert the compromise of a VDA, the licensees response capabilities should include communications with internal and external stakeholders to alert plant staff to monitor their systems for compromise, manufacturers to be aware of potential vulnerabilities, law enforcement to investigate the attacks when feasible, and industry to be knowledgeable of the threat. The licensee should plan for the continuance of essential safety and security functions while conducting response activities, with no loss of continuity due to a cyber security attack or incident. This continuity should be sustained until all affected VDAs and systems associated with a consequence of concern enter a safe mode of operation or shutdown. The licensee should also ensure that the necessary capacity for information processing, telecommunications, and environmental support exists during the time necessary to respond to a cyber security incident and enter a safe mode of operation for all affected VDAs and systems associated with a consequence of concern.

After a licensee responds to a cyber attack and the resulting consequences, the license must comply with the specific event reporting and tracking requirements set forth in 10 CFR 73.53(h).

Guidance on event reporting and tracking is provided in Chapter C, Section 11 of this document.

DG-5062, Page 21 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE 5 Consequences of Concern In accordance with 10 CFR 73.53(c), a licensees cyber security program shall be designed to protect against the specified consequences of concern. The regulatory thresholds for consequences of concern at FCFs have been compiled in Table C-1, Consequence of Concern and Related References, of this section. The consequence of concern thresholds were informed by the safety regulations in Part 70, security requirements in Part 73, and material control and accounting requirements in Part 74, as specified in Table C-1.

The NRC is seeking to protect licensed activities that have the potential to either cause or result in radiological or chemical exposure or release; the loss or unauthorized disclosure of classified information or matter; the theft, diversion, or the loss of material control and accounting of nuclear material of moderate strategic significance; radiological sabotage, as specified in 10 CFR 73.1(a)(1); or the theft, diversion, or the loss of material control and accounting of a formula quantity of strategic special nuclear material. By targeting these consequences, the NRC intends for a licensee to focus their cyber security efforts to effectively protect against cyber threats associated with risk-significant impacts.

TABLE C CONSEQUENCE OF CONCERN AND RELATED REFERENCES SECTION 1 LATENT - DESIGN BASIS THREAT The compromise, as a result of a cyber attack at a licensee authorized to possess or use a formula quantity of strategic special nuclear material, of a function needed to prevent, mitigate, or respond to one or more of the following:

  • Theft or diversion of formula quantities of strategic special nuclear References material; or 10 CFR 73.1(a)(2)
  • Loss of nuclear material control and accounting for strategic special 10 CFR 73.20 nuclear material. 10 CFR 74.51(a) and 10 CFR 74.51 SECTION 2 LATENT - SAFEGUARDS The compromise, as a result of a cyber attack at a licensee authorized to possess or use special nuclear material of moderate strategic significance, of a function needed to prevent, mitigate, or respond to one or more of the following:

References

  • Loss of nuclear material control and accounting for special nuclear 10 CFR 74.41(a) and material of moderate strategic significance.

10 CFR 74.41 SECTION 3 ACTIVE - SAFETY One or more of the following that directly results from a cyber attack:

  • Radiological exposure of 25 rem or greater for any individual; References
  • An acute chemical exposure that could lead to irreversible or other 10 CFR 40.31 and serious, long lasting health effects for any individual. 10 CFR 70.22 DG-5062, Page 22 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE SECTION 4 LATENT - SAFETY AND SECURITY The compromise, as a result of a cyber attack, of a function needed to prevent, mitigate, or respond to:

  • Radiological exposure of 25 rem or greater for any individual; References
  • An acute chemical exposure that could lead to irreversible or other serious, long lasting health effects for any individual; or
  • Loss or unauthorized disclosure of classified information or classified Reference matter. 10 CFR Part 95 The NRC has identified and developed four types of consequences of concern that are within the scope of 10 CFR 73.53, that the licensee must address through their cyber security program: latent -

design basis threat (Category I FCF only); latent - safeguards (Category II FCF only); active - safety; and latent - safety and security.

  • A latent consequence of concern for design basis threat can only occur at a licensee authorized to possess or use a formula quantity of strategic special nuclear material (i.e., Category I FCF).

Similar to the latent consequence of concern for safeguards, this concern involves the compromise of a security or safeguards function as a result of a cyber attack. The end result is that the function is compromised such that it cannot prevent, mitigate, or respond to radiological sabotage; theft or diversion of formula quantities of strategic special nuclear material; or the loss of nuclear material control and accounting for the aforementioned nuclear material. A latent consequence of concern for design basis threat potentially prevents a licensee from meeting the requirements of 10 CFR 73.1(a) or 74.51(a) during a secondary event.

  • A latent consequence of concern for safeguards can only occur at a licensee authorized to possess or use special nuclear material of moderate strategic significance (i.e., Category II FCF). This concern involves the compromise of a digital asset performing a security function - prevention, mitigation, or response - as a result of a cyber attack. This situation would in turn allow a malicious actor to exploit the degraded security function to accomplish either the unauthorized removal of or the loss of nuclear material control and accounting for special nuclear material of moderate strategic significance.
  • An active consequence of concern for safety is directly caused by a cyber attack. In this situation, the cyber attack compromises a given digital asset. The function of that digital asset is manipulated, leading to the occurrence of one or more of the specified safety related results in Table C-1, Section 3. This manipulation can be intentional on the part of the attacker or unintentional.
  • A latent consequence of concern is the compromise of a safety or security function by a cyber attack. The attack renders one or more digital assets incapable of performing its intended safety or security function. When called upon to respond due to a secondary event, separate from the cyber attack, the safety or security function does not operate as expected and in turn one or more of the consequence of concern in Table C-1, Section 4 occurs.

There are distinct differences between active and latent consequences of concern. For the active case, the compromise of the digital asset directly results in a radiological or chemical exposure exceeding the values in Table C-1, Section 3. In the latent case, a function is compromised, but there is no impact on safety, security, or safeguards until a secondary event occurs (i.e., an initiating event separate from the DG-5062, Page 23 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE cyber attack). For the latent case, the compromised digital asset is no longer able to provide the function needed to prevent, mitigate, or respond to an initiating event. The combination of the compromise from the cyber attack, the resulting latent consequence of concern, and the secondary (i.e., initiating) event, must all be present for there to be a significant impact on public health and safety or the common defense and security.

Another difference between an active and latent consequence of concern is the time that typically elapses between the compromise of the digital asset and the event. An active consequence of concern leads directly to an event (e.g., radiological or chemical exposure). However, a latent consequence of concern requires a secondary event, separate from the effects of the cyber attack, before there is a consequence of concern. Therefore, the licensee may have the opportunity to identify the compromise caused by a latent consequence of concern and implement countermeasures to a cyber attack before there is an impact on safety, security, or safeguards. For this reason, robust detection and response capabilities are important aspects of an adequate cyber security program. Conversely, for digital assets related to active consequences of concern, the cyber security controls and response efforts should account for the direct relationship between a compromise and a consequence of concern, and the short time needed for a consequence of concern to result following the compromise.

Licensees should use the types of consequences of concern listed in Table C-1, Sections 1-4 as the starting point to determine what VDAs could be affected by a cyber attack and lead to a consequence of concern. The applicable types of consequence of concern depend on the facility classification as follows:

  • Conversion and deconversion FCFs would consider:

o Active - safety; and o Latent - safety and security.

  • Category III FCFs would consider:

o Active - safety; and o Latent - safety and security.

  • Category II FCFs would consider:

o Active - safety; o Latent - safety and security; and o Latent - safeguards.

  • Category I FCFs would consider:

o Active - safety; o Latent - safety and security; and o Latent - design basis threat.

In the case where a digital asset is associated with more than one consequence of concern, the licensee is expected to analyze the asset to determine if it is considered a VDA in regard to any of the associated types of consequence of concern. Additional guidance on the identification of digital assets and VDAs is provided in Chapter C, Section 6 of this document. Also, additional guidance on applying cyber security controls is provided in Chapter C, Section 7 of this document.

DG-5062, Page 24 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE 6 Identification of Digital Assets and Support Systems The regulations in 10 CFR 73.53 require licensees to identify and protect digital assets susceptible to cyber attacks to prevent a consequence of concern. Not all digital assets at a facility require protection. Therefore this guidance provides one acceptable approach licensees may use to determine which assets need cyber security controls, which can be protected by alternate means, and which assets do not require any additional protections.

6.1 Identifying digital assets associated with a consequence of concern Consistent with 10 CFR 73.53(d)(3), fuel cycle facilities are required to identify digital assets that, if compromised by a cyber attack, would result in a consequence of concern. As defined in footnote 1 to this document, digital assets are electronic devices or organized collections of devices that either process information, communicate data, or are programmed to manipulate licensee site machinery.

Examples of digital assets include, but are not limited to, computers and databases, switches and networks, programmable logic controllers and industrial control systems. Additionally, as stated in 10 CFR 73.53(d)(3), licensees do not have to identify digital assets that are a part of a classified system accredited or authorized by another Federal agency under a formal security agreement with the NRC.

In order to develop an effective protection strategy, licensees must have in-depth knowledge of how digital assets affect their site operations that are associated with a consequence of concern. To gain this knowledge, licensees should:

  • Identify site areas and processes associated with a consequence of concern.
  • Examine those site areas and processes for 1) functions that could be compromised to directly cause a safety consequence of concern (i.e., active) or 2) functions needed to prevent, mitigate, or respond to a consequence of concern (i.e., latent).
  • Examine those functions and identify the role of any digital assets.
  • Determine if the compromise of the digital asset could directly lead to a consequence of concern (active-safety). Additionally, if compromised, would it lead to a consequence of concern if a secondary event occurred (latent-safety, security, safeguards, DBT)? To make these determinations, licensees should:

o Review software platforms and applications related to those functions or processes.

o Map organizational communication and data flows involving the digital assets.

If the answer to either of the above questions is yes, then the digital asset is within the scope of 10 CFR 73.53 and must be further analyzed to determine if it is vital.

Licensees should, at a minimum, use the following resources to support the identification process:

  • Integrated Safety Analyses (ISAs) and/or process hazards analyses;
  • Physical Security Plan;
  • Material Control and Accounting Plan;
  • Security Orders; DG-5062, Page 25 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Any site or system vulnerability analyses; or
  • Other safety or security information.

Potential digital assets associated with a consequence of concern are likely to exist as part of a number of safety and security programs through the facility. Examples of systems that may contain digital assets related to a consequence of concern include:

  • Items Relied on for Safety - active and latent safety consequences of concern;
  • Identified Plant Features and Procedures - active and latent safety consequences of concern;
  • Intrusion Detection Systems - latent security (for protection of classified information or matter),

safeguards, and DBT consequences of concern;

  • Material Control and Accounting Database - latent safety (as a potential support system),

safeguards, and DBT consequences of concern.

In accordance with 10 CFR 73.53(i), a licensee must retain supporting documentation demonstrating compliance with the requirements of 10 CFR 73.53 as a record. Licensees should document the following information for all digital assets associated with a consequence of concern:

  • A general description of each application, device, system, or network identified as a digital asset.
  • A brief description of the overall function provided by the digital asset.
  • An analysis that describes which of the four consequences of concern are applicable if a compromise of the digital asset were to occur.

In accordance with 10 CFR 73.53(e)(3), site-specific analysis and other supporting technical information used by the licensee to support the development and implementation of the cyber security plan need not be submitted for Commission review and approval as part of the cyber security plan but are subject to inspection by the NRC staff.

6.2 Alternate means analysis Once the licensee has identified those digital assets associated with a consequence of concern, the licensee is required by 10 CFR 73.53(d)(4) to determine which of those digital assets are vital. This analysis will determine if cyber security controls are required for the digital asset. In accordance with 10 CFR 73.53(d)(4), a digital asset is vital if no alternate means that is protected from a cyber attack can be credited to prevent the active consequence of concern or maintain the function needed to prevent, mitigate, or respond to the latent consequence of concern.

For this rule, the availability and usage of an alternate means is an equivalent substitute for implementing the countermeasures to a cyber attack taken to address the cyber security controls for DG-5062, Page 26 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE digital assets associated with a consequence of concern. Licensees should look at the function of the digital asset to determine if any alternate means exist that could be credited or implemented to protect against a cyber attack associated with a consequence of concern.

When considering options during this detailed analysis, licensees should remember that an acceptable alternate means:

  • Is sufficiently reliable and adequately implemented consistent with other safety features.
  • Is properly maintained.
  • Prevents the identified consequence of concern.
  • Can be activated in a timely manner to prevent the identified consequence of concern.
  • Would be implemented with appropriate and adequate resources.
  • Would not be adversely impacted by the potential multi-node and cumulative effects from a cyber attack. A licensee should consider whether a cyber attack could simultaneously compromise multiple digital assets before crediting a shared alternate means. A shared alternate means may be credited by multiple digital assets to prevent, mitigate, or respond to a consequence of concern if the alternate means remains adequate to perform its credited function(s) after taking into account the potential cumulative effects from simultaneously compromised digital assets.
  • Does not contribute to other vulnerabilities or lead to a consequence of concern.

Examples of alternate means can include, but are not limited to:

  • Physical barriers;
  • Material holding tanks;
  • Temperature, pressure and volume regulators or sensors;
  • Flow control of material through the production process;
  • Items relied on for safety [similar to plant features and procedures at some FCF licensees];
  • Process monitoring equipment and procedures;
  • Manual or automatic failsafe features or processes;
  • Process stoppage in a timely manner before the consequence of concern can occur; or
  • Other VDAs.

VDAs can be considered for use as an alternate means so long as they are protected from a cyber attack in accordance with 10 CFR 73.53(d)(5). Licensees should develop and document a detailed DG-5062, Page 27 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE analysis of the determination that an item can be credited as an alternate means of protection. The licensee should be able to demonstrate to the NRC that the alternate means prevents the consequence of concern. The documentation associated with alternate means accreditation is subject to inspection by the NRC.

6.3 Vital digital assets In accordance with 10 CFR 73.53(d)(4), any digital asset identified through 10 CFR 73.53(d)(3) that does not have an alternate means to prevent the consequence of concern is considered vital. As stated in 10 CFR 73.53(d)(5), VDAs are those devices or collections of devices that must be protected from cyber attack by applying cyber security controls and establishing and maintaining written implementing procedures documenting the countermeasures to a cyber attack taken to address the cyber security controls.

The term VDA is inclusive of all components necessary to perform the function needed to prevent, mitigate, or respond, to the consequence of concern. Multiple components may be considered a single VDA when a logical connection exists between their related equipment, technology, function, general operating environment, process, and direct operational and management control. Additionally, support systems (i.e., devices, utilities, or services) may contribute to the functionality of the VDA.

Examples of support systems include, but are not limited to, electrical power; heating, ventilation, and air conditioning; communications; and fire suppression. Additional guidance on VDA boundaries and support systems is provided in Chapter C, Sections 6.3.1 and 6.3.2 of this document.

In the case where a VDA is associated with more than one consequence of concern, it is expected that the licensee would apply the most comprehensive cyber security controls (i.e., those associated with the consequence of concern having the most comprehensive cyber security controls). The consequences of concern, ranked in order of highest to lowest comprehensiveness of cyber security controls, are: 1) latent - design basis threat; 2) latent - safeguards; 3) active - safety; and 4) latent - safety and security.

Additional guidance on applying cyber security controls is provided in Chapter C, Section 7 of this document.

In accordance with 10 CFR 73.53(i), a licensee must retain supporting documentation demonstrating compliance with 10 CFR 73.53 as a record. Licensees should document the following information for all VDAs in written implementing procedures:

  • A general description of each application, device, system, or network identified as a VDA;
  • A brief description of the overall function provided by the VDA;
  • Identification of any support systems for the VDA; and
  • An analysis that describes which of the four consequences of concern are applicable if a compromise of the VDA were to occur.

Additional guidance on VDA documentation and the associated cyber security control implementing procedures is provided in Chapter C, Section 8 of this document.

DG-5062, Page 28 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE Boundaries for vital digital assets The term VDA is inclusive of all components necessary to perform the function needed to prevent, mitigate, or respond, to the consequence of concern. Multiple components may be considered a single VDA when a logical connection exists between their related equipment, technology, function, general operating environment, process, and direct operational and management control. This activity is referred to as defining the VDAs boundary. The boundary should be established to allow the licensee to apply cyber security controls to protect the entire VDA. The establishment of the VDAs boundary will aid the licensee in establishing the scope of what the control needs to protect. The combination of VDAs should be documented and include an appropriate justification. In accordance with 10 CFR 73.53(e)(3),

this documentation is subject to inspection by the NRC.

Support systems for vital digital assets The term VDA is inclusive of all components necessary to perform the function needed to prevent, mitigate, or respond, to the consequence of concern. Support systems may provide resources necessary for the VDA to function properly (e.g., power, HVAC, communications, data). Licensees should determine the level of dependence that exists between the VDA and all of its support systems.

Support systems must be considered if their compromise by a cyber attack:

  • Could provide an input to a VDA that causes a consequence of concern;
  • Could directly cause a consequence of concern; or
  • Precludes the VDA from performing the function needed to prevent, mitigate, or respond to a consequence of concern.

In these situations, in accordance with 10 CFR 73.53(d)(5), the identified support system would require the application of cyber security controls. To facilitate the application of cyber security controls, a licensee may document the support system as either, 1) a separate VDA or 2) a component within the boundary of the associated VDA. If a support system is used by more than one VDA, it is expected that the licensee would apply the most comprehensive cyber security controls (i.e., those associated with the consequence of concern having the most comprehensive cyber security controls). The consequences of concern, ranked in order of highest to lowest comprehensiveness of cyber security controls, are: 1) latent

- design basis threat; 2) latent - safeguards; 3) active - safety; and 4) latent - safety and security.

Additional guidance on applying cyber security controls is provided in Chapter C, Section 7 of this document.

Grouping of vital digital assets VDAs may be defined individually; alternatively, similar VDAs used multiple times throughout the facility may be addressed as a group, so long as controls can be applied equally to address the associated consequences of concern. Under these conditions, one implementing procedure may be applied to the entire group to facilitate the application of cyber security controls. Any grouping of VDAs should be noted in the documentation associated with the digital asset identification process. In accordance with 10 CFR 73.53(e)(3), this documentation is subject to inspection by the NRC.

7 Cyber Security Controls A cyber security control is a performance specification established to provide an element of protection against specific cyber attack vectors. The requirements of a cyber security control are addressed by applying countermeasures for the cyber attack vector(s). In order to effectively protect DG-5062, Page 29 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE VDAs against cyber attacks associated with a consequence of concern, FCF licensees are required to establish, maintain, and apply cyber security controls in accordance with 10 CFR 73.53(d)(2) and (5).

Cyber security controls for the specific types of consequences of concern are required by 10 CFR 73.53(e)(1) to be included in the licensees cyber security plan.

In the case where a VDA is associated with more than one consequence of concern, it is expected that the licensee would apply the most comprehensive cyber security controls (i.e., those associated with the consequence of concern having the most comprehensive cyber security controls). The consequences of concern, ranked in order of highest to lowest comprehensiveness of cyber security controls, are: 1) latent - design basis threat; 2) latent - safeguards; 3) active - safety; and 4) latent - safety and security.

Additional guidance on the identification of digital assets and VDAs is provided in Chapter C, Section 6 of this document.

7.1 Standards and applicable cyber security controls The NRC has developed the technical cyber security controls in Appendices B through F of this RG, which may be used by licensees to meet the requirements of 10 CFR 73.53(d)(2). These cyber security controls are primarily informed by the NIST controls for information systems and guide to industrial control system security (NIST SP 800-53 and 800-82 respectively). In addition, the NRC used its own cyber security guidance for nuclear power reactors (RG 5.71) as a source of reference for FCF controls. Further, the NRC has modeled its expectations for FCF licensees after NISTs Core Framework for Critical Infrastructure and its draft Manufacturing Target Profile.

The licensees cyber security plan should identify the guidance or standard(s) (e.g., this RG, NIST, ISO/IEC) that the licensee will use to inform compliance with the requirements of 10 CFR 73.53.

The cyber security controls should be documented in the cyber security plan, similar to the template in Appendix A, Cyber Security Template.

7.2 Applying cyber security controls The NRC has developed technical cyber security controls grouped based on the type of consequence of concern:

  • Appendix B, Cyber Security Controls for Vital Digital Assets Associated with all Consequences of Concern;
  • Appendix C, Additional Cyber Security Controls for Vital Digital Assets Associated with Latent Consequences of Concern - Design Basis Threat (Category I Facilities Only);
  • Appendix D, Additional Cyber Security Controls for Vital Digital Assets Associated with Latent Consequences of Concern - Safeguards (Category II Facilities Only);
  • Appendix E, Additional Cyber Security Controls for Vital Digital Assets Associated with Active Consequences of Concern - Safety; and
  • Appendix F, Additional Cyber Security Controls for Vital Digital Assets Associated with Latent Consequences of Concern - Safety & Security.

If a licensee adopts the NRC cyber security controls, the NRC expects that the licensee will address each of the applicable cyber security controls for each VDA. If the licensee elects to use a DG-5062, Page 30 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE different set of controls, the licensee will be responsible for developing cyber security controls specific to the applicable types of consequence of concern, documenting them in the cyber security plan, and addressing them for each VDA in a measurable way.

In accordance with 10 CFR 73.53(d)(3) and (4), the licensee shall determine the type of consequence of concern that could result if each VDA is compromised. The application of cyber security controls to VDAs and documentation of the associated implementing procedures is required by 73.53(d)(5). To satisfy this requirement, the licensee can apply the controls listed in the appendices provided as part of this RG for each applicable consequence of concern (i.e., apply the controls that are associated with all consequences of concern and the controls associated with a specific type of consequence of concern) or equivalent controls. The licensee should document in the VDAs implementing procedure for how these controls are addressed. The documentation should demonstrate that the controls are adequate to prevent the consequence of concern. Additional guidance on implementing procedures is provided in Chapter C, Section 8 of this document.

A cyber security control is a performance specification established to provide an element of protection against specific cyber attack vectors. The requirements of a cyber security control are addressed by applying countermeasures for the cyber attack vector(s). A single countermeasure may not be sufficiently robust to adequately protect against the specific cyber attack vector in its entirety, therefore different cyber security controls may apply various countermeasures that are needed in combination to adequately protect against the cyber attack vector. Because of this, it is important to recognize that a specific cyber security control should not be considered adequately addressed by the countermeasures taken to address another cyber security control (i.e., one control should not credit another).

The specific cyber security controls applicable to a VDA are derived from the controls established through 73.54(d)(2) and documented in the cyber security plan. The cyber security controls that should be applied are determined by the type(s) of consequence of concern(s) associated with the VDA under consideration. Licensees should document how each cyber security control was addressed in the implementing procedure associated with the VDA and have those records available for inspection by the NRC.

Licensees may determine that one or more of the cyber security controls documented in the cyber security plan for a given type of consequence of concern should not be applied to a VDA associated with that consequence of concern, or to the cyber security program as a whole. In this case, licensees should document the justification for not applying the control(s). Justifications can include site-specific issues (e.g., the technical control cannot be adopted by a particular VDA because the asset cannot support it physically) as well as operational choices by the licensee (e.g., media protection is not required as all media access points for VDAs have been removed). The justification should demonstrate how the equivalent protection of a VDA or effective operation of the cyber security program is achieved without the application of the particular cyber security control.

Cyber security control parameters The controls provided in the Appendices to this RG were developed by specifying parameters (i.e., assignment and selection statements) that define certain requirements of controls and enhancements to support application to VDAs. Licensees developing their own technical controls should define similar parameters in their written procedures. Licensees developing their own technical controls should clearly define and record the control parameters in the VDA specific procedures and be available for inspection by the NRC.

DG-5062, Page 31 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE Tailoring cyber security controls for specific vital digital assets Tailoring is defined as modifying a control, its requirements, or its parameters to fit a given condition for a given VDA. Controls should not be tailored solely for operational convenience. Tailoring decisions regarding controls should be defensible based on attributes of the VDA under consideration.

Decisions can also be based on timing and applicability of selected controls under certain defined conditions. That is, controls may not apply in every situation or the controls parameter values may need to be changed based on VDA specific conditions. Tailoring decisions, including the specific rationale for those decisions, should be documented in the implementing procedures. Every control established for the applicable consequence of concern should be accounted for and addressed. If certain security controls are tailored out, then the associated rationale is recorded in the implementing procedures (or references/pointers to other relevant documentation are provided) for the digital assets under consideration and is subject to inspection by the NRC staff.

Common cyber security controls When addressing controls for a VDA, it is possible for licensees to take credit for controls already in place for related assets or to group assets under the protection of a given established control. This is defined as a common control. The use of common controls may reduce the number of controls specifically implemented for that VDA. This in turn reduces the administrative effort in applying controls as well as developing implementing procedures. Common controls can be used for all VDAs or certain groups of VDAs. It is up to the licensee to determine, based on site characteristics, where common controls and their associated countermeasures to a cyber attack can be utilized. It is expected that the use of common controls would be documented in the appropriate implementing procedures, which should provide traceability to the source document in which the controls are originally referenced.

Inherited cyber security controls If a particular VDA uses a security feature from another VDA to address a particular control then the licensee can consider this an inherited control. Like common controls, if the VDA inherits a control, then that asset does not need to explicitly implement that control. Unlike common controls, this refers to a specific one-to-one relationship between two VDAs. Again, it is expected that inherited controls would be documented in the appropriate implementing procedures. This will provide traceability to the VDA where the control is originally applied.

7.3 Verifying cyber security controls A cyber security control is a performance specification established to protect against a specific cyber attack vector. Some cyber security controls protect against multiple cyber attack vectors. The requirements of a cyber security control are addressed by applying countermeasures for the specific cyber attack vector(s). In addressing cyber security controls, the licensee should perform an assessment of the controls for each VDA and its environment of operation to determine the extent to which the associated countermeasures are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements. The procedure for each VDA should describe the conditions under which this assessment will be conducted, the frequency, and roles and responsibilities for the team conducting the assessment. Licensees should document the results and keep them available for inspection by the NRC.

As with the CST, the assessors of the controls should have independence from site operations to conduct the assessments. Assessments should include as needed: unannounced tests, in-depth monitoring; vulnerability scanning; malicious actor testing; and performance/load testing.

DG-5062, Page 32 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE In conjunction with the controls assessment, the licensee should review the interconnections between a VDA and other systems, devices or networks. At a minimum it is expected that the licensee through its cyber security program would analyze and document for each interconnection the interface characteristics, security requirements, and the nature of the information communicated. These considerations would prohibit unauthorized interconnections to VDAs and assist in confirming that all support systems have been properly identified.

The results of the VDA assessment should be reviewed by the CST. Should the assessment show that all controls have been effectively implemented, then the CST Program Manager or Program Sponsor should document that the controls applied to the VDA are acceptable to protect against a consequence of concern. However, for those solutions or features that do not effectively address one or more controls, the licensee should remediate the weaknesses of the controls or deficiencies noted during the assessment. At this point, the licensee can choose to not operate the VDA and rework its solution for protecting against a consequence of concern until it can be successfully confirmed though assessment. Otherwise the licensee can also choose to utilize an interim compensatory measure to operate the VDA until the required solution can be reworked and assessed.

7.4 Cyber security control maintenance Licensees should maintain their controls up to date as a part of their overall cyber security program so they remain applicable to existing conditions at the facility. New security controls, control enhancements, or modifications to existing controls should be developed as needed based on latest state-of-the-practice information from national-level threat and vulnerability databases as well as information on the tactics, techniques, and procedures employed by adversaries in launching cyber attacks. Cyber security controls are part of the cyber security plan, therefore additions, modifications, or changes that would result in a decrease in the effectiveness of a cyber security control must be submitted to the NRC in accordance with 10 CFR 40.32(h) or 10 CFR 70.32(f), whichever is applicable to the specific FCF, for review and approval prior to implementation.

8 Implementing Procedures and Interim Compensatory Measures In accordance with 10 CFR 73.53(d)(5)(ii) licensees must establish and maintain written implementing procedures documenting the countermeasures to a cyber attack taken to address the cyber security controls. The procedures should:

  • Explicitly define the identified boundary for the VDA;
  • Describe the operational context of the asset in terms of the consequence of concern;
  • Describe the operational environment for the VDA and relationships with or connections to other assets;
  • Describe the controls in place or planned for meeting the cyber security requirements;
  • Detail what actions or features will be employed to address the control; and DG-5062, Page 33 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Describe the verification scheme for the solutions used to meet the controls.

Implementing procedures should document each VDA and their applicable cyber security controls. The procedures for similar cyber security controls may be addressed together, in the same documentation, if they are applicable to multiple VDAs (e.g., common controls). Also, if a cyber security control (or equivalent control) is captured in an existing procedure it can be referenced as long as each VDAs cyber security controls are addressed and traceable.

The licensee should apply all the cyber security controls to the VDA for the type of consequence of concern being addressed (i.e., the controls applicable to all VDAs and consequence-specific controls).

The licensee should analyze each cyber security control to determine and document how the controls are applied to the VDA using one of the following approaches:

  • Directly completing the countermeasures to the cyber attack as outlined in the control;
  • Indirectly meeting the intent of the control through an equivalent approach; and
  • Providing a justification that the control is not applicable to the VDA (e.g., controls applied, controls not applied or alternate equivalent control exists or was applied).

The documentation needs to address each control including a justification if controls are determined not to be applicable, (e.g., specific cyber security control X-XX was not applied because the VDA is in a locked and alarmed room and no attack path exists).

The implementing procedures for cyber security controls should identify the VDA and the countermeasures implemented to address the cyber security controls. At a minimum the implementing procedures should document the following information:

  • Identification of the VDA and boundary;
  • Type of consequence of concern;
  • Function, general description, and purpose of the VDA;
  • Individual(s) or organization responsible for the VDA;
  • Location, interconnections, and environment;
  • Support systems for the VDA;
  • Inventory (hardware, software, versions);

Additional guidance is provided below on the type of information that should be provided to address these bulleted items. Some examples are provided.

8.1 Identification of the vital digital asset and boundary DG-5062, Page 34 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE The procedure should identify the VDA and major components within its boundary. For example, a description of a single access control VDA would include the following:

  • Computer system (name and model);
  • Computer monitor (name and model);
  • Printer (name and model);
  • Access control and alarm cabinet (name and model);
  • Card readers (name and model); and
  • Door alarm contacts (name and model).

For VDAs that are combined into a group, the procedure should identify each of the VDAs and describe their major components.

8.2 Consequence of concern type The procedure should identify the type(s) of consequence of concern associated with the VDA based on the analysis performed by the licensee (e.g., latent - safeguards). In addition, the procedure should reference the document(s) detailing the analysis.

8.3 Function, general description, and purpose of the vital digital asset The procedure should identify if the VDA is performing a safety, security, or safeguards function.

It should also include a general description of the device and its purpose. For example, the description of an access control and alarm system could read as follows:

The access control and alarm system performs a security function and is responsible for maintaining and monitoring access control to a controlled access area (CAA) storing special nuclear material. In addition, the system monitors door alarm contacts leading into and exiting the CAA. The alarm contacts generate intrusion, tamper, or trouble alarms that are displayed and annunciated on the computer system in the event of an alarm condition. The computer system is continuously monitored by a security officer and is located in a manned station. The access control and alarm cabinet is locked and alarmed (tamper) and is located within the manned station with the computer system. The data lines to and from the card readers and the alarm contacts to the access control and alarm cabinet are supervised.

In the event of a device or system failure compensatory measures are implemented in accordance with site procedures [reference the procedure].

8.4 Individual(s) or organization responsible for the vital digital asset The procedure should identify the individual(s) or organization responsible for the VDA. The individual(s) can be identified by job title or role (e.g., Security Manager). The procedure could also be assigned to a facility defined organization (e.g., Security Department). If several VDAs are combined into a group or single VDA boundary and the responsibilities are spread among several individuals or organizations, the procedure should list which individual(s) or organization(s) are responsible for which VDA, for example:

DG-5062, Page 35 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE For the access control and alarm system, the following parties are responsible for the various major components:

  • Access Control and Alarm System (Security Department);
  • Computer system (Information Technology (IT) Department);
  • Computer monitor (IT Department);
  • Printer (IT Department);
  • Access control and alarm cabinet (Security Department);
  • Card readers (Security Department); and
  • Door alarm contacts (Security Department).

8.5 Location, interconnections, and environment The procedure should identify the location(s) (i.e., physical, or on the network) and environment of the VDA. If VDAs are grouped by similar type but have several different locations (e.g., buildings, rooms) and environments (CAAs, Data Center) they should all be listed. In addition, the VDA(s) should, if applicable, be identified on a network diagram along with its interconnections and defined boundaries.

A procedure may reference another procedure that contains the appropriate network diagram(s) identifying the VDAs interconnections and boundaries.

8.6 Support systems The procedures should identify the support systems for the VDA(s), if applicable, based on the analysis performed by the licensee - see Chapter C, Section 6.3.2 of this document for additional guidance. The procedure should describe the importance of the support system to the VDA, identify if the support systems is a VDA, and if it is, reference the supports systems procedure.

For example:

The access control and alarm system relies on a number of support systems including:

  • Electrical power supply (not a VDA because the system fails safe); and
  • Communications between the detectors and alarm system (VDA, see procedure [LICENSEE SPECIFIED PROCEDURE NUMBER]).

8.7 Inventory The procedure should list the VDA(s) inventory to include hardware, peripherals, firmware, and software. Firmware and software should specify the latest versions, updates, and patches. For example, and inventory for the access control and alarm system VDA may include the following:

DG-5062, Page 36 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Computer system - [LICENSEE SPECIFIED LIST OF SOFTWARE AND PROGRAMS INSTALLED (E.G., OPERATING SYSTEM, ACCESS CONTROL AND ALARM SOFTWARE) ALONG WITH LATEST VERSIONS, UPDATES AND PATCHES].
  • [LICENSEE SPECIFIED LIST OF PERIPHERALS ATTACHED TO OR USED WITH THE COMPUTER SYSTEM AS WELL.]
  • Access control and alarm cabinet - [LICENSEE SPECIFIED LIST OF THE TYPES OF CARDS, CONTROLLERS OR MODULES INSTALLED ALONG WITH THE LATEST SOFTWARE AND FIRMWARE INSTALLED.]

8.8 Interim compensatory measures An interim compensatory measure (ICM) is defined as a temporary solution to address a countermeasure to a cyber attack taken to address one or more cyber security controls. These are time limited solutions that allow the VDA to be operated while the long term method to address the control is properly implemented and verified. As identified in 10 CFR 73.53(d)(6), the ICM must be documented and tracked to completion. The licensee should document what the ICM is, how it functions, how it will address the control effectively, and the timetable for the rework or replacement of the original planned solution. The licensee should document at regular intervals progress on implementing a long term solution and note when the ICM is no longer needed, to ensure the issue is tracked to completion.

Licensees should document the additional justification and appropriate management approval for any ICM that would be kept in use for more than one calendar year from the date of adoption.

9 Configuration Management Configuration management, in accordance with 10 CFR 73.53(f), requires the evaluation of additions, modifications, and removal of devices and equipment associated with a consequence of concern for any cyber security implications. It also includes establishing the appropriate procedures for controlling modifications to hardware, firmware, software, and documentation associated with existing digital assets as well as VDAs. Configuration management should protect against improper or unintended changes to the cyber security program.

9.1 Cyber security impact analysis An acceptable way for licensees to address configuration management for cyber security is to conduct a cyber security impact analysis as a part of any proposed change to facility capability, digital asset functions, or VDAs. This impact analysis would examine the proposed changes to determine if they could potentially introduce vulnerabilities into the facility that could allow a cyber attack to result in a consequence of concern. The effort would also determine if any existing countermeasures to a cyber attack (e.g., cyber security controls for VDAs or alternate means) would be affected or degraded by the change or if any adjustments would be required to maintain the effectiveness of the detection process or existing procedures. The impact analysis would consider impacts on the cyber security plan, IR procedures, other documentation, or processes. At the same time, licensees should determine if the proposed design change would improve countermeasures, detection schemes, or availability of alternate means to protect against consequences of concern.

The cyber security impact analysis should identify the need to develop or revise the appropriate implementing procedures to reflect any adjustments to the cyber security program as a result of facility changes. These adjustments or actions can include:

DG-5062, Page 37 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • The creation or deletion of one or more VDAs;
  • A change in the location of a VDA or associated support system;
  • An update to connectivity pathways to a VDA (direct and indirect);
  • The change in status of an existing digital asset into a VDA due to identification of vulnerabilities or the removal of an existing alternate means of protection against a consequence of concern;
  • The use of different controls based on the vulnerabilities identified;
  • The implementation of new or modified detection measures for cyber attacks;
  • An update to infrastructure interdependencies;
  • An update to the application of defensive strategies, including defensive architectures, security controls, and other defensive strategy countermeasures to a cyber attack;
  • An update to the documentation of plant wide physical and cyber security policies and procedures, including attack mitigation and IR and recovery;
  • An update to procedures for screening, evaluating, mitigating, and dispositioning threat and vulnerability notifications received from credible sources;
  • The degradation of existing controls and the use of interim compensatory measures to compensate until appropriate controls can be implemented, as required under 10 CFR 73.53(d)(6); and
  • The amendment of existing IR procedures, VDA control procedures, or the cyber security plan.

A cyber security impact analysis assists in managing potential vulnerabilities, weaknesses, and risks introduced by changes in the system, network, environment, or emerging threats. A security impact analysis should be performed before making a design or configuration change to a VDA or when changes to the environment occur. An effective program includes a cyber security impact analyses as part of the configuration management process to assess the impacts of the changes on the security posture of VDAs.

At the completion of the analysis, a licensee would implement new security controls to mitigate any gaps identified in the analysis, as required by 10 CFR 73.53(g).

9.2 Site-wide considerations The results of the impact analysis, revisions to implementing procedures, and any other considerations developed by the CST should be shared with the appropriate facility design and operations functions. The CST should work with their counterparts throughout facility operations to ensure that the implementing procedure is properly executed. The CST should also consider how VDAs are authorized to operate after controls are applied a verified due to changes to the licensees environment or digital assets. This would include incorporating and verifying changes to documentation or other implementing procedures to reflect adjustments to cyber security controls or their associated countermeasures.

Consistent with 10 CFR 40.32(h) or 10 CFR 70.32(f), whichever is applicable to the specific FCF, amendments to the cyber security plan that would result in a decrease in the effectiveness must be submitted to the NRC for review and approval prior to implementation of the change.

DG-5062, Page 38 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE Any changes as a result of the procedure should be tested and verified before use in the licensees production environment. The overall process, digital asset, or VDA cannot operate until the implementing procedure has been completed and validated. Interim compensatory measures can be employed as needed should the new procedure fail in implementation or verification.

Through configuration management, the licensee should implement a process for ensuring that cyber security testing, training, and monitoring activities associated with VDAs are properly developed and maintained. The CST should confirm that these actions continue to be executed in a timely manner.

The team should also review testing, training, and monitoring for consistency with the cyber security plan as changes occur to the facility, digital assets, and VDAs.

The licensee should include cyber security considerations into future design plans for the facility.

To that end, the licensee should conduct cyber security impact analyses regarding changes to facility throughout the life of the facility as well as the operational life cycle for any identified VDAs. Cyber security configuration management can be integrated into existing licensee processes or programs. Some licensees current utilize an operational maintenance, site-wide configuration management, corrective action, or facility life cycle development program that can be expanded to meet the requirements of 10 CFR 73.53(f).

10 Biennial Review In accordance with 10 CFR 73.53(g), the licensee should perform a biennial review of the cyber security program. The periodic review serves to evaluate the overall effectiveness of the cyber security program. An acceptable approach to a cyber security program review includes the following:

  • Review the effectiveness of the purpose, scope, roles, responsibilities, requirements, and management commitments of the cyber security program;
  • Review any measures of performance established through cyber security controls and develop, monitor, and report on the results these measures of performance;
  • Review the configuration management of the cyber security program for effectiveness;
  • Develop and implement procedures to facilitate and maintain the biennial review;
  • Review the effectiveness of the controls addressed for any VDA;
  • Verify the facilitys IR capability;
  • Document the results and recommendations of the cyber security program reviews, managements findings regarding cyber security program effectiveness, and any actions taken as a result of recommendations from prior cyber security program reviews in a report, which should be reviewed by an individual at least one level higher than those having responsibility for day-to-day plant operation; and
  • Maintain the reports in an auditable form and make them available, upon request, for inspection by the NRC.

DG-5062, Page 39 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE Licensees should complete a cyber security program review at least every 24 months. In addition, licensees should:

  • Initiate the biennial review within 12 months after initial implementation of the cyber security program;
  • Review, as part of cyber security configuration management, specific changes made to the operating environment that could have an adverse impact on security; and
  • Review assessments, or other performance indicators using individuals independent of those personnel responsible for cyber security program management or implementation.

The results of the biennial review may trigger the following actions on the part of the licensee:

whichever is applicable to the specific FCF, a change to the cyber security plan that would result in a decrease in the effectiveness must be submitted to the NRC for review and approval prior to implementation of the change.

Proposed changes that would result in a decrease in the effectiveness of the approved emergency plan may not be implemented without prior application to and prior approval by the Commission, in accordance with NRC license conditions or 10 CFR 73.32(i).

  • Changes to implementing procedures for VDA. Any changes to the implementing procedures for a VDA may trigger a review and reassessment of the controls addressed. Should an assessment be required, the program sponsor or cyber security program manager should re-approve the VDA for operation.

11 Event Reporting and Tracking The reporting requirements located in 10 CFR 73.53(h) have two distinct concepts. First, licensees are required to inform the NRC upon discovery that an event requiring notification under existing regulations is the result of a cyber attack. This would not necessarily require licensees to initiate a separate report to the NRC; rather, licensees could add cyber security information to reports required in compliance with other regulations, if applicable. However, a second (or updated) report would be required if the licensee discovers later (i.e., after the initial reporting) that the reported event was the result of a cyber attack. Secondly, 10 CFR 73.53(h) requires that the following events need to be recorded within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of discovery and tracked to resolution:

  • A failure, compromise, degradation, or discovered vulnerability in a cyber security control implemented through 10 CFR 73.53(d)(5); or DG-5062, Page 40 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

Although these events need to be recorded and tracked to resolution, the documentation is maintained by the licensee on site. No report need be submitted to the NRC, although the documentation must be available for routine inspection. The types of events that must be documented include: (1) a system, component, or cyber security control has been compromised to the degree that it is rendered ineffective for the intended purpose (e.g., cessation of proper functioning); (2) a defect in equipment, personnel, or procedure that degrades the function or performance of the cyber security program necessary to meet the requirements of 10 CFR 73.53; or (3) a feature or attribute in a systems design, implementation, operation, or management that could render a VDA open to exploitation.

11.1 Voluntary Notifications Licensees are permitted and encouraged to voluntarily report any cyber-related event or condition that does not meet the criteria for required reporting, if the licensee believes that the event or condition might be of safety or security significance or of generic interest or concern. Assurance of safe operation of all plants depends on accurate and complete reporting by each licensee of events that have potential safety/security significance. For example, a cyber-related event or condition identified and mitigated outside the plant network with no impact on safety/security functions may be indicative of a recently identified or known cyber threat. Such activities should be voluntarily reported during NRC inspection to support Federal situational awareness activities.

12 Recordkeeping In accordance with 10 CFR 73.53(i), the licensee must retain all records and supporting technical documentation required to satisfy the requirements of this regulation until the Commission terminates the license for which the records were developed. Furthermore, the licensee must maintain superseded portions of these records for at least 3 years after the record is superseded, unless otherwise specified by the Commission.

An acceptable method for complying with this requirement is for the licensee to maintain records or supporting technical documentation so that inspectors, auditors, or assessors will have the ability to evaluate incidents, events, and other activities that are related to any of the cyber security elements described, referenced, and contained within the licensees NRC approved cyber security plan. Records required for retention include, but are not limited to, digital records, log files, audit files, and non-digital records that capture, record, and analyze network and VDA events. Licensees should retain these records to document access history and discover the source of cyber attacks or other security-related incidents affecting VDAs.

DG-5062, Page 41 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE D. IMPLEMENTATION The purpose of this chapter is to provide information on how licensees2 may use this guide and information regarding the NRCs plans for using this RG. In addition, it describes how the NRC staff complies with 10 CFR 70.76, Backfitting.

Use by Licensees Licensees may voluntarily3 use the guidance in this document to demonstrate compliance with the underlying NRC regulations. Methods or solutions that differ from those described in this RG may be deemed acceptable if they provide sufficient basis and information for the NRC staff to verify that the proposed alternative demonstrates compliance with the appropriate NRC regulations. Current licensees may continue to use guidance the NRC found acceptable for complying with the identified regulations as long as their current licensing basis remains unchanged.

Licensees may use the information in this RG for actions which do not require NRC review and approval such as changes to a facility design under 10 CFR 70.72, Facility changes and change process.

Licensees may use the information in this RG or applicable parts to resolve regulatory or inspection issues.

Use by the NRC Staff The NRC staff does not intend or approve any imposition or backfitting of the guidance in this RG. The NRC staff does not expect any existing licensee to use or commit to using the guidance in this RG, unless the licensee makes a change to its licensing basis. The NRC staff does not expect or plan to request licensees to voluntarily adopt this RG to resolve a generic regulatory issue. The NRC staff does not expect or plan to initiate NRC regulatory action which would require the use of this RG. Examples of such unplanned NRC regulatory actions include issuance of an order requiring the use of the RG, requests for information under 10 CFR 70.22(d) as to whether a licensee intends to commit to use of this RG, generic communication, or promulgation of a rule requiring the use of this RG without further backfit consideration.

During regulatory discussions on plant specific operational issues, the staff may discuss with licensees various actions consistent with staff positions in this RG, as one acceptable means of meeting the underlying NRC regulatory requirement. Such discussions would not ordinarily be considered backfitting even if prior versions of this RG are part of the licensing basis of the facility. However, unless this RG is part of the licensing basis for a facility, the staff may not represent to the licensee that the licensees failure to comply with the positions in this RG constitutes a violation.

If an existing licensee voluntarily seeks a license amendment or change and (1) the NRC staffs consideration of the request involves a regulatory issue directly relevant to this new or revised RG and (2) the specific subject matter of this RG is an essential consideration in the staffs determination of the acceptability of the licensees request, then the staff may request that the licensee either follow the guidance in this RG or provide an equivalent alternative process that demonstrates compliance with the 2 In this section, licensees refers to applicants for and holders of FCF licenses through 10 CFR Section 40.31 or 70.22.

3 In this section, voluntary and voluntarily means that the licensee is seeking the action of its own accord, without the force of a legally binding requirement or an NRC representation of further licensing or enforcement action.

DG-5062, Page 42 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE underlying NRC regulatory requirements. This is not considered backfitting as defined in 10 CFR 70.76(a)(1).

If a licensee believes that the NRC is either using this RG or requesting or requiring the licensee to implement the methods or processes in this RG in a manner inconsistent with the discussion in this Implementation chapter, then the licensee may file a backfit appeal with the NRC in accordance with the guidance in NUREG-1409, Backfitting Guidelines, (Ref. XX) and the NRC Management Directive 8.4, Management of Facility-Specific Backfitting and Information Collection (Ref. XX).

DG-5062, Page 43 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE GLOSSARY THIS CHAPTER IS UNDER DEVELOPMENT AND IS ONLY PRESENTED AS A SAMPLE FOR FORMATTING. THE EXAMPLE TERMINOLOGY DOES NOT ALIGN WITH THIS REGULATORY GUIDE.

assessment A planned and documented activity performed to determine whether various elements within a quality management system are effective in achieving stated quality objectives.

audit A planned and documented activity performed to determine by investigation, examination, or evaluation of objective evidence the adequacy of, and CONFORMANCE with, established procedures, instructions, drawings, and other applicable documents as well as the effectiveness of implementation. An audit should not be confused with surveillance or inspection activities performed for the sole purpose of process control or product acceptance.

background level A term that usually refers to the presence of radioactivity or radiation in the environment. From an analytical perspective, the presence of background radioactivity in samples needs to be considered when clarifying the radioanalytical aspects of the decision or study question. Many radionuclides are present in measurable quantities in the environment.

bias (of a A persistent deviation of the mean measured result from the true or accepted measurement reference value of the quantity being measured, which does not vary if a process) measurement is repeated.

calibration The set of operations that establish, under specified conditions, the relationship between values indicated by a measuring instrument or measuring system, or values represented by a material measure, and the corresponding known value of a parameter of interest.

DG-5062, Page 44 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE REFERENCES4 THIS CHAPTER IS UNDER DEVELOPMENT AND IS ONLY PRESENTED AS A SAMPLE FOR FORMATTING. THE EXAMPLE REFERENCES CITED DO NOT ALIGN WITH THIS REGULATORY GUIDE.

[Numbers cross-reference with in-text citations, such as (Ref. 12). The following sample list illustrates proper reference format. The footnotes provided should be used as appropriate, given the actual references cited in a particular draft RG. All referenced documents must be publicly available and ADAMS Accession numbers should be included for non-standard documents (do not include RGs ADAMS number). Please note that this list does not actually match the items cited in the sample guide.

Also, NOT EVERY REFERENCE NEEDS A FOOTNOTE (footnotes boilerplates can be found in RGDB SharePoint site: Addresses for Regulatory Guide References.docx )]

1. Executive Order 13526, Classified National Security Information, dated December 29, 2009 published January 5, 2010. (75 FR 707)
2. Administrative Procedure Act, § 6, 5 U.S.C § 555 (1982) 22 U.S.C. § 2567 (Supp. 1, 1983).
3. IAEA Nuclear Security Series No.: 13, Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities (INFCIRC/225/Revision 5) Vienna, Austria, 2011.5
4. U.S. Nuclear Regulatory Commission (NRC), NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, Chapter 7, Instrumentation and Controls, Washington, DC. [unless a specific revision of SRP due to reasons such as the SRP endorsed other standards, no dates and revision number is added]
5. NRC, Branch Technical Position (BTP) Plant System Branch (SPLB) 9.5-1, Guidelines for Fire Protection for Nuclear Power Plants, Revision 4, Washington, DC, October 2003. (Available as an attachment to Ref. 2.)
6. NRC, Fire Protection Rule Federal Register, Vol. 45, No. 225: pp. 76602, (45 FR 76602),

Washington, DC, November 19, 1980.

4 Publicly available NRC published documents are available electronically through the NRC Library on the NRCs public Web site at: http://www.nrc.gov/reading-rm/doc-collections/ and through the NRCs Agencywide Documents Access and Management System (ADAMS) at: http://www.nrc.gov/reading-rm/adams.html The documents can also be viewed online or printed for a fee in the NRCs Public Document Room (PDR) at 11555 Rockville Pike, Rockville, MD. For problems with ADAMS, contact the PDR staff at: 301-415-4737 or (800) 397-4209; fax (301) 415-3548; or e-mail pdr.resource@nrc.gov.

5 Copies of International Atomic Energy Agency (IAEA) documents may be obtained through their Web site:

WWW.IAEA.Org/ or by writing the International Atomic Energy Agency, P.O. Box 100 Wagramer Strasse 5, A-1400 Vienna, Austria.

DG-5062, Page 45 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

7. National Fire Protection Association (NFPA), Standard 801, Standard for Fire Protection for Facilities Handling Radioactive Materials, Quincy, MA.6
8. NRC, Regulatory Guide (RG) 1.205, Risk-Informed, Performance-Based Fire Protection for Existing Light Water Nuclear Power Plants, Washington, DC.
9. U.S. Nuclear Regulatory Commission, Tornado Climatology of the Contiguous United States, NUREG/CR-4461, Rev. 2, Washington, DC, February 2007. (ADAMS No.: MLXXXXXXX)
10. NRC, Generic Letter (GL) 77-02, Nuclear Plant Fire Protection Functional Responsibilities, Administrative Controls and Quality Assurance, Washington, DC, August 29, 1977. (ADAMS No.: MLXXXXXXX)
11. NRC, SECY-98-0058, Development of a Risk-Informed, Performance-Based Regulation for Fire Protection at Nuclear Power Plants, Washington, DC, March 26, 1998. (ADAMS No.:

MLXXXXXXX)

12. NRC, Information Notice (IN) 99-17, Problems Associated with Post-Fire Safe-Shutdown Circuit Analyses, Washington, DC, June 3, 1999.
13. NRC, Enforcement Guidance Memorandum (EGM) 98-02, Enforcement Guidance MemorandumDisposition of Violations of Appendix R, Sections III.G and III.L Regarding Circuit Failures, February 2, 2000, Washington, DC. (ADAMS Accession No.:

MLXXXXXXX)

14. Electric Power Research Institute, (EPRI) Nuclear Energy Institute (NEI) EPRI/NEI Report No.:

1006961, Spurious Actuation of Electrical Circuits Due to Cable Fires: Results of an Expert Elicitation, Palo Alto, CA, May 2002.7

15. NRC, Regulatory Issue Summary (RIS) 2006-10, Regulatory Expectations with Appendix R Section III.G.2 Operator Manual Actions, Washington, DC, June 30, 2006.
16. NRC, Inspection Manual, (IM) STS-10, NRC Inspection Manual, Part 9900, Technical Guidance, Standard Technical Specification, Section 1.0, Operability, Washington, DC, p. 31, 1986. (Available at: http://www.nrc.gov/reading-rm/doc-collections/

insp-manual/technical-guidance/tgsts10.pdf.)

6 The National Fire Protection Association (NFPA) makes important safety codes and standards available for free online and documents are available at: http://www.nfpa.org/codes-and-standards/document-information-pages. They may also be purchased by calling NFPA Customer Sales 800.344.3555 or writing NFPA 1 Batterymarch Park, Quincy, MA 02169-7471.

7 Copies of Electric Power Research Institute (EPRI) standards and reports may be purchased from EPRI, 3420 Hillview Ave., Palo Alto, CA 94304; telephone (800) 313-3774; fax (925) 609-1310.

DG-5062, Page 46 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

17. American Society of Mechanical Engineers (ASME) Standard B31.1, Power Piping, New York, NY, February 29, 2000.8
18. American Nuclear Society, Selection and Training of Nuclear Power Plan Personnel, ANSI/ANS 3.1-1978, LaGrange Park, IL.9
19. Underwriters Laboratories (UL), UL Building Materials Directory, Inc., Northbrook, Illinois.

(See http://www.comm-2000.com/.)

20. Factory Mutual Approval Guide, Factory Mutual Research Approval GuideEquipment, Materials, Services for Conservation of Property, Factory Mutual Research Corp., Johnston, Rhode Island, September 2000.10
21. American Society for Testing and Materials, (ASTM), E-84, Standard Test Method for Surface Burning Characteristics of Building Materials, Annual Book of ASTM Standards, West Conshohocken, PA, February 29, 2000.11
22. UL Subject 1724, Appendix B, Qualification Test for Circuit Integrity of Insulated Electrical Wires and Cables in Electrical Circuit Protection Systems (Paragraph B3.16), to Outline of Investigation for Fire Tests for Electrical Circuit Protective Systems, Issue No.: 2, August 1991.

(See http://www.comm-2000.com/.)

23. U.S. Government Accountability Office 05-339, NRC Needs To Do More To Ensure That Power Plants Are Effectively Controlling Spent Nuclear Fuel.12 8 Copies of American Society of Mechanical Engineers (ASME) standards may be purchased from ASME, Two Park Avenue, New York, New York 10016-5990; telephone (800) 843-2763. Purchase information is available through the ASME Web-based store at:

http://www.asme.org/Codes/Publications/.

9 Copies of American Nuclear Society (ANS) standards may be purchased from the ANS Web site (http://www.new.ans.org/store/); or by writing to: American Nuclear Society, 555 North Kensington Avenue, La Grange Park, Illinois 60526, U.S.A., Telephone 800-323-3044.

10 Copies are available from Factory Mutual Research Corporation, 1301 Atwood Avenue, P.O. Box 7500, Johnston, Rhode Island 02919; telephone (401) 275-3000 and fax (401) 275-3029.

Purchase information is available through the Web-based FM Global Resource Catalog at:

http://www.fmglobalcatalog.com/ProductInfo.aspx?productid=P7825CD .

11 Copies of American Society for Testing and Materials (ASTM) standards may be purchased from ASTM, 100 Barr Harbor Drive, P.O. Box C700, West Conshohocken, Pennsylvania 19428-2959; telephone (610) 832-9585. Purchase information is available through the ASTM Web site at: http://www.astm.org.

12 Copies of this report are available electronically through the U.S. Government Printing Office web site at:

http://www.gpo.gov/fdsys.

DG-5062, Page 47 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE BIBLIOGRAPHY THIS CHAPTER IS UNDER DEVELOPMENT AND IS ONLY PRESENTED AS A SAMPLE FOR FORMATTING.

[The following sample list illustrates the proper bibliographic format. Note that the entries do not include numbers; instead, they are grouped by category and then by document type. Please note that a bibliography is optional, and should be used only if needed.]

U.S. Nuclear Regulatory Commission Documents (Bold 12-pt Times New Roman)

NUREG-Series Reports (Bold, Underlined, 11-pt Times New Roman)

NUREG-0654, Criteria for Preparation and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of Nuclear Power Plants, Rev. 1, November 1980.

Generic Letters GL 82-21, Technical Specifications for Fire Protection Audits, October 6, 1982.

Information Notices IN 83-41, Actuation of Fire Suppression System Causing Inoperability of Safety-Related Equipment, June 22, 1983.

Regulatory Issue Summaries RIS 2004-03, Risk-Informed Approach for Post-Fire Safe-Shutdown Circuit Inspection, Revision 1, December 29, 2004.

Letters and Memoranda Stello Letter to Bixel, Victor Stello, Jr., Letter to David Bixel, Consumers Power Company,

Subject:

Manpower Requirements for Operating Reactors, Docket No. 50-255, June 8, 1978.

(ADAMS Accession No. ML031280307)

Miscellaneous NRC Documents AL 95-06, Relocation of Technical Specification Administrative Controls Related to Quality Assurance, Administrative Letter 95-06, Dennis M. Crutchfield, December 12, 1995. (Available at:

http://www.nrc.gov/reading-rm/doc-collections/gen-comm/admin-letters/1995/al95006.html.)

Inspection Manual Chapter 0609, Appendix F, Fire Protection Significance Determination Process, February 28, 2005. (Available at: http://www.nrc.gov/reading-rm/doc-collections/insp-manual/

manual-chapter/mc0609f.pdf.)

National Fire Protection Association Codes and Standards [Comment: 1st level heading within the bibliography]

NFPA 78, Lightning Protection Code.

DG-5062, Page 48 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE CYBER SECURITY PLAN TEMPLATE A-1 Purpose The purpose of this cyber security plan is to describe how the requirements of Title 10 of the Code of Federal Regulations (10 CFR) 73.53, Cyber Security for Fuel Cycle Facilities are implemented by [licensee/applicant] to establish and maintain a cyber security program. The intent of this cyber security plan is to support the sites safety and security programs in a continuing effort to protect the public health and safety and promote the common defense and security of the United States.

[Licensee/Applicant] acknowledges that the implementation of this cyber security plan does not alleviate its responsibility to comply with other U.S. Nuclear Regualtory Commission (NRC) regulations. This cyber security plan establishes the licensing basis for [licensee/applicant]s cyber security program. This cyber security plan shall be fully implemented within 12 months of approval by the NRC.

A-2 Cyber Security Program Performance Objectives As required by 10 CFR 73.53(b), [licensee/applicant] shall establish, implement, and maintain a cyber security program that shall detect, protect against, and respond to a cyber attack capable of causing a consequence of concern.

To meet the performance objective to detect cyber attacks, [licensee/applicant]s cyber security program shall be designed to detect cyber attacks directed towards vital digital assets and provide defense-in-depth through confirmation that cyber security controls are: (1) implemented correctly; (2) operating as intended; and (3) producing the desired outcome with respect to meeting the cyber security requirements of 10 CFR 73.53. The detection process includes multiple data collection points, indepth analysis mechanisms, and appropriate threat intelligence. Detection techniques shall be utilized that differentiate between normal and abnormal electronic activity associated with a consequence of concern.

Unusual activity or communication is identified and analyzed for impact in a timely manner. External cyber security detection data and intelligence information is reviewed on a quarterly basis for trends that could be used to improve the detection process. If a cyber attack is identified, its characteristics (e.g.

source, attack type, threat vector) are analyzed and compared to the [licensee/applicant] knowledgebase of previous events. The detection process is reviewed, as part of the biennial review, to confirm its function.

To meet the performance objective to protect against cyber attacks, [licensee/applicant]s cyber security program shall be designed to protect against cyber attacks directed towards vital digital assets by applying, monitoring, and maintaining cyber security controls on vital digital assets. In addition,

[licensee/applicant] shall develop compensatory measures to in the event cyber security controls fail, become degraded, or are not operating as intended. [Licensee/Applicant]s cyber security program shall also protect vital digital asset support systems, which if compromised by a cyber attack, could lead to a consequence of concern.

To meet the performance objective to respond to a cyber attack, [licensee/applicant]s cyber security program shall be capable of responding to cyber attacks directed towards vital digital assets. The

[insert name of incident response or emergency plan] of [licensee/applicant]: considers a cyber attack capable of causing a consequence of concern; provides a roadmap for implementing the cyber security incident response capability; references the specific steps and actions taken to respond to a cyber attack; describes the structure and organization of the cyber security incident response capability; and defines the DG-5062, Page A-1 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE resources and management support committed to effectively maintain this capability. The cyber security incident response portion of the [insert name of incident response or emergency plan] is reviewed and approved by the Cyber Security Team (CST) at least every 12 months, with updated copies distributed to all personnel with an incident response role and other appropriate personnel. [Licensee/Applicant] shall create, train, and maintain a Cyber Security Incident Response team (CSIRT) that promptly responds to cyber attacks directed towards vital digital assets and implement a mitigation strategy designed to isolate the attack and prevent or mitigate the consequence of concern. The CSIRT has experience in digital forensics, malicious code analysis, tool development, and facility engineering. The CSIRT is trained at least every 12 months on appropriate incident response measures for vital digital assets.

[Licensee/Applicant] shall provide reasonable assurance that the consequences of concern as described in 10 CFR 73.53(c)(2)-(4) are adequately protected against cyber attacks.

((Category I Licensee/Applicant] shall provide high assurance that the design basis threat consequences of concern, as described in 10 CFR 73.53(c)(1), are adequately protected against cyber attacks.]

A-3 Consequences of Concern As required by 10 CFR 73.53(c), [licensee/applicant]s cyber security program shall be designed to protect against the following types of consequences of concern.

A cyber attack that directly results in:

  • A radiological exposure of:

o 25 rem or greater for any individual; o 30 mg or greater intake of uranium in soluble form for any individual outside the controlled area;

  • An acute chemical exposure that could lead to irreversible or other serious, long lasting health effects for any individual.

The compromise, as a result of a cyber attack, of a function needed to prevent, mitigate, or respond to one or more of the following:

  • A radiological exposure of:

o 25 rem or greater for any individual; o 30 mg or greater intake of uranium in soluble form for any individual outside the controlled area;

  • An acute chemical exposure that could lead to irreversible or other serious, long lasting health effects for any individual;
  • Loss or unauthorized disclosure of classified information or classified matter.

[As required by 10 CFR 73.53(c), the cyber security program of [Category II licensee/applicant]

shall be designed to protect against the following types of consequences of concern.

The compromise, as a result of a cyber attack at a licensee authorized to possess or use special nuclear material of moderate strategic significance, of a function needed to prevent, mitigate, or respond to one or more of the following:

DG-5062, Page A-2 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

[As required by 10 CFR 73.53(c), the cyber security program of [Category I licensee/applicant]

shall be designed to protect against the following types of consequences of concern.

The compromise, as a result of a cyber attack at a licensee authorized to possess or use a formula quantity of strategic special nuclear material, of a function needed to prevent, mitigate, or respond to one or more of the following:

A-4 Cyber Security Program To meet the cyber security program performance objectives of 10 CFR 73.53(b),

[licensee/applicant]s cyber security program shall:

  • Establish and maintain a CST as required by 10 CFR 73.53(d)(1) that is adequately structured, staffed, trained, qualified, equipped and supported by management to implement an effective cyber security program. The CST shall consist of individuals that include management, cyber security experts, and technical experts that are knowledgeable of the sites safety, security and safeguards functions. The CST of [licensee/applicant] shall be responsible for:

o Conducting an analysis to identify digital assets associated with a consequence of concern and evaluating them to determine which digital assets are vital.

o Establishing, implementing, monitoring and maintaining cyber security controls on vital digital assets and associated support systems to prevent a cyber attack from causing an active consequence of concern or compromising the function needed to prevent, mitigate or respond to a latent consequence of concern.

o Developing cyber security awareness training and periodically evaluating its effectiveness.

o Performing periodic evaluations (e.g., scanning) of vital digital assets and associated support systems for vulnerabilities.

o Evaluating new digital assets and modifications affecting existing digital assets to determine whether they are or become associated with a consequence of concern.

o Maintaining awareness of the latest known cyber security threats, vulnerabilities, and exploits.

o Performing incident response activities in the event of a cyber attack directed towards a vital digital asset or associated support systems.

  • Establish and maintain cyber security controls as required by 10 CFR 73.53(d)(2) that provide the capability to prevent a cyber attack from causing a consequence of concern (specific to each applicable type of consequence of concern).

DG-5062, Page A-3 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

[Licensee/Applicant] shall establish and maintain cyber security controls and provide a list of cyber security controls specific to each applicable type of consequence of concern in Appendix

[insert appropriate values] to this plan.

[Licensee/Applicant] commits to the cyber security controls from Regulatory Guide 5.XX, Cyber Security for Fuel Cycle Facilities, including:

o Appendix B, Cyber Security Controls for Vital Digital Assets Associated with all Consequences of Concern; o Appendix E, Additional Cyber Security Controls for Vital Digital Assets Associated with Active Consequences of Concern - Safety; and o Appendix F, Additional Cyber Security Controls for Vital Digital Assets Associated with Latent Consequences of Concern - Safety & Security.

((Category II licensee/applicant] commits to the following additional cyber security controls from Regulatory Guide 5.XX, Cyber Security for Fuel Cycle Facilities:

o Appendix D, Additional Cyber Security Controls for Vital Digital Assets Associated with Latent Consequences of Concern - Safeguards (Category II Facilities Only).]

((Category I Licensee/Applicant] commits to the following additional cyber security controls from Regulatory Guide 5.XX, Cyber Security for Fuel Cycle Facilities:

o Appendix C, Additional Cyber Security Controls for Vital Digital Assets Associated with Latent Consequences of Concern - Design Basis Threat (Category I Facilities Only).]

[If [licensee/applicant] establishes and maintains cyber security controls from an alternate standard, provide the standard used [name of standard] (e.g., International Organization of Standardization and the International Electrotechnical Commission (ISO/IEC) 27001:27013) and a list of cyber security controls specific to each applicable type of consequence of concern with the cyber security plan [reference cyber security controls document].]

  • In accordance with 10 CFR 73.53(d)(3), [licensee/applicant] will conduct analyses to identify and document digital assets that if compromised by a cyber attack, would result in a consequence of concern. Documentation of the analyses includes but is not limited to the following:

o Name of each digital asset analyzed; o Functional area (e.g., safety);

o Brief description of each digital assets function (e.g., monitors moisture content of a process and provides alarm if a certain threshold is reached);

o Physical location of each digital asset analyzed (e.g., building 200, process area 900) as well logical location, if applicable (e.g., identified on a network or process drawing); and o consequence of concern(s) that may be associated with each digital asset (e.g., radiological exposure > 25 rem for an individual);

  • In accordance with 10 CFR 73.53(d)(4), [licensee/applicant] will conduct analyses to identify and document each digital asset associated with a consequence of concern within 4 months of approval, by the NRC, of this cyber security plan and determined: (1) vital digital assets, and (2) digital assets with an acceptable alternate means, protected from cyber attack (e.g., non-digital) that prevents an active consequence of concern or maintains the function needed to prevent, mitigate or respond to a latent consequence of concern. Documentation of the determination includes but is not limited to the following (can be added to existing documentation from 10 CFR 73.53(d)(3):

DG-5062, Page A-4 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE o Determination of each vital digital asset; o Determination of each digital asset with an acceptable alternate means; and Identification of the alternate means that prevents the consequence of concern; Location of the alternate means; Description of how the alternate means prevents the consequence of concern (e.g., always available and operates passively). Analysis should reveal that the alternate means is available within the timeframe required to prevent the consequence of concern and how compromise of the digital asset will be detected, if required, in order to initiate or deploy the alternate means; Reason the alternate means is protected from cyber attack (e.g., non-digital).

o Support systems associated with each vital digital asset (e.g., process area assigned laptop for periodic calibrations).

  • In accordance with 10 CFR 73.53(d)(5), [licensee/applicant] will ensure that each vital digital asset and associated support systems are protected against a cyber attack by applying and maintaining the applicable cyber security controls and establishing and maintaining written implementing procedures documenting the countermeasures to a cyber attack taken to address the cyber security controls. For each vital digital asset, [licensee/applicant] will address the cyber security controls established for the applicable type of consequence of concern.

Cyber security controls are addressed for the vital digital asset by either implementing the cyber security control as written, implementing an equivalent to the cyber security control, or demonstrate the cyber security control is not necessary because the problem the control addresses does not exist, with no controls applied (i.e., is not applicable).

  • [Licensee/Applicant] will address and maintain documentation within implementing procedures, the traceability of each cyber security control for each vital digital asset and associated support systems. For each cyber security control that is not applied, documentation reveals an analysis that indicates why the cyber security control was not applied (e.g., no attack path exists) or provides an equivalent compensatory control that was analyzed, selected and applied.
  • As required by 10 CFR 73.53(d)(6) when the countermeasures to a cyber attack taken to address the cyber security controls are degraded, provide compensatory measures to meet the cyber security program performance objectives. [Licensee/Applicant] maintains a process within their cyber security program that identifies when a countermeasures to a cyber attack taken to address the cyber security control becomes degraded (i.e., not operating as intended) and implements interim compensatory measures for the degraded countermeasure to maintain the cyber security program performance objectives. [Licensee/Applicant] maintains interim compensatory measures for degraded cyber security controls until they are corrected, tested and operating as intended. [Licensee/Applicant] monitors, tracks and documents the implementation, progress and completion of interim compensatory measures for degraded countermeasures. In addition,

[licensee/applicant] shall include the cyber security program in their [enter name of site-specific Corrective Actions Program] to identify and correct cyber security program deficiencies and develop and implement cyber security program improvements.

A-5 Cyber Security Plan As required by 10 CFR 73.53(e), [licensee/Applicant] will establish, implement, and maintain this cyber security plan to account for site-specific conditions and describes how the cyber security program performance objectives will be met. This cyber security plan establishes the licensing basis for the

[Licensee/Applicant] cyber security program. [Licensee/Applicant] acknowledges the implementation of DG-5062, Page A-5 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE this cyber security plan does not alleviate the responsibility of [licensee/applicant] to comply with other NRC regulations. Cyber security plan changes and amendments shall be submitted in accordance with 10 CFR 40.32(h) or 70.32(f) as applicable.

o Management and performance of the cyber security program; and As required by 10 CFR 73.53(e)(2)(i), [licensee/applicant] develops and maintains cyber security policies and implementing procedures establishing the cyber security program.

The cyber security policies and implementing procedures will address the cyber security program performance objectives and maintain the cyber security program. The development and implementation of the cyber security policies and implementing procedures as part of the cyber security program shall be supported by management and shall include a process for monitoring, reviewing, auditing and revising based on the verification of the effectiveness and adequateness of the cyber security program.

o Incident response to a cyber attack affecting vital digital assets.

As required by 10 CFR 73.53(e)(2)(ii), [licensee/applicant] develops and maintains implementing procedures on incident response capabilities and strategies for responding to cyber attacks directed at vital digital assets and associated support systems. The incident response implementing procedures will describe the CSIRT, their designated duties and responsibilities, training and qualifications, response and containment strategies for different types of cyber attacks and mitigation strategies for applicable consequences of concern. The cyber security incident response capabilities is tested in conjunction with other security response or emergency preparedness drills. An exercise to simulate a cyber security event and allow for incident response testing and training is conducted at least once during each biennial review cycle.

  • As required by 10 CFR 73.53(3) policies, implementing procedures, site-specific analysis, and other supporting technical information used by the licensee to support the development and implementation of the cyber security plan need not be submitted for Commission review and approval as part of the cyber security plan but are subject to inspection by the NRC staff.

A-6 Configuration Management As required by 10 CFR 73.53(f), [licensee/applicant] shall ensure that any additions, changes, or modifications to existing digital assets or vital digital assets are evaluated prior to implementation and do not adversely impact the licensees ability to meet the cyber security program performance objectives.

[Licensee/Applicant] shall include the cyber security program as part of the site-wide configuration management process [or provide name of similar site-specific process]. [Licensee/Applicant] develops and maintains implementing procedures that include cyber security as part of the side-wide configuration management process. Implementing procedures will address the review process for changes within the safety, security, and safeguards programs as well as how changes within the cyber security program are approved, tested, and implemented.

DG-5062, Page A-6 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE A-7 Biennial Review of the Cyber Security Program As required by 10 CFR 73.53(g), [licensee/applicant] shall perform a review of the cyber security program at least every 24 months. This review will document, track, and address in a timely manner findings, deficiencies, and recommendations that result from:

  • Verification of the effectiveness and adequateness of the cyber security program;
  • Evaluations of digital assets and vital digital assets and their applicable cyber security controls, alternate means of protection, and defensive architecture.

[Licensee/Applicant] shall use [enter name of site-specific corrective action program] to document, track and address findings, deficiencies and recommendations for reviews of the cyber security program.

A-8 Event Reporting and Tracking As required by 10 CFR 73.53(h), [licensee/applicant] shall inform the NRC upon discovery that an event requiring notification under existing regulations is the result of a cyber attack. In addition, the following shall be recorded within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of discovery and tracked to resolution:

  • A failure, compromise, degradation, or discovered vulnerability in a cyber security control protecting a vital digital asset;

[Licensee/Applicant] shall use a safeguards log or [provide name of similar site-specific log] to enter 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> cyber security events. The safeguards log or licensees [enter name of site-specific Corrective Actions Program] can be used to track and resolve cyber security deficiencies and events based on licensees classification of the event or site-specific policies.

A-9 Records As required by 10 CFR 73.53(i), [licensee/applicant] shall retain supporting technical documentation demonstrating compliance with the requirements of this section as a record.

[Licensee/Applicant] shall maintain and make available for inspection all records, reports, and documents required to be kept by Commission regulations, orders, or license conditions until the Commission terminates the license. [Licensee/Applicant] shall maintain superseded portions of these records, reports, and documents for at least 3 years after they are superseded, unless otherwise specified by the Commission.

DG-5062, Page A-7 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE CYBER SECURITY CONTROLS FOR VITAL DIGITAL ASSETS ASSOCIATED WITH ANY CONSEQUENCE OF CONCERN B-1 DETECTION (informed by National Institute for Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cyber Security)

[Licensee/Applicant]:

  • Monitors the effectiveness of the countermeasures used to protect those assets from a cyber attack; and

o Monitor networks associated with a vital digital asset (VDA);

o Monitor the physical environment in conjunction with the physical security program; o Monitor activity within VDAs; o Monitor external service provider or contractor activity; o Scan for malicious or unauthorized code; o Perform vulnerability scans on the VDAs; and o Update vulnerability information regarding VDAs at least every 7 days.

B-2 POLICIES AND PROCEDURES (informed by NIST Special Publication (SP) 800-53 Rev. 4)

[Licensee/Applicant] develops, documents, and disseminates to all personnel, including contractors, the following policies and procedures:

  • Access Control;
  • Security awareness and training;
  • Audit and accountability;
  • System and Information integrity;
  • Identification and authentication;
  • System maintenance;
  • Media protection;
  • System and services acquisition; and
  • System and communications protection.

These policies and procedures shall:

  • Address the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
  • Facilitate the implementation of the policy and associated security controls; and
  • Are reviewed and updated at least every 24 months, when changes occur in VDAs, the environment that may adversely impact the cyber security program, or the licensees ability to prevent a consequence of concern.

DG-5062, Page B-1 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE B-3 SEPARATION OF DUTIES (informed by NIST SP 800-53 Rev. 4, AC-5)

[Licensee/Applicant]:

  • Separates the duties of VDA management, programming, configuration management, quality assurance and testing, and network security for VDAs;
  • Documents the separation of duties of individuals; and
  • Defines access authorizations to support separation of duties.

B-4 LEAST PRIVILEGE (informed by NIST SP 800-53 Rev. 4, AC-6)

[Licensee/Applicant] employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks when it is not technically feasible to perform the function with a non-privileged account.

B-5 AUTHORIZE ACCESS TO SECURITY FUNCTIONS (informed by NIST SP 800-53 Rev. 4, AC-6 (1))

[Licensee/Applicant] explicitly authorizes access to VDAs, and security functions credited with protected VDAs (deployed in hardware, software, and firmware) and security-relevant information.

B-6 NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS (informed by NIST SP 800-53 Rev. 4, AC-6 (2))

[Licensee/Applicant] requires that users of accounts or roles with access to VDAs, security functions credited with protecting a VDA, or security-relevant information use non-privileged accounts or roles when accessing nonsecurity functions.

B-7 NETWORK ACCESS TO PRIVILEGED COMMANDS (informed by NIST SP 800-53 Rev. 4, AC-6 (3))

[Licensee/Applicant] authorizes network access to privileged commands only for compelling operational needs and documents the rationale for such access.

B-8 PRIVILEGED ACCOUNTS (informed by NIST SP 800-53 Rev. 4, AC-6 (5))

[Licensee/Applicant] restricts privileged accounts on the VDA to personnel or roles that, due to the design of the VDA, must have this access and implements adequate protection to ensure this access is monitored and unauthorized access is prohibited.

B-9 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION (informed by NIST SP 800-53 Rev. 4, AC-14)

[Licensee/Applicant] identifies and documents user actions that can be performed on the VDA without identification or authentication, and documents supporting rationale for user actions not requiring identification or authentication.

DG-5062, Page B-2 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE B-10 PRIVILEGED COMMANDS AND ACCESS (informed by NIST SP 800-53 Rev. 4, AC-17 (4))

[Licensee/Applicant]:

  • Authorizes the execution of privileged commands and access to security-relevant information via remote access only for the necessary, safe operation of the VDA or to prevent a consequence of concern; and
  • Documents the rationale for such access in the security plan for the VDA.

B-11 ACCESS CONTROL FOR MOBILE DEVICES (informed by NIST SP 800-53 Rev. 4, AC-19)

[Licensee/Applicant]:

  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for mobile devices; and
  • Authorizes the connection of mobile devices to organizational VDAs.

B-12 FULL-DEVICE OR CONTAINER-BASED ENCRYPTION (informed by NIST SP 800-53 Rev. 4, AC-19 (5))

[Licensee/Applicant] employs full-device encryption or container encryption to protect the confidentiality and integrity of information on mobile devices used with VDAs.

B-13 PUBLICLY ACCESSIBLE CONTENT (informed by NIST SP 800-53 Rev. 4, AC-22)

[Licensee/Applicant]:

  • Designates individuals authorized to post information onto a publicly accessible VDA;
  • Trains authorized individuals to ensure that publicly accessible information does not contain security sensitive information;
  • Reviews the proposed content of information prior to posting onto the publicly accessible VDA to ensure that nonpublic information is not included; and
  • Reviews the content on the publicly accessible VDA for nonpublic information at least every 30 days and removes such information, if discovered.

B-14 LOG EVENTS (informed by NIST SP 800-53 Rev. 4, AU-2)

[Licensee/Applicant]:

  • Develops and documents a list of auditable records that provide adequate information to prevent a consequence of concern including, at a minimum, the following events: user login or logouts; configuration, software, or firmware changes; audit setting changes; privileged access or commands; and any modifications of the security functions of VDAs;
  • Determines that the VDA is capable of generating auditable records which can be reviewed in a timely manner;
  • Coordinates the security audit function internally with personnel and groups requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; and
  • Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents.

DG-5062, Page B-3 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE B-15 REVIEWS AND UPDATES (informed by NIST SP 800-53 Rev. 4, AU-2 (3))

[Licensee/Applicant] reviews and updates the list of auditable records at least every 12 months or based on current threat intelligence information, detection mechanisms, and configuration management activities, whichever is more frequently.

B-16 AUDIT RECORD RETENTION (informed by NIST SP 800-53 Rev. 4, AU-11)

[Licensee/Applicant] retains audit records until the record is superseded to provide support for after-the-fact investigations of security incidents and to meet U.S. Nuclear Regulatory Commission (NRC) record retention requirements.

B-17 VDA CONNECTIONS (informed by NIST SP 800-53 Rev. 4, CA-3)

[Licensee/Applicant]:

  • Authorizes connections from the VDA to other digital assets;
  • Documents for each interconnection the interface characteristics, security requirements, and the nature of the information communicated; and
  • Reviews and updates the authorizations at least every 12 months.

B-18 CONTINUOUS MONITORING (informed by NIST SP 800-53 Rev. 4, CA-7)

[Licensee/Applicant] develops a continuous monitoring strategy and implements a continuous monitoring program that includes:

  • Establishment and monitoring of sufficient cyber security metrics to provide adequate confirmation that security controls are in place and effective;
  • Establishment, justification, and documentation of the monitoring and assessment frequencies for each metric;
  • Ongoing security control assessments in accordance with the continuous monitoring strategy;
  • Ongoing security status monitoring of cyber security metrics in accordance with the continuous monitoring strategy;
  • Correlation and analysis of security-related information generated by assessments and monitoring;
  • Response actions to address results of the analysis of security-related information; and
  • Documenting the security status of the VDAs and their operating environment by the Cyber Security Team (CST) at least every 30 days.

B-19 BASELINE CONFIGURATION (informed by NIST SP 800-53 Rev. 4, CM-2 & CM-2 (1))

[Licensee/Applicant]:

  • Develops, documents, and maintains under configuration control, a current baseline configuration of the VDA;
  • Reviews the baseline configuration of the VDA when required due to an identified vulnerability, relevant change in threat intelligence, or suspected compromise; and DG-5062, Page B-4 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Updates the baseline configuration of the VDA as an integral part of modifications.

B-20 AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES (informed by NIST SP 800-53 Rev. 4, CM-3 (1))

[Licensee/Applicant] employs automated mechanisms to:

  • Document proposed changes to the VDA;
  • Notify appropriate personnel of proposed changes to the VDA and request change approval;
  • Prohibit changes to the VDA until designated approvals are received;
  • Document all changes to the VDA; and
  • Notify appropriate personnel when approved changes to the VDA are completed.

B-21 ACCESS CONTROL FOR TRANSMISSION MEDIUM (informed by NIST SP 800-53 Rev. 4, PE-4)

[Licensee/Applicant] controls physical access to VDA distribution and transmission lines such that they are adequately protected to prevent a consequence of concern.

B-22 ACCESS CONTROL FOR OUTPUT DEVICES (informed by NIST SP 800-53 Rev. 4, PE-5)

[Licensee/Applicant] controls physical access to VDA output devices to prevent unauthorized individuals from obtaining the output.

B-23 IMPLEMENTING PROCEDURES FOR VDAS (informed by NIST SP 800-53 Rev. 4, PL-2 & PL-2 (3))

[Licensee/Applicant]:

  • Develops implementing procedures for each VDA that:

o Provides the associated consequence of concern for the VDA including supporting rationale; o Describes the operational environment for the VDA and relationships with or connections to other digital assets; o Provides an overview of the security requirements for theVDA; o Describes the cyber security measures in place or planned for meeting cyber security control requirements including a rationale for equivalent measures; and

  • Distributes copies of the implementing procedures and communicates subsequent changes to the procedures only to authorized personnel with a need-to-know;
  • Updates the procedures to address changes to the VDA and environment of operation or problems identified during the performance of implementing procedures or security control assessments;
  • Protects the implementing procedures from unauthorized disclosure and modification; and
  • Plans and coordinates security-related activities affecting the VDA with the CST before conducting such activities in order to reduce the impact on other organizational entities.

B-24 CYBER SECURITY ARCHITECTURE (informed by NIST SP 800-53 Rev. 4, PL-8 & PL-8 (1))

[Licensee/Applicant]:

DG-5062, Page B-5 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE o Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of VDA or related information; o Describes any security assumptions about, and dependencies on, external services; and

  • Reviews and updates the cyber security architecture at least every 24 months to reflect updates; and
  • Ensures that planned cyber security architecture changes are reflected in the implementing procedures, procurements, and acquisitions.

[Licensee/Applicant] designs its security architecture using a defense-in-depth approach that:

  • Employs complementary and redundant cyber security measures that establish multiple layers of protection to safeguard VDAs;
  • Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner; and
  • Ensures the capability to detect, prevent, respond to, and mitigate cyber attacks.

B-25 ACQUISITION PROCESS (informed by NIST SP 800-53 Rev. 4, SA-4)

[Licensee/Applicant] includes explicitly or by reference the following requirements, descriptions, and criteria in the acquisition contract for the VDA, its components, or related services:

  • Security functional requirements;
  • Security strength requirements;
  • Security assurance requirements;
  • Security-related documentation requirements;
  • Requirements for protecting security-related documentation;
  • Description of the VDA development environment and environment in which the VDA is intended to operate; and
  • Acceptance criteria.

B-26 FUNCTIONAL PROPERTIES OF SECURITY CONTROLS (informed by NIST SP 800-53 Rev. 4, SA-4, SA-4 (1), SA-4 (2), & SA-4 (9))

[Licensee/Applicant] requires the developer of the VDA, component, or service to:

  • Provide a description of the functional security properties, design, and implementation information to be employed, with sufficient documentation to support the licensees conclusions that the functional security features will work as intended; and
  • Identify the functions, ports, protocols, and services employed.

B-27 NATIONAL INFORMATION ASSURANCE PARTNERSHIP (NIAP)-APPROVED PROTECTION PROFILES (informed by NIST SP 800-53 Rev. 4, SA-4 (7))

[Licensee/Applicant]:

  • Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a NIAP-approved Protection Profile for a specific technology type, if such a profile exists; and
  • Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is validated by the NIST Cryptographic Module Validation Program.

DG-5062, Page B-6 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE B-28 USE OF APPROVED PIV PRODUCTS (informed by NIST SP 800-53 Rev. 4, SA-4 (10))

[Licensee/Applicant] employs only technology on the Federal Information Processing Standard 201-approved products list for Personal Identity Verification capabilities used to protect VDAs.

B-29 VDA DOCUMENTATION (informed by NIST SP 800-53 Rev. 4, SA-5)

[Licensee/Applicant]:

  • Obtains administrator documentation for the VDA, component, or service that describes:

o Secure configuration, installation, and operation; o Effective use and maintenance of security functions and mechanisms; o Known vulnerabilities regarding configuration and use of administrative and privileged functions; and

  • Obtains user documentation for the VDA, component, or service that describes:

o User-accessible security functions and mechanisms and how to effectively use those security functions and mechanisms; o Methods for user interaction, which enables individuals to use the VDA, component, or service in a more secure manner; o User responsibilities in maintaining the security of the VDA, component, or service; and

  • Documents the attempts to obtain VDA, component, or service documentation when such documentation is either unavailable or nonexistent and take appropriate actions to compensate for the lack of information regarding the security features;
  • Protects documentation from unauthorized access; and
  • Distributes documentation to authorized personnel on a need-to-know basis.

B-30 SECURITY ENGINEERING PRINCIPLES (informed by NIST SP 800-53 Rev. 4, SA-8)

[Licensee/Applicant] applies cyber security engineering principles in the specification, design, development, implementation, and modification of the VDA.

B-31 DEVELOPER-PROVIDED TRAINING (informed by NIST SP 800-53 Rev. 4, SA-16)

[Licensee/Applicant] requires the developer of the VDA, component, or service to provide adequate role-based training on the correct use and operation of the implemented security functions, controls, and mechanisms.

B-32 MOBILE CODE (informed by NIST SP 800-53 Rev. 4, SC-18)

[Licensee/Applicant]:

  • Defines a technical basis for acceptable and unacceptable mobile code and mobile code technologies to prevent a consequence of concern;
  • Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
  • Authorizes, monitors, and controls the use of mobile code within the VDA.

DG-5062, Page B-7 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE B-33 INFORMATION INPUT VALIDATION (informed by NIST SP 800-53 Rev. 4, SI-10)

[Licensee/Applicant]:

  • Ensures the VDA checks the validity of information inputs automatically for accuracy, completeness, validity, and authenticity;
  • Enforces that rules for checking the valid syntax of VDA inputs (e.g., character set, length, numerical range, acceptable values) are documented and in place to verify that inputs match specified definitions for format and content; and
  • Confirms that inputs passed to interpreters are prescreened to prevent the content from being unintentionally interpreted as commands.

B-34 CONFIGURATION MANAGEMENT PLAN (informed by NIST SP 800-53 Rev. 4, CM-1)

[Licensee/Applicant] develops, documents, and implements a configuration management plan for the VDA that:

  • Addresses roles, responsibilities, and configuration management processes and procedures;
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
  • Defines the configuration items for the VDA and places the configuration items under configuration management; and
  • Protects the configuration management plan from unauthorized disclosure and modification.

B-35 SECURITY AWARENESS TRAINING (informed by NIST SP 800-53 Rev. 4, AT-1)

[Licensee/Applicant]:

  • Provides basic security awareness training to VDA users (including managers, senior executives, and contractors):

o As part of initial training for new users; o When required by VDA changes; o At least every 12 months thereafter; and

  • Provides role-based security training to personnel with assigned security roles and responsibilities:

o Before authorizing access to the VDA or performing assigned duties; o When required by VDA changes; o At least every 12 months thereafter; and

  • Documents and monitors individual VDA security training activities including basic security awareness training and specific VDA security training; and
  • Retains individual training records consistent with Title 10 of the Code of Federal Regulations (10 CFR) 73.53(i).

DG-5062, Page B-8 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE B-36 PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS (informed by NIST SP 800-53 Rev. 4, AC-6 (10))

[Licensee/Applicant] ensures the VDA prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards and countermeasures.

B-37 UNSUCCESSFUL LOGON ATTEMPTS (informed by NIST SP 800-53 Rev. 4, AC-7)

[Licensee/Applicant]:

  • Limits the number of failed login attempts in a specified time period, which may vary by VDA (i.e., more than three invalid attempts within a 1-hour time period will automatically lock out the account); and
  • Ensures the VDA enforces the lock out mode automatically.

B-38 PURGE OR WIPE MOBILE DEVICE (informed by NIST SP 800-53 Rev. 4, AC-7 (2))

[Licensee/Applicant] ensures that, for mobile devices used with VDAs, the mobile device purges or wipes information in a manner that would prevent recovery of the data by an adversary within 10 consecutive unsuccessful device logon attempts.

B-39 VDA USE NOTIFICATION (informed by NIST SP 800-53 Rev. 4, AC-8)

[Licensee/Applicant] ensures VDAs display to users a use notification message or banner before granting access that provides appropriate security notices consistent with NRC regulations, and to support the prevention of consequence of concern, and retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the VDA. The notice informs the user that:

  • Users are accessing a VDA;
  • Usage may be monitored, recorded, and subject to audit;
  • Unauthorized use is prohibited and subject to criminal and civil penalties;
  • Use indicates consent to monitoring and recording; and
  • For publicly accessible VDAs:

o Displays VDA use information before granting further access; o Displays references, if any, to monitoring, recording, or auditing that are consistent with the requirements for non-public VDAs; and o Includes a description of the authorized uses.

B-40 CONCURRENT SESSION CONTROL (informed by NIST SP 800-53 Rev. 4, AC-10)

[Licensee/Applicant] ensures the VDA limits the number of concurrent sessions for each account and account type to the minimum necessary to perform the VDAs function.

DG-5062, Page B-9 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE B-41 SESSION LOCK AND TERMINATION (informed by NIST SP 800-53 Rev. 4, AC-11 & AC-12)

[Licensee/Applicant] ensures the VDA:

  • Prevents further access to, and conceals information previously visible on, the display by initiating a session lock within 30 minutes of inactivity or upon receiving a request from a user;
  • Retains the session lock until the user reestablishes access using established identification and authentication procedures; and
  • Automatically terminates a user session within 45 minutes of inactivity.

B-42 AUTOMATED MONITORING / CONTROL (informed by NIST SP 800-53 Rev. 4, AC-17 (1))

[Licensee/Applicant] ensures the VDA monitors and controls remote access methods.

B-43 PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION (informed by NIST SP 800-53 Rev. 4, AC-17 (2))

[Licensee/Applicant] ensures the VDA implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

B-44 AUTHENTICATION AND ENCRYPTION (informed by NIST SP 800-53 Rev. 4, AC-18 (1))

[Licensee/Applicant] ensures the VDA protects wireless access to the VDA using authentication of users and encryption.

B-45 LOG REDUCTION AND REPORT GENERATION (informed by NIST SP 800-53 Rev. 4, AU-7)

[Licensee/Applicant] ensures the VDA provides a log reduction and report generation capability that:

  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
  • Does not alter the original content or time ordering of audit records.

B-46 AUTOMATIC PROCESSING (informed by NIST SP 800-53 Rev. 4, AU-7 (1))

[Licensee/Applicant] ensures the VDA provides the capability to process audit event and log records based on events of interest identified by the content of the specific audit record.

B-47 TIME STAMPS (informed by NIST SP 800-53 Rev. 4, AU-8)

[Licensee/Applicant]:

  • Uses a time source protected at an equal or greater level than the VDAs they support; and
  • Ensures the VDA:

DG-5062, Page B-10 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE o Implements time synchronization mechanisms that do not introduce a vulnerability leading to a consequence of concern; o Synchronizes its internal clock from the protected time source; and o Uses its internal clock to generate time stamps for audit records.

B-48 SUPPLY CHAIN PROTECTION (informed by NIST SP 800-53 Rev. 4, SA-12)

[Licensee/Applicant] protects against supply chain threats to the VDA, component, or information system service by:

  • Establishing of trusted distribution paths;
  • Validating vendors; and
  • Requiring tamper proof products or tamper evident seals on acquired products as part of a comprehensive, defense-in-breadth information security strategy.

DG-5062, Page B-11 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE ADDITIONAL CYBER SECURITY CONTROLS FOR VITAL DIGITAL ASSETS ASSOCIATED WITH LATENT CONSEQUENCES OF CONCERN - DESIGN BASIS THREAT (CATEGORY I FACILITIES ONLY)

C-1 INSIDER THREAT PROGRAM (informed by National Institute for Standards and Technology (NIST) Special Publication (SP) 800-53 Rev. 4, PM-12 & AT-2 (2))

[Licensee/Applicant] implements an insider threat program that includes a cross-discipline insider threat incident handling team. [Licensee/Applicant] includes security awareness training on recognizing and reporting potential indicators of insider threat.

C-2 ACCOUNT MANAGEMENT PROCEDURES (informed by NIST SP 800-53 Rev. 4, AC-2)

[Licensee/Applicant] employs, at a minimum, the following measures in support of the management of user accounts on vital digital assets (VDAs):

  • Assigns account managers for VDA accounts;
  • Establishes conditions for group and role membership;
  • Specifies authorized users of the VDA, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
  • Requires independent management approval for requests to create VDA accounts;
  • Creates, enables, modifies, disables, and removes VDA accounts in accordance with the Access Control policy;
  • Monitors the use of VDA accounts;
  • Notifies account managers in a timely manner:

o When accounts are no longer required; o When users are terminated or transferred; o When individual VDA usage or need-to-know changes; and

  • Authorizes access to the VDA based on:

o A valid access authorization; o Intended VDA usage; and

  • Reviews accounts at least every 30 days for compliance with account management requirements; and
  • Employs, at a minimum, the following measures to restrict the creation and issuance of shared/group VDA accounts:

o Ensures shared/group account requests:

Are issued only when necessary to prevent a consequence of concern; Include a documented technical justification; Are reviewed and approved by the Cyber Security Team (CST) prior to issuance; and o Automatically terminates and establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

DG-5062, Page C-1 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE C-3 ACCOUNT MANAGEMENT (informed by NIST SP 800-53 Rev. 4, AC-2(5), AC-2(12), & AC-2(13))

[Licensee/Applicant] employs, at minimum, the following measures in support of the management of VDA accounts using a combination of procedural activity and automated means:

  • Requires that users log out within 15 minutes of inactivity unless the login session must be maintained to prevent a consequence of concern;
  • Monitors VDA accounts for atypical usage and anomalous activity that could indicate account compromise;
  • Reports atypical usage of VDA accounts to the CST; and
  • Disables user accounts that have been potentially compromised upon discovery.

C-4 AUTOMATED ACCOUNT MANAGEMENT (informed by NIST SP 800-53 Rev. 4, AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (4) & AC-2 (11))

[Licensee/Applicant] employs, at minimum, the following automated technical mechanisms to support the management of VDA accounts, including:

  • Automatically removes or disables temporary and emergency accounts once they are no longer needed;
  • Automatically disables inactive accounts within 30 days; and
  • Automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies appropriate personnel in a timely manner.

C-5 ACCESS MANAGEMENT (informed by NIST SP 800-53 Rev. 4, AC-3, AC-3 (2), AC-4, AC-4 (4), & AC-4 (21))

[Licensee/Applicant] ensures the VDA employs technical measures in support of the enforcement of account access to enforce approved authorizations for:

  • Logical access to VDA information and VDA resources in accordance with applicable access control policies; and
  • Controlling the flow of information within the VDA and between interconnected systems and VDAs.

[Licensee/Applicant] ensures the VDA employs automated technical measures to:

  • Enforce dual authorization for privileged commands, operations or access;
  • Prevent encrypted information from bypassing content-checking mechanisms;
  • Separate information flows logically or physically; and
  • Notify the user, upon successful logon/access:

o The date and time of the last logon/access; o The number of unsuccessful logon/access attempts since the last successful logon/access; o The number of successful and unsuccessful logons/accesses within the last 7 days; and o Changes to security-related characteristics/parameters of the users account within the last 7 days.

C-6 SECURITY ATTRIBUTES (informed by NIST SP 800-53 Rev. 4, AC-16, AC-16 (4), SC-16, & SC-16 (1))

[Licensee/Applicant]:

  • Provides the means to associate security attributes with information in storage, in process, and/or in transmission; DG-5062, Page C-2 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Ensures that the security attribute associations are made and retained with the information;
  • Establishes the permitted security attributes for VDAs;
  • Determines the permitted values or ranges for each of the established security attributes;
  • Supports the association of security attributes for the VDA with information exchanged or transmitted between digital assets, VDAs, and components; and
  • Validates the integrity of transmitted security attributes for the VDA.

C-7 MANAGED ACCESS CONTROL POINTS (informed by NIST SP 800-53 Rev. 4, AC-17 (3))

[Licensee/Applicant] prohibits all remote and off-site access to VDAs. Access to VDAs must be from a digital asset that is protected equivalent to the VDA.

C-8 USE OF EXTERNAL INFORMATION SYSTEMS (informed by NIST SP 800-53 Rev. 4, AC-20 (3), & AC-20 (4))

[Licensee/Applicant]:

  • Prohibits the use of non-licensee owned information systems, VDA components, or devices used with VDAs; and
  • Prohibits the use of organization-controlled network accessible storage devices] in external information systems.

C-9 CYBER SECURITY TRAINING (informed by NIST SP 800-53 Rev. 4, AT-2 (1) & AT-3 (3))

[Licensee/Applicant] includes practical exercises in security awareness training that simulate actual cyber attacks. [Licensee/Applicant] includes practical exercises in role based security training that reinforce training objectives.

[Licensee/Applicant] provides role based training to its personnel to recognize suspicious communications and anomalous behavior in VDAs.

C-10 AUDIT DATA DEFINITION, GENERATION, AND CONTENT (informed by NIST SP 800-53 Rev. 4, AU-3, AU-3 (1), AU-3 (2), AU-5, AU-5 (2), AU-12 (3),

AU-14, AU-14 (1), & AU-14 (2))

[Licensee/Applicant] ensures the VDA:

  • Generates records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event;
  • Generates records containing information necessary to prevent a consequence of concern from a cyber attack, including, at a minimum:

o Account (user or service) login failure and success; o Account role or privilege change; o File or object creation, modification and deletion; o Service start and stop; o Privileged service call; o Account creation, modification and deletion; o Account right assignment and removal; o Audit policy change; DG-5062, Page C-3 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE o User account password change; o User group creation, modification and deletion; and o Remote session start, stop and failure.

[Licensee/Applicant] ensures the VDA auditing function:

  • Alerts cyber security personnel in near real-time of an audit processing failure, or where audit failure events occur that could indicate VDA compromise;
  • Takes automated measures to preserve audit data;
  • Provides the capability to increase or modify audit record content in response to threat intelligence;
  • Initiates session audits at VDA start-up;
  • Provides the capability for authorized users to select a user session to capture/record or view/hear;
  • Provides the capability for authorized users to capture/record and log content related to a user session; and
  • Provides centralized management and configuration of the content to be captured in audit records.

C-11 AUDIT DATA MANAGEMENT AND PROTECTION (informed by NIST SP 800-53 Rev. 4, AU-4, AU-5 (1), AU-6 (7), AU-9, AU-9 (2), AU-9 (3),

AU-9 (4), AU-9 (5), & AU-10)

[Licensee/Applicant]:

  • Allocates sufficient audit record storage capacity in accordance with U.S. Nuclear Regulatory Commission (NRC) record retention requirements and configures auditing to prevent capacity from being exceeded;
  • Authorizes access to management of audit functionality to only authorized users with cyber security responsibilities;
  • Enforces dual authorization for movement or deletion of audit information;
  • Specifies the permitted actions for each role or user associated with the review, analysis, and reporting of audit information;
  • Ensures the VDA provides an alert to authorized personnel when allocated audit record storage volume reaches 80 percent of repository maximum audit record storage capacity;
  • Ensures the VDA backs up audit records onto a physically different VDA than the VDA being audited;
  • Ensures the VDA protects audit information and audit tools from unauthorized access, modification, and deletion;
  • Ensures the VDA implements cryptographic mechanisms to protect the integrity of audit information and audit tools; and
  • Ensures the VDA protects against an individual (or process acting on behalf of an individual) falsely denying having performed any action on the VDA.

C-12 AUDIT REVIEW, ANALYSIS, AND REPORTING (informed by NIST SP 800-53 Rev. 4, AU-6, AU-6a, AU-6b, AU-6 (1), AU-6 (3), AU-6 (5),

AU-6 (6), AU-10 (3), AU-10 (4), & AU-12 (1))

[Licensee/Applicant]:

  • Employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities;
  • Reviews and analyzes VDA audit records in a timely manner for indications of potential compromise; DG-5062, Page C-4 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Analyzes and correlates audit records across different repositories to gain organization-wide situational awareness;
  • Integrates analysis of audit records with analysis of vulnerability scanning information, performance data, VDA monitoring information, and data/information collected from other sources to further enhance the ability to identify potential unauthorized activity;
  • Correlates information from audit records with information obtained from monitoring physical access to the VDA to further enhance the ability to identify potential unauthorized activity;
  • Reports findings to the CST; and
  • Ensures the VDA compiles audit records into a logical or physical audit trail that is time-correlated to, at a minimum, within one-tenth of a second.

[Licensee/Applicant] ensures the VDA:

  • Maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released;
  • Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer; and
  • Prevents access to, modification of, or transfer of the information in the event of a validation error.

C-13 SECURITY CONTROL ASSESSMENTS (informed by NIST SP 800-53 Rev. 4, CA-2)

[Licensee/Applicant]:

  • Develops a security assessment plan that describes the scope of the assessment including:

o Security controls and control enhancements under assessment; o Assessment procedures to be used to determine security control effectiveness; o Assessment environment, assessment team, and assessment roles and responsibilities; and

  • Assesses the security controls in the VDA and its environment of operation at least every 92 days to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
  • Produces a security assessment report that documents the results of the assessment;
  • Includes and documents as part of VDA security control assessments:

o An attack tree/attack surface analysis of the VDA (to be done at least every 24 months);

o Announced assessments:

In-depth monitoring (to be done automatically, in real time);

Vulnerability scanning (to be done at least every 30 days);

Malicious actor testing (to be done at least every 92 days);

Insider threat assessment (to be done at least every 92 days); and o Unannounced assessments (in addition to announced assessments above):

Vulnerability scanning (to be done at least every 183 days);

Malicious actor testing (to be done at least every 12 months);

Insider threat assessment (to be done at least every 183 days);

Performance/load testing (to be done at least every 183 days); and o Provides the results of the security control assessment to the CST; and

  • Restricts access to the results of the security control assessment to authorized personnel with a need-to-know.

DG-5062, Page C-5 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE C-14 INDEPENDENCE OF ASSESSORS (informed by NIST SP 800-53 Rev. 4, CA-2 (1), CA-7 (1), CA-8, CA-8 (1), CA-8 (2))

[Licensee/Applicant]:

  • Utilizes assessors or assessment teams that are independent of those personnel responsible for program management or cyber security control implementation to conduct assessments of the cyber security controls;
  • Utilizes assessors or assessment teams that are independent of those personnel responsible for program management or cyber security control implementation to monitor the cyber security controls for the VDA on an ongoing basis;
  • Conducts penetration testing at least every 183 days on the VDA;
  • Employs red team exercises to simulate attempts by adversaries to compromise VDAs; and
  • Utilizes assessors or assessment teams that are independent of those personnel responsible for program management or cyber security control implementation to perform penetration testing on the VDA.

C-15 ENHANCEMENTS TO VDA CONNECTIONS (informed by NIST SP 800-53 Rev. 4, CA-3 (3), CA-3 (4), CA-3 (5), & CA-9)

[Licensee/Applicant]:

  • Employs a deny-all, permit-by-exception policy for allowing VDAs to connect to other digital assets;
  • Prohibits access from and the connection of a VDA to an external network;
  • Prohibits the direct connection of a VDA to a public network;
  • Authorizes connections to the VDA; and
  • Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated.

C-16 NATIONAL SECURITY SYSTEM CONNECTIONS (informed by NIST SP 800-53 Rev. 4, CA-3 (1))

For VDAs within NRCs regulatory purview store, process or transmit classified information or that qualify as an national security system, as defined by the Committee for National Security Systems, the licensee prohibits connection of the VDA to a public or external network.

C-17 INTERIM COMPENSATORY MEASURES (informed by NIST SP 800-53 Rev. 4, CA-5)

[Licensee/Applicant]:

  • Documents an interim compensatory measure plan to correct weaknesses or deficiencies noted during the assessment of VDA security controls and to reduce or eliminate known vulnerabilities in the VDA;
  • Updates interim compensatory measure plan at least every 30 days based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities; and
  • Restricts access to the interim compensatory measure plan to authorized personnel with a need-to-know.

DG-5062, Page C-6 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE C-18 INTERNAL SYSTEM CONNECTIONS (informed by NIST SP 800-53 Rev. 4, CA-9)

[Licensee/Applicant]:

  • Authorizes internal connections of VDA components to the VDA; and
  • Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated.

C-19 AUTOMATED BASELINE CONFIGURATION (informed by NIST SP 800-53 Rev. 4, CM-2 (2))

[Licensee/Applicant] employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the VDA.

C-20 CONFIGURE VDAS FOR HIGH-RISK AREAS (informed by NIST SP 800-53 Rev. 4, CM-2 (7))

Prior to transporting VDAs associated with a design basis threat consequence of concern to locations that the [Licensee/Applicant] deems to be of significant risk, the [Licensee/Applicant]:

  • Documents a detailed justification for the VDA to be transported;
  • Obtains written approval from the CST and management;
  • Documents the VDA configuration baseline and component inventory prior to leaving controlled areas;
  • Ensures safeguards or security-related information on the VDA is purged or protected in a manner that prevents an adversary from recovering the data prior to leaving controlled areas;
  • Observes chain-of-custody of the VDA or VDA component;
  • Performs a review of the VDA configuration baseline and component inventory upon return;
  • Performs testing of the VDA to ensure no cyber compromise has occurred; and
  • Performs a security control assessment to ensure all controls are in place, operational, and performing the intended function.

C-21 CONFIGURATION CHANGE CONTROL (informed by NIST SP 800-53 Rev. 4, CM-3)

[Licensee/Applicant]:

  • Documents changes to the VDA that shall be configuration-controlled per Title 10 of the Code of Federal Regulations (10 CFR) 73.53;
  • Reviews proposed configuration-controlled changes to the VDA and approves or disapproves such changes with explicit consideration for security impact analyses before implementation of the change;
  • Documents configuration change decisions associated with the VDA;
  • Implements approved configuration-controlled changes to the VDA;
  • Retains records of configuration-controlled changes to the VDA in accordance with NRC record retention requirements;
  • Audits and reviews activities associated with configuration-controlled changes to the VDA; and
  • Coordinates and provides oversight for configuration change control activities through the change management process.

DG-5062, Page C-7 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE C-22 CHANGE TESTING AND ANALYSIS (informed by NIST SP 800-53 Rev. 4, CM-3 (2), CM-4, CM-4 (1), & CM-4 (2))

[Licensee/Applicant]:

  • Tests, validates, and documents changes to the VDA before implementing the changes on the VDA;
  • Analyzes changes to the VDA to determine potential security impacts prior to change implementation;
  • Analyzes changes to the VDA in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice; and
  • Checks the security functions after a VDA is changed to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the VDA.

C-23 ACCESS RESTRICTIONS FOR CHANGE (informed by NIST SP 800-53 Rev. 4, CM-5, CM-5 (1), & CM-5 (4))

[Licensee/Applicant]:

  • Defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the VDA;
  • Enforces dual authorization for implementing changes to VDAs and components; and
  • Enforces VDA access restrictions and supports auditing of the enforcement actions.

C-24 REVIEW VDA CHANGES (informed by NIST SP 800-53 Rev. 4, CM-5 (2))

[Licensee/Applicant] reviews VDA changes at least every 183 days or in the event of suspected compromise to determine whether unauthorized changes have occurred.

C-25 SIGNED COMPONENTS (informed by NIST SP 800-53 Rev. 4, CM-5 (3))

[Licensee/Applicant] ensures the VDA prevents the installation of software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

C-26 CONFIGURATION SETTINGS (informed by NIST SP 800-53 Rev. 4, CM-6, CM-6 (1), & CM-6 (2))

[Licensee/Applicant]:

  • Establishes and documents configuration settings within the VDA that reflect the most restrictive mode consistent with operational requirements;
  • Implements the configuration settings;
  • Identifies, documents, and approves any deviations from established configuration settings;
  • Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures;
  • Employs automated mechanisms to centrally manage, apply, and verify VDA configuration settings; and DG-5062, Page C-8 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Reports unauthorized changes to VDA configuration settings to the cyber security incident response team upon detection.

C-27 LEAST FUNCTIONALITY (informed by NIST SP 800-53 Rev. 4, CM-7)

[Licensee/Applicant]:

  • Configures the VDA to provide only essential capabilities, to perform its function and maintain safe and secure operations; and
  • Prohibits or restricts the use of unneeded functions, ports, protocols, and/or services.

C-28 PERIODIC REVIEW (informed by NIST SP 800-53 Rev. 4, CM-7 (1))

[Licensee/Applicant]:

  • Reviews the VDA continuously to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
  • Disables or restricts unneeded functions, ports, protocols, and/or services identified by the review.

C-29 AUTHORIZED SOFTWARE (informed by NIST SP 800-53 Rev. 4, CM-7 (2) CM-7 (5), CM-8 (1), CM-8 (2), & CM-8 (3))

[Licensee/Applicant]:

  • Identifies software programs authorized to execute on the VDA;
  • Employs an deny-all, allow-by-exception policy to prohibit the execution of unauthorized software programs on the VDA;
  • Reviews and updates the list of authorized software programs, at least every 92 days;
  • Employs automated mechanisms for the VDA (i.e. application white-listing) to prevent unauthorized program execution;
  • Develops and documents an inventory of information VDA components that:

o Accurately reflects the current VDA; o Includes all components within the boundary of the VDA; o Is at the level of granularity necessary for tracking and reporting; o Includes information necessary to achieve effective information VDA component accountability; and

  • Reviews and updates the VDA component inventory at least every 92 days or as part of any changes to a VDA;
  • Updates the inventory of information VDA components as an integral part of component installations, removals, and VDA updates;
  • Employs automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the VDA;
  • employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of VDA components; and
  • Takes appropriate actions when unauthorized components are detected to remove, disable, or otherwise prevent the unauthorized component from causing a consequence of concern.

DG-5062, Page C-9 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE C-30 VDA COMPONENT INVENTORY (informed by NIST SP 800-53 Rev. 4, CM-8, CM-8 (1), CM-8 (2), CM-8 (3), & CM-8 (4))

[Licensee/Applicant]:

  • Develops and documents an inventory of VDA components that:

o Accurately reflects the current VDA; o Includes all components within the boundary of the VDA; o Is at the level of granularity necessary for tracking and reporting; o Includes information necessary to achieve effective VDA component accountability; and

  • Reviews and updates the VDA component inventory at least every 92 days or as part of any changes to a VDA;
  • Updates the inventory of VDA components as an integral part of component installations, removals, and VDA updates;
  • Employs automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the VDA;
  • Employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of VDA components;
  • Includes in the VDA component inventory information, a means for identifying individuals responsible/accountable for administering those components; and
  • Takes appropriate actions when unauthorized components are detected to remove, disable, or otherwise prevent the unauthorized component from causing a consequence of concern.

C-31 INSTALLED SOFTWARE (informed by NIST SP 800-53 Rev. 4, CM-11, CM-11 (1), & CM-11 (2))

[Licensee/Applicant]:

  • Establishes policies governing the installation of software on VDAs consistent with configuration management in 10 CFR 73.53(f);
  • Enforces software installation policies using automated measures where supported;
  • Monitors policy compliance using automated measures where supported;
  • Ensures appropriate personnel are alerted in near-realtime when the unauthorized installation of software is detected on the VDA; and
  • Prohibits user installation of software on the VDA without explicit privileged status.

C-32 IDENTIFICATION AND AUTHENTICATION (informed by NIST SP 800-53 Rev. 4, IA-2, IA-2 (1), IA-2 (2), IA-2 (3), IA-2 (4), IA-2 (8), IA-2 (9), IA-2 (11), IA-2 (12), IA-3, IA-3 (4), & IA-8)

[Licensee/Applicant] ensures the VDA:

  • Uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users) and non-organizational users (or processes acting on behalf of non-organizational users);
  • Implements multifactor authentication for network access to privileged accounts;
  • Implements multifactor authentication for network access to non-privileged accounts;
  • Implements multifactor authentication for local access to privileged accounts;
  • Implements multifactor authentication for local access to non-privileged accounts;
  • Implements replay-resistant authentication mechanisms for network access to privileged accounts;
  • Implements replay-resistant authentication mechanisms for network access to non-privileged accounts; DG-5062, Page C-10 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets E-authentication Assurance Level 4 as described in NIST SP 800-63-2 or later revisions;
  • Accepts and electronically verifies Personal Identity Verification credentials;
  • Uniquely identifies and authenticates devices before establishing a connection to a VDA; and
  • Ensures that device identification and authentication based on attestation is handled by the configuration management process.

C-33 IDENTIFIER MANAGEMENT (informed by NIST SP 800-53 Rev. 4, IA-4, IA-4 (2), & IA-4 (7))

[Licensee/Applicant] manages VDA identifiers by:

  • Receiving independent management authorization to assign an individual, group, role, or device identifier;
  • Selecting an identifier that identifies an individual, group, role, or device;
  • Assigning the identifier to the intended individual, group, role, or device;
  • Preventing reuse of identifiers where reuse could allow unintended or unauthorized access; and
  • Disabling the identifier within 30 days of inactivity.

[Licensee/Applicant] requires that the registration process to receive an individual identifier:

  • Includes supervisor authorization; and
  • Is conducted in-person before a designated registration authority.

C-34 AUTHENTICATOR MANAGEMENT (informed by NIST SP 800-53 Rev. 4, IA-5)

[Licensee/Applicant] manages VDA authenticators by:

  • Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
  • Establishing initial authenticator content for authenticators defined by the organization;
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use;
  • Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
  • Changing default content of authenticators prior to VDA installation;
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
  • Documenting authenticator types approved for use, the frequency for changing/refreshing, and the technical justification that demonstrates that adequate security is provided by the frequency;
  • Protecting authenticator content from unauthorized disclosure and modification;
  • Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
  • Changing authenticators for group/role accounts when membership to those accounts changes.

[Licensee/Applicant] requires that the registration process to receive authenticators be conducted in person or by a trusted third party with management authorization.

DG-5062, Page C-11 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE C-35 PASSWORD-BASED AUTHENTICATION (informed by NIST SP 800-53 Rev. 4, IA-5 (1))

For password-based authentication for the VDA, the [licensee/applicant]:

  • Enforces a minimum password length, strength, and complexity that is within the capabilities of the VDA and commensurate with the required level of security;
  • Enforces password complexity such that the passwords cannot be found in a dictionary and do not contain predictable sequences of numbers or letters;
  • Enforces a sufficient number of changed characters when new passwords are created to ensure adversaries cannot determine the current password from previous entries;
  • Stores and transmits only cryptographically-protected passwords;
  • Enforces lifetime restrictions for password minimums of 1 day and provides a technical basis for maximums defined and documented by the CST that prevents unauthorized access;
  • Prohibits password reuse for 10 generations;
  • Requires an immediate change to a permanent password upon the first logon, when temporary passwords are used for VDA logons;
  • Stores written or electronic copies of master passwords in a secure location with limited access; and
  • Employs automated tools to determine if password authenticators are sufficiently strong to prevent an adversary from executing a password-guessing attack.

C-36 PUBLIC KEY INFRASTRUCTURE (PKI)-BASED AUTHENTICATION (informed by NIST SP 800-53 Rev. 4, IA-5 (2))

[Licensee/Applicant] ensures that PKI-based authentication for the VDA:

  • Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
  • Enforces authorized access to the corresponding private key;
  • Maps the authenticated identity to the account of the individual or group; and
  • Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

C-37 IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION (informed by NIST SP 800-53 Rev. 4, IA-5 (3))

[Licensee/Applicant] requires that the registration process to receive authenticators be conducted in person or by a trusted third party with management authorization.

C-38 HARDWARE TOKEN-BASED AUTHENTICATION (informed by NIST SP 800-53 Rev. 4, IA-5 (11))

[Licensee/Applicant] ensures that hardware token-based authentication for the VDA, employs mechanisms that satisfy Level 4 as described in NIST SP 800-63-2 or later revisions.

DG-5062, Page C-12 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE C-39 AUTHENTICATOR FEEDBACK (informed by NIST SP 800-53 Rev. 4, IA-6)

[Licensee/Applicant] ensures the VDA obscures feedback of authentication information during the authentication process to protect the information from possible exploitation or use by unauthorized individuals.

C-40 CRYPTOGRAPHIC MODULE AUTHENTICATION (informed by NIST SP 800-53 Rev. 4, IA-7)

[Licensee/Applicant] ensures the VDA implements mechanisms for authentication to a cryptographic module based on NIST Cryptographic Module Validation Program (CMVP) and associated guidance for such authentication.

C-41 INCIDENT RESPONSE TRAINING (informed by NIST SP 800-53 Rev. 4, IR-2, IR-2 (1), & IR-2 (2))

[Licensee/Applicant] provides incident response training to VDA users consistent with assigned roles and responsibilities:

  • Within 92 days of assuming an incident response role or responsibility;
  • When required by VDA changes; and
  • At least every 12 months.

[Licensee/Applicant]:

  • Incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations; and
  • Employs automated mechanisms to provide a more thorough and realistic incident response training environment.

C-42 INCIDENT RESPONSE TESTING (informed by NIST SP 800-53 Rev. 4, IR-3 & IR-3 (2))

[Licensee/Applicant]:

  • Tests the incident response capability for the VDA at least every 92 days using one or more of the following methods to determine the incident response effectiveness and documents the results of checklists, walk-through or tabletop exercises, and simulations (parallel/full interrupt);
  • Tests the incident response capability for the VDA at least every 36 months using a comprehensive exercise; and
  • Coordinates incident response testing with organizational elements responsible for related plans.

C-43 INCIDENT HANDLING (informed by NIST SP 800-53 Rev. 4, IR-4, IR-4 (1), & IR-4 (4))

[Licensee/Applicant]:

  • Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
  • Coordinates incident handling activities with contingency planning activities;
  • Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly;
  • Employs automated mechanisms to support the incident handling process; and DG-5062, Page C-13 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

C-44 INCIDENT MONITORING (informed by NIST SP 800-53 Rev. 4, IR-5 & IR-5 (1))

[Licensee/Applicant]

  • Tracks and documents VDA security incidents; and
  • Employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.

C-45 INCIDENT REPORTING (informed by NIST SP 800-53 Rev. 4, IR-6 & IR-6 (1))

[Licensee/Applicant]:

  • Requires personnel to report suspected cyber security incidents to the CST upon discovery; and
  • Employs automated mechanisms to assist in the reporting of security incidents.

C-46 INCIDENT RESPONSE ASSISTANCE (informed by NIST SP 800-53 Rev. 4, IR-7 & IR-7 (1))

[Licensee/Applicant]:

  • Provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the VDA for the handling and reporting of security incidents; and
  • Employs automated mechanisms to increase the availability of incident response-related information and support.

C-47 INFORMATION SPILLAGE RESPONSE (informed by NIST SP 800-53 Rev. 4, IR-9, IR-9 (1), IR-9 (2), IR-9 (3), & IR-9 (4))

[Licensee/Applicant]:

  • Responds to information spills by:

o Identifying the specific information involved in the information system contamination; o Alerting the CST of the information spill using a method of communication not associated with the spill; o Isolating the contaminated information system or VDA component; o Eradicating the information from the contaminated information system or VDA component; o Identifying other VDAs that may have been subsequently contaminated; o Documenting the incident; and

  • Assigns cleared personnel with responsibility for responding to information spills;
  • Provides information spillage response training at least every 12 months;
  • Implements procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions; and
  • Employs appropriate response procedures and safeguards for personnel exposed to information not within assigned access authorizations.

DG-5062, Page C-14 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE C-48 CONTROLLED MAINTENANCE (informed by NIST SP 800-53 Rev. 4, MA-2 & MA-2 (2))

[Licensee/Applicant]:

  • Performs and documents maintenance and repairs on VDAs in a timely manner to prevent a consequence of concern;
  • Reviews records for maintenance and repairs on VDAs in accordance with manufacturer or vendor specifications but at least every 30 days;
  • Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
  • Requires that CST approve the removal of the VDA for off-site maintenance or repairs outside the licensees positive control;
  • Sanitizes equipment to remove all information from associated media prior to removal for off-site maintenance or repairs outside the licensees positive control;
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions;
  • Includes in records of maintenance and repairs on VDA components at a minimum: date, time, identification of those performing the maintenance, description of maintenance performed, and VDA components removed or replaced;
  • Retains records for inspection by the NRC;
  • Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and
  • Produces up-to date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed.

C-49 MAINTENANCE TOOLS (informed by NIST SP 800-53 Rev. 4, MA-3, MA-3 (1), MA-3 (2), & MA-3 (3))

[Licensee/Applicant]:

  • Approves, controls, and monitors VDA maintenance tools;
  • Inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications; and
  • Checks media containing diagnostic and test programs for malicious code before the media are used in the VDA.

[Licensee/Applicant] prevents the unauthorized removal of maintenance equipment containing VDA information by:

  • Verifying that there is no VDA information contained on the equipment;
  • Sanitizing or destroying the equipment;
  • Retaining the equipment within the facility; or
  • Obtaining an exemption from the CST explicitly authorizing removal of the equipment from the facility.

C-50 NONLOCAL MAINTENANCE (informed by NIST SP 800-53 Rev. 4, MA-4, MA-4 (2), & MA-4 (3))

[Licensee/Applicant]:

  • Approves and monitors nonlocal maintenance and diagnostic activities; DG-5062, Page C-15 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Documents and only allows the use of nonlocal maintenance and diagnostic tools for the VDA where those tools do not introduce vulnerabilities or lead to a consequence of concern (e.g.,

information systems that perform maintenance on VDAS are protected equivalent to the VDA);

  • Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
  • Maintains records for nonlocal maintenance and diagnostic activities; and
  • Terminates session and network connections when nonlocal maintenance is completed.

[Licensee/Applicant]:

  • Documents the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections; or
  • Removes the component to be serviced from the VDA prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to VDA information) before removal from licensee facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the VDA.

C-51 MAINTENANCE PERSONNEL (informed by NIST SP 800-53 Rev. 4, MA-5, MA-5 (1), & MA-5 (2))

[Licensee/Applicant]:

  • Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
  • Ensures that unescorted personnel performing maintenance on the VDA have required access authorizations;
  • Ensures that personnel performing maintenance and diagnostic activities on an VDA processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the VDA;
  • Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations;
  • Implements procedures for the use of maintenance personnel that lack appropriate security clearances that include the following requirements:

o Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the VDA by approved personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; o Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the VDA are sanitized and all nonvolatile storage media are removed or physically disconnected from the VDA and secured; and

  • Develops and implements alternate security safeguards in the event an information VDA component cannot be sanitized, removed, or disconnected from the VDA.

C-52 TIMELY MAINTENANCE (informed by NIST SP 800-53 Rev. 4, MA-6)

[Licensee/Applicant] obtains maintenance support and/or spare parts for VDAs that must remain operational to prevent a consequence of concern.

DG-5062, Page C-16 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE C-53 MEDIA ACCESS (informed by NIST SP 800-53 Rev. 4, MP-2)

[Licensee/Applicant] restricts access to VDA media to authorized individuals only. VDA media includes any active storage device, passive storage device or passive media that:

  • Contain information used to manage, configure, maintain, secure or operate the VDA; or
  • Are used on the VDA for any purpose.

C-54 MEDIA MARKING (informed by NIST SP 800-53 Rev. 4, MP-3)

[Licensee/Applicant] marks VDA media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information.

C-55 MEDIA STORAGE (informed by NIST SP 800-53 Rev. 4, MP-4)

[Licensee/Applicant]:

  • Physically controls and securely stores VDA media; and
  • Protects VDA media until the media are destroyed or sanitized using approved equipment, techniques, and procedures that would prevent recovery of the data by an adversary.

C-56 MEDIA TRANSPORT (informed by NIST SP 800-53 Rev. 4, MP-5 & MP-5 (4))

[Licensee/Applicant]:

  • Protects and controls VDA media during transport outside of controlled areas;
  • Maintains accountability for VDA media during transport outside of controlled areas;
  • Documents activities associated with the transport of VDA media;
  • Restricts the activities associated with the transport of VDA media to authorized personnel; and
  • Implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

C-57 MEDIA SANITIZATION (informed by NIST SP 800-53 Rev. 4, MP-6, MP-6 (1), MP-6 (2), & MP-6 (3))

[Licensee/Applicant]:

  • Sanitizes VDA media prior to disposal, release out of organizational control, or release for reuse in a manner that would prevent recovery of the data by an adversary;
  • Reviews, approves, tracks, documents, and verifies media sanitization and disposal actions;
  • Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information;
  • Tests sanitization equipment and procedures at least every 12 months to verify that the intended sanitization is being achieved;
  • Applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the VDA; and
  • Enforces dual authorization for the sanitization of media.

DG-5062, Page C-17 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE C-58 MEDIA USE (informed by NIST SP 800-53 Rev. 4, MP-7, & MP-7 (1))

[Licensee/Applicant]:

  • Prohibits the use of any media with a VDA, except specifically approved VDA media with an identifiable and verifiable owner; and
  • Prohibits the use of sanitization-resistant media in any VDA.

C-59 ENHANCEMENTS TO ACCESS CONTROL FOR TRANSMISSION MEDIUM (informed by NIST SP 800-53 Rev. 4, PE-4)

[Licensee/Applicant]:

  • Monitors physical access to VDA transmission and distribution lines; and
  • Reviews VDA transmission and distribution lines physical protection measures for tampering or indications of attempted unauthorized access.

C-60 MONITORING PHYSICAL ACCESS (informed by NIST SP 800-53 Rev. 4, PE-6)

[Licensee/Applicant]:

  • Monitors physical access to the facility where the VDA resides to detect and respond to physical security incidents;
  • Reviews physical access logs in a timely manner and upon occurrence of anomalous behavior;
  • Coordinates results of reviews and investigations with the organizational incident response capability; and
  • Monitors physical access to the VDA to detect unauthorized access in a timely manner.

C-61 ENHANCEMENT TO CYBER SECURITY ARCHITECTURE (informed by NIST SP 800-53 Rev. 4, PL-8 (2))

[Licensee/Applicant] requires that security safeguards are obtained from different suppliers.

C-62 VULNERABILITY SCANNING (informed by NIST SP 800-53 Rev. 4, RA-5, RA-5 (1), RA-5 (2), RA-5 (3), RA-5 (4), RA-5 (5),

& RA-5 (8))

[Licensee/Applicant]:

  • Scans for vulnerabilities in the VDA and hosted applications at least every 30 days and when new vulnerabilities potentially affecting the VDA, applications or both are identified and reported;
  • Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

o Enumerating platforms, software flaws, and improper configurations; o Formatting checklists and test procedures; o Measuring vulnerability impact; and

  • Analyzes vulnerability scan reports and results from security control assessments;
  • Addresses vulnerabilities in a timely and technically justified manner to prevent a consequence of concern;
  • Shares information obtained from the vulnerability scanning process and security control assessments with appropriate personnel to help eliminate similar vulnerabilities in other VDAs (i.e., systemic weaknesses or deficiencies);

DG-5062, Page C-18 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Employs vulnerability scanning tools that include the capability to readily update the VDA vulnerabilities to be scanned;
  • Updates the VDA vulnerabilities scanned prior to a new scan;
  • Employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information VDA components scanned and vulnerabilities checked);
  • Determines what information about the VDA is discoverable by adversaries and takes measures to address the associated potential cyber security issues;
  • Implements privileged access authorization to the VDA for vulnerability scanning activities; and
  • Reviews historic audit logs to determine if a vulnerability identified in the VDA has been previously exploited.

C-63 EXTERNAL INFORMATION SYSTEM SERVICES (informed by NIST SP 800-53 Rev. 4, SA-9, SA-9 (2), & SA-9 (3))

[Licensee/Applicant]:

  • Requires that providers of external information system services that interact with VDAs comply with information security requirements and address security controls for the associated consequence of concern;
  • Defines and documents oversight and user roles and responsibilities with regard to external information system services;
  • Employs automated mechanisms to monitor security control compliance by external service providers on an ongoing basis;
  • Requires providers of external information system services that interact with VDAs to identify the functions, ports, protocols, and other services required for the use of such services; and
  • Establishes, documents, and maintains trust relationships with external service providers through contracts or service-level agreements to provide assurance that external information system services that interact with VDAs the security requirements necessary to address the security controls in this Appendix.

C-64 DEVELOPER CONFIGURATION MANAGEMENT (informed by NIST SP 800-53 Rev. 4, SA-10)

[Licensee/Applicant] requires the developer of the VDA, VDA component, or VDA service to:

  • Perform configuration management during the VDA, component, or service lifecycle;
  • Document, manage, and control the integrity of changes to the VDA, component, or service;
  • Implement only organization-approved changes to the VDA, component, or service;
  • Document approved changes to the VDA, component, or service and the potential security impacts of such changes; and
  • Track security flaws and flaw resolution within the VDA, component, or service and report findings to CST.

C-65 THIRD-PARTY HARDWARE, SOFTWARE AND FIRMWARE (informed by NIST SP 800-53 Rev. 4, SA-10 (1), SA-10 (2), SA-10 (3), SA-10 (6), SA-11 (1),

SA-11 (2), SA-11 (3), SA-11 (4), SA-11 (5), SA-11 (6), SA-11 (7), & SA-11 (8))

[Licensee/Applicant] requires the developer of the VDA, VDA component, or VDA service to:

  • Create and implement a security assessment plan to include, at a minimum:

o Integrity verification of hardware, software and firmware components; o Ensuring that security-relevant hardware, software, and firmware updates distributed to the

[Licensee/Applicant] are exactly as specified by the master copies; DG-5062, Page C-19 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE o Static and dynamic code analysis using tools and techniques that identify common flaws (including manual code review) and document the results of the analysis; o Threat and vulnerability analyses and subsequent testing/evaluation of the as-built VDA, component, or service; o Full penetration testing; o Attack surface review; o Verify that the scope of security testing/evaluation provides complete coverage of required security controls; and

  • Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
  • Implement a verifiable flaw remediation process; and
  • Correct flaws identified during security testing/evaluation.

C-66 DEVELOPER SECURITY TESTING AND EVALUATION (informed by NIST SP 800-53 Rev. 4, SA-11)

[Licensee/Applicant] requires the developer of the VDA, VDA component, or VDA service to:

  • Create and implement a security assessment plan;
  • Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
  • Implement a verifiable flaw remediation process; and
  • Correct flaws identified during security testing/evaluation.

C-67 ENHANCEMENTS TO SUPPLY CHAIN PROTECTION (informed by NIST SP 800-53 Rev. 4, SA-12 (1), SA-12 (2), SA-12 (9), SA-12 (10), & SA-12 (14))

[Licensee/Applicant]:

  • Utilizes acquisition strategies, contract tools, and procurement methods for the purchase of the VDA, VDA component, or VDA service from suppliers to reinforce supply chain protection;
  • Conducts a supplier review prior to entering into a contractual agreement to acquire the VDA, VDA component, or VDA service;
  • Utilizes operations security safeguards in accordance with classification guides to protect supply chain-related information for the VDA, VDA component, or VDA service;
  • Utilizes security safeguards to validate that the VDA received is genuine and has not been altered; and
  • Establishes and retains unique identification of supply chain elements, processes, and actors for the VDA, VDA component, or VDA service.

C-68 TRUSTWORTHINESS (informed by NIST SP 800-53 Rev. 4, SA-13)

When acquiring, designing, developing, or implementing VDAs, the [licensee/applicant]:

  • Describes the level of required trustworthiness required in the VDA to meet security requirements; and
  • Implements measures to achieve, measure and document such trustworthiness.

DG-5062, Page C-20 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE C-69 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS (informed by NIST SP 800-53 Rev. 4, SA-15)

[Licensee/Applicant]:

  • Requires the developer of the VDA, VDA component, or VDA service to follow a documented development process that:

o Explicitly addresses security requirements; o Identifies the standards and tools used in the development process; o Documents the specific tool options and tool configurations used in the development process; and

  • Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
  • Reviews the development process, standards, tools, and tool options/configurations to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy VDA security requirements.

C-70 THIRD-PARTY DEVELOPER PROCESS, STANDARDS, AND TOOLS (informed by NIST SP 800-53 Rev. 4, SA-15 (1), SA-15 (2), SA-15 (3), SA-15 (4), SA-15 (5),

SA-15 (6), & SA-15 (7))

[Licensee/Applicant] requires the developer of the VDA, VDA component, or VDA service to:

  • Define quality metrics at the beginning of the development process;
  • Provide evidence of meeting the quality metrics upon delivery;
  • Select and employ a security tracking tool for use during the development process;
  • Perform a criticality analysis;
  • Perform threat modeling and a vulnerability analysis ;
  • Reduce attack surfaces;
  • Implement an explicit process to continuously improve the development process; and
  • Perform an automated vulnerability analysis; o Determine the exploitation potential for discovered vulnerabilities; o Determine potential risk mitigations for delivered vulnerabilities; and o Deliver the outputs of the tools and results of the analysis to the CST.

C-71 DEVELOPER SECURITY ARCHITECTURE AND DESIGN (informed by NIST SP 800-53 Rev. 4, SA-17)

[Licensee/Applicant] requires the developer of the VDA, VDA component, or VDA service e to produce a design specification and security architecture that:

  • Is consistent with and supportive of the licensees security architecture;
  • Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and
  • Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.

C-72 THIRD-PARTY DEVELOPER SECURITY ARCHITECTURE AND DESIGN (informed by NIST SP 800-53 Rev. 4, SA-17 (1) & SA-17 (2))

[Licensee/Applicant] requires the developer of the VDA, VDA component, or VDA service to:

  • Produce, as an integral part of the development process, a formal policy model describing how security controls in this Appendix are met; DG-5062, Page C-21 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented;
  • Define security-relevant hardware, software, and firmware; and
  • Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.

C-73 TAMPER RESISTANCE AND DETECTION (informed by NIST SP 800-53 Rev. 4, SA-18, SA-18 (1), & SA-18 (2))

[Licensee/Applicant]:

  • Implements a tamper protection program for the VDA, VDA component, or VDA service;
  • Employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design, development, integration, operations, and maintenance; and
  • Inspects VDA and VDA components randomly, but at least every hour, to detect tampering.

C-74 COMPONENT AUTHENTICITY (informed by NIST SP 800-53 Rev. 4, SA-19)

[Licensee/Applicant]:

  • Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the VDA;
  • Reports counterfeit information VDA components to the NRC and relevant law enforcement agencies;
  • Trains CST personnel to detect counterfeit information VDA components (including hardware, software, and firmware); and
  • Scans for counterfeit information VDA components during VDA validation activities.

C-75 DEVELOPER SCREENING (informed by NIST SP 800-53 Rev. 4, SA-21 & SA-21 (1))

[Licensee/Applicant] requires that the developer of the VDA, VDA component or VDA service:

  • Have appropriate access authorizations;
  • Satisfy licensee personnel security requirements; and
  • Document and provide for inspection and assessment to ensure that the required access authorizations and screening criteria are satisfied.

C-76 UNSUPPORTED VDA COMPONENTS (informed by NIST SP 800-53 Rev. 4, SA-22 & SA-22 (1))

[Licensee/Applicant]:

  • Replaces information VDA components when support for the components is no longer available from the developer, vendor, or manufacturer;
  • Provides justification and documents approval for the continued use of unsupported VDA components required to satisfy mission/business needs; and
  • Retains support for unsupported information VDA components either in-house or though an approved and validated external third-party.

DG-5062, Page C-22 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE C-77 SYSTEM PROTECTION (informed by NIST SP 800-53 Rev. 4, SC-2, SC-2 (1), SC-3, SC-3 (1), SC-3 (2), & SC-4)

[Licensee/Applicant]:

  • Separates user functionality on the VDA (including user interface services) from VDA management functionality;
  • Isolates security functions from nonsecurity functions on the VDA;
  • Prevents unauthorized and unintended information transfer via shared resources;
  • Prevents the presentation of VDA management-related functionality at an interface for non-privileged users;
  • Utilizes underlying hardware separation mechanisms to implement security function isolation; and
  • Isolates security functions enforcing access and information flow control from nonsecurity functions and from other security functions.

C-78 DENIAL OF SERVICE PROTECTION (informed by NIST SP 800-53 Rev. 4, SC-5)

[Licensee/Applicant] protects against or limits the effects of denial of service attacks by employing technical safeguards and countermeasures.

C-79 BOUNDARY PROTECTION (informed by NIST SP 800-53 Rev. 4, SC-7 & SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7). SC-7 (8),

SC-7 (10), SC-7 (11), SC-7 (12), SC-7 (14), SC-7 (18), SC-7 (20), & SC-7 (21))

[Licensee/Applicant] ensures the VDA:

  • Denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception);
  • Fails securely and safely in the event of an operational failure of a boundary protection device; and
  • Monitors and controls communications at the boundary of the VDA and at key internal boundaries within the VDA.

[Licensee/Applicant]:

  • Provides the capability to dynamically isolate/segregate VDAs from other VDAs;
  • prohibits external network connections to the VDA;
  • Protects against unauthorized physical connections to the VDA;
  • Allows only incoming communications from authorized sources to be routed to VDAs;
  • Implements host-based firewalls on VDAs;
  • Protects against unauthorized physical connections to the VDA; and
  • Employs boundary mechanisms.

[Licensee/Applicant], for boundary control devices:

  • Establishes a traffic flow policy for each interface;
  • Protects the confidentiality and integrity of the information being transmitted across each interface;
  • Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; DG-5062, Page C-23 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Reviews exceptions to the traffic flow policy at least every 30 days and removes exceptions that are no longer supported by an explicit mission/business need;
  • Allows only incoming communications from authorized sources to be routed to VDAs;
  • Implements host-based firewalls on VDAs;
  • Provides the capability to dynamically isolate/segregate VDAs from other VDAs; and
  • Ensures the VDA denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

C-80 EXTERNAL TELECOMMUNICATIONS SERVICES (informed by NIST SP 800-53 Rev. 4, SC-7 (4), SC-7 (5), SC-7 (7). SC-7 (8), SC-7 (10),

SC-7 (11), SC-7 (12), SC-7 (14), SC-7 (18), SC-7 (20), & SC-7 (21))

[Licensee/Applicant]:

  • Implements a managed interface for each external telecommunication service;
  • Establishes a traffic flow policy for each managed interface;
  • Protects the confidentiality and integrity of the information being transmitted across each interface;
  • Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need;
  • Reviews exceptions to the traffic flow policyon a timely basis and removes exceptions that are no longer supported by an explicit mission/business need;
  • Implements a managed interface for each external telecommunication service;
  • Establishes a traffic flow policy for each managed interface;
  • Protects the confidentiality and integrity of the information being transmitted across each interface;
  • Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need;
  • Reviews exceptions to the traffic flow policy at least every 30 days and removes exceptions that are no longer supported by an explicit mission/business need;
  • Prevents the unauthorized exfiltration of information across managed interfaces;
  • Allows only incoming communications from authorized sources to be routed to VDAs;
  • Implements host-based firewalls on VDAs;
  • Protects against unauthorized physical connections to the VDA; and
  • Employs boundary protection mechanisms.

[Licensee/Applicant] ensures the VDA:

  • Has managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception);
  • Prevents, in conjunction with a remote device, the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks;
  • Routes internal communications traffic to external networks through authenticated proxy servers at managed interfaces;
  • Provides the capability to dynamically isolate/segregate VDAs from other VDAs;
  • Fails securely and safely in the event of an operational failure of a boundary protection device.

DG-5062, Page C-24 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE C-81 TRANSMISSION CONFIDENTIALITY AND INTEGRITY (informed by NIST SP 800-53 Rev. 4, SC-8 & SC-8 (1))

[Licensee/Applicant] ensures the VDA:

  • Protects the confidentiality and integrity of transmitted information; and
  • Implements cryptographic mechanisms to prevent unauthorized disclosure of information and to detect changes to information during transmission, unless the transmission medium is otherwise protected by alternative physical safeguards.

C-82 NETWORK DISCONNECT (informed by NIST SP 800-53 Rev. 4, SC-10)

[Licensee/Applicant] terminates the network connection associated with a VDA communications session at the end of the session or within 10 minutes of inactivity, except for communications sessions that are necessary for safe operation of the VDA or are necessary to prevent a consequence of concern.

C-83 TRUSTED PATH (informed by NIST SP 800-53 Rev. 4, SC-11 & SC-11 (1))

[Licensee/Applicant] establishes a trusted VDA communications path between the user and the security functions of the VDA to include at a minimum, authentication and re-authentication.

[Licensee/Applicant] provides a trusted VDA communications path that is logically isolated and distinguishable from other paths.

C-84 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT (informed by NIST SP 800-53 Rev. 4, SC-12 & SC-12 (1))

[Licensee/Applicant]:

  • Establishes and manages cryptographic keys for required cryptography employed within the VDA in accordance with NIST CMVP; and
  • Maintains availability of information necessary to safely operate the VDA or prevent a consequence of concern in the event of the loss of cryptographic keys by users.

C-85 COLLABORATIVE COMPUTING DEVICES (informed by NIST SP 800-53 Rev. 4, SC-15, SC-15 (1), SC-15 (3), & SC-15 (4))

[Licensee/Applicant] disables or removes collaborative computing devices from digital assets in areas where access could disclose information leading to a consequence of concern.

[Licensee/Applicant] ensure the VDA:

  • Prohibits remote activation of collaborative computing devices except where explicitly authorized;
  • Provides an explicit indication of use to users physically present at the devices;
  • Provides physical disconnect of collaborative computing devices in a manner that supports ease of use; and
  • Provides an explicit indication of current participants in collaborative sessions.

DG-5062, Page C-25 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE C-86 PUBLIC KEY INFRASTRUCTURE CERTIFICATES (informed by NIST SP 800-53 Rev. 4, SC-17)

[Licensee/Applicant] issues public key certificates under a certificate policy or obtains public key certificates from a service provider approved by the licensee.

C-87 VOICE OVER INTERNET PROTOCOL (VOIP)

(informed by NIST SP 800-53 Rev. 4, SC-19)

[Licensee/Applicant]:

  • Establishes usage restrictions and implementation guidance for VoIP technologies based on the potential to cause damage to the VDA if used maliciously; and
  • Authorizes, monitors, and controls the use of VoIP within the VDA.

C-88 SECURE NAME / ADDRESS RESOLUTION (informed by NIST SP 800-53 Rev. 4, SC-20, SC-20a, SC-20 (2), SC-21, & SC-22)

[Licensee/Applicant] ensures the VDA:

  • Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the VDA returns in response to external name/address resolution queries;
  • Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace;
  • Requests and performs data origin authentication and data integrity verification on the name/address resolution responses the VDA receives from authoritative sources;
  • Collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation; and
  • Provides data origin and integrity protection artifacts for internal name/address resolution queries.

C-89 SESSION AUTHENTICITY (informed by NIST SP 800-53 Rev. 4, SC-23)

[Licensee/Applicant] ensures the VDA protects the authenticity of communications sessions.

C-90 FAIL IN KNOWN STATE (informed by NIST SP 800-53 Rev. 4, SC-24)

[Licensee/Applicant]:

  • Ensures VDAs fail in a known-state to ensure that functions are not adversely impacted; and
  • Prevents a loss of confidentiality, integrity, or availability in the event of a failure of the VDA or a component of the VDA.

C-91 HONEYPOTS (informed by NIST SP 800-53 Rev. 4, SC-26)

[Licensee/Applicant] ensures the VDA includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks.

DG-5062, Page C-26 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE C-92 PROTECTION OF INFORMATION AT REST (informed by NIST SP 800-53 Rev. 4, SC-28)

[Licensee/Applicant] ensures the VDA:

  • Protects the confidentiality and integrity of VDA information at rest; and
  • Implements cryptographic mechanisms to prevent unauthorized disclosure and modification of VDA information.

C-93 OPERATIONS SECURITY (informed by NIST SP 800-53 Rev. 4, SC-38)

[Licensee/Applicant] employs operations security safeguards to protect VDA information throughout the system development life cycle.

C-94 PROCESS ISOLATION (informed by NIST SP 800-53 Rev. 4, SC-39)

[Licensee/Applicant] maintains a separate execution domain for each executing process.

C-95 PORT AND I/O DEVICE ACCESS (informed by NIST SP 800-53 Rev. 4, SC-41)

[Licensee/Applicant] physically disables or removes unused ports or input/output devices on VDAs and VDA components.

C-96 FLAW REMEDIATION (informed by NIST SP 800-53 Rev. 4, SI-2, SI-2 (1), & SI-2 (2))

[Licensee/Applicant]:

  • Identifies, reports, and corrects VDA flaws;
  • Implement interim compensatory measure following identification of the flaw;
  • Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
  • Correcting the flaw expeditiously using the configuration management process;
  • Incorporates flaw remediation into the organizational configuration management process;
  • Performs vulnerability scans and assessments of the VDA to validate that the flaw has been eliminated before the VDA is put into production;
  • Centrally manages the flaw remediation process; and
  • Employs automated mechanisms to determine the state of VDA components with regard to flaw remediation.

C-97 MALICIOUS CODE PROTECTION (informed by NIST SP 800-53 Rev. 4, SI-3, SI-3 (1), SI-3 (2), SI-3 (8), & SI-2 (10))

[Licensee/Applicant]:

  • Employs malicious code protection mechanisms at VDA network entry and exit points to detect and eradicate malicious code;
  • Updates malicious code protection mechanisms whenever new releases are available;
  • Configures malicious code protection mechanisms to:

o Perform periodic scans of the VDA at least every 7 days; DG-5062, Page C-27 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE o Perform real-time scans of files from external sources as the files are downloaded, opened, or executed; o Prevent malicious code execution; o Alert the CST of the detection of malicious code in a timely manner; and

  • Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the VDA;
  • Centrally manages malicious code protection mechanisms;
  • Automatically updates malicious code protection mechanisms for the VDA;
  • Detects unauthorized operating system commands in VDAs through the kernel application programming interface and:

o Issues a warning; o Audits the command execution; o Prevents the execution of the command; and

  • Employs tools and techniques to analyze the characteristics and behavior of malicious code; and
  • Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes.

C-98 VDA MONITORING (informed by NIST SP 800-53 Rev. 4, SI-4, SI-4 (2), SI-4 (4), SI-4 (5), SI-4 (9), SI-4 (10),

SI-4 (11), SI-4 (12), SI-4 (13), SI-4 (14), SI-4 (15), SI-4 (16), SI-4 (17), SI-4 (19), SI-4 (20),

SI-4 (21), SI-4 (22), SI-4 (23), & SI-4 (24))

[Licensee/Applicant]:

  • Monitors the VDA to detect:

o Cyber attacks and indicators of potential cyber attacks; o Unauthorized local, network, and remote connections; and

  • Identifies unauthorized use of the VDA using automated or other means;
  • Utilizes internal and external monitoring of VDAs to ensure adequate capability to detect cyber attacks and indicators of compromise;
  • Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
  • Heightens the level of VDA monitoring activity whenever there is an indication of increased risk to the facility or VDAs that can result in a consequence of concern, based on law enforcement information, intelligence information, or other credible sources of information;
  • Provides VDA monitoring information to appropriate licensee cyber security personnel as necessary;
  • Employs automated tools to support near real-time analysis of events;
  • Monitors inbound and outbound VDA communications traffic in near real-time for unusual or unauthorized activities or conditions;
  • Ensures appropriate cyber security personnel are alerted when indications of compromise or potential compromise of a VDA occurs;
  • Tests intrusion-monitoring tools at least every 92 days;
  • Makes provisions so that encrypted communications traffic is visible to authorized network monitoring tools;
  • Analyzes outbound communications traffic for VDAs at the external boundary and selected interior points within the boundary to discover anomalies;
  • Employs automated mechanisms to alert security personnel, in a timely manner, of inappropriate or unusual activities with security implications;
  • Analyzes communications traffic/event patterns for the VDA; DG-5062, Page C-28 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Develops profiles representing common traffic patterns and/or events;
  • Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives;
  • Employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the VDA;
  • Employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks;
  • Correlates information from monitoring tools employed throughout the VDA;
  • Correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness;
  • Implements additional monitoring of: privileged users, probationary personnel, and individuals determined to be high-risk;
  • Detects VDA network services that have not been authorized or approved and alerts appropriate personnel in a timely manner;
  • Implements host-based monitoring mechanisms; and
  • Discovers, collects, distributes, and uses indicators of VDA compromise.

C-99 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES (informed by NIST SP 800-53 Rev. 4, SI-5 & SI-5 (1))

[Licensee/Applicant]:

  • Receives cyber security alerts, advisories, and directives from diverse and credible external sources on an ongoing basis;
  • Generates internal security alerts, advisories, and directives as necessary to prevent a consequence of concern;
  • Disseminates security alerts, advisories, and directives to appropriate personnel and the NRC;
  • Implements security directives in a timely manner; and
  • Employs automated mechanisms to make security alert and advisory information available throughout the organization.

C-100 SECURITY FUNCTION VERIFICATION (informed by NIST SP 800-53 Rev. 4, SI-6 & SI-6 (3))

[Licensee/Applicant] ensures the VDA:

  • Verifies the correct operation of security functions;
  • Performs this verification upon startup and restart, upon command by a user with appropriate privilege, at least every 7 days, and when anomalies are discovered; and
  • Notifies appropriate personnel in a timely manner of failed security verification tests.

[Licensee/Applicant] reports the results of security function verification to the CST.

C-101 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY (informed by NIST SP 800-53 Rev. 4, SI-7, SI-7 (1), SI-7 (2), SI-7 (5), SI-7 (7), SI-7 (12),

SI-7 (12), SI-7 (14))

[Licensee/Applicant]:

  • Employs integrity verification tools to detect unauthorized changes to VDA software, firmware, and information; DG-5062, Page C-29 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Performs an integrity check of VDA software, firmware, and information. This occurs, where possible, upon startup and restart, upon command by a user with appropriate privilege, at least every 30 days, and when anomalies are discovered;
  • Employs automated tools that provide notification to appropriate personnel upon discovering discrepancies during integrity verification;
  • Automatically takes proactive protection measures when VDA integrity violations are discovered;
  • Incorporates the detection of unauthorized security-relevant changes to the VDA into the organizational incident response capability;
  • Requires that the integrity of software be verified prior to execution; and
  • Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code.

C-102 ENHANCEMENTS TO INFORMATION INPUT VALIDATION (informed by NIST SP 800-53 Rev. 4, SI-10 (3) & SI-10 (5))

[Licensee/Applicant]:

  • Ensures the VDA behaves in a predictable and documented manner when invalid inputs are received; and
  • Restricts the use of information inputs to defined trusted sources and defined formats.

C-103 ERROR HANDLING (informed by NIST SP 800-53 Rev. 4, SI-11)

[Licensee/Applicant] ensures the VDA:

  • Generates VDA error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
  • Reveals VDA error messages only to authorized personnel with a need-to-know.

C-104 INFORMATION HANDLING AND RETENTION (informed by NIST SP 800-53 Rev. 4, SI-12)

[Licensee/Applicant] handles and retains information within the VDA and information output from the VDAin accordance with NRC record retention requirements.

C-105 MEMORY PROTECTION (informed by NIST SP 800-53 Rev. 4, SI-16)

[Licensee/Applicant] implements automated mechanisms and safeguards for the VDA to protect its memory from unauthorized code execution.

DG-5062, Page C-30 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE ADDITIONAL CYBER SECURITY CONTROLS FOR VITAL DIGITAL ASSETS ASSOCIATED WITH LATENT CONSEQUENCES OF CONCERN - SAFEGUARDS (CATEGORY II FACILITIES ONLY)

D-1 INSIDER THREAT PROGRAM (informed by National Institute for Standards and Technology (NIST) Special Publication (SP) 800-53 Rev. 4, PM-12 & AT-2 (2))

[Licensee/Applicant] implements an insider threat program that includes a cross-discipline insider threat incident handling team. [Licensee/Applicant] includes security awareness training on recognizing and reporting potential indicators of insider threat.

D-2 ACCOUNT MANAGEMENT PROCEDURES (informed by NIST SP 800-53 Rev. 4, AC-2)

[Licensee/Applicant] employs, at a minimum, the following measures in support of the management of user accounts on vital digital assets (VDAs):

  • Assigns account managers for VDA accounts;
  • Establishes conditions for group and role membership;
  • Specifies authorized users of the VDA, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
  • Requires independent management approval for requests to create VDA accounts;
  • Creates, enables, modifies, disables, and removes VDA accounts in accordance with the Access Control policy;
  • Monitors the use of VDA accounts;
  • Notifies account managers in a timely manner:

o When accounts are no longer required; o When users are terminated or transferred; o When individual VDA usage or need-to-know changes; and

  • Authorizes access to the VDA based on:

o A valid access authorization; o Intended VDA usage; and

  • Reviews accounts at least every 30 days for compliance with account management requirements; and
  • Employs, at a minimum, the following measures to restrict the creation and issuance of shared/group VDA accounts:

o Ensures shared/group account requests:

Are issued only when necessary to prevent a consequence of concern; Include a documented technical justification; Are reviewed and approved by the Cyber Security Team (CST) prior to issuance; and o Automatically terminates and establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

DG-5062, Page D-1 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE D-3 ACCOUNT MANAGEMENT (informed by NIST SP 800-53 Rev. 4, AC-2 (5), AC-2 (12), & AC-2 (13))

[Licensee/Applicant] employs, at minimum, the following measures in support of the management of VDA accounts using a combination of procedural activity and automated means:

  • Requires that users log out within 15 minutes of inactivity unless the login session must be maintained to prevent a consequence of concern;
  • Monitors VDA accounts for atypical usage and anomalous activity that could indicate account compromise;
  • Reports atypical usage of VDA accounts to the CST; and
  • Disables user accounts that have been potentially compromised upon discovery.

D-4 AUTOMATED ACCOUNT MANAGEMENT (informed by NIST SP 800-53 Rev. 4, AC-2 (1), AC-2 (2), AC-2 (3), & AC-2 (4))

[Licensee/Applicant] employs, at minimum, the following automated technical mechanisms to support the management of VDA accounts including:

  • Automatically removes or disables temporary and emergency accounts once they are no longer needed;
  • Automatically disables inactive accounts within 30 days; and
  • Automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies appropriate personnel in a timely manner.

D-5 ACCESS MANAGEMENT (informed by NIST SP 800-53 Rev. 4, AC-3 & AC-4)

[Licensee/Applicant] ensures the VDA employs technical measures in support of the enforcement of account access to enforce approved authorizations for:

  • Logical access to VDA information and VDA resources in accordance with applicable access control policies; and
  • Controlling the flow of information within the VDA and between interconnected systems and VDAs.

D-6 SECURITY ATTRIBUTES (informed by NIST SP 800-53 Rev. 4, AC-16, AC-16 (1), AC-16 (4), & SC-16)

[Licensee/Applicant]:

  • Provides the means to associate security attributes with information in storage, in process, and/or in transmission;
  • Ensures that the security attribute associations are made and retained with the information;
  • Establishes the permitted security attributes for VDAs;
  • Determines the permitted values or ranges for each of the established security attributes;
  • Supports the association of VDA security attributes with information exchanged or transmitted between digital assets, VDAs, and components; and
  • Validates the integrity of transmitted security attributes for the VDA.

DG-5062, Page D-2 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE D-7 REMOTE ACCESS (informed by NIST SP 800-53 Rev. 4, AC-17)

[Licensee/Applicant]:

  • Establishes and documents usage restrictions, configurations, connection requirements, and implementation guidance for each type of remote access allowed; and
  • Authorizes remote access to the VDA prior to allowing such connections.

D-8 MANAGED ACCESS CONTROL POINTS (informed by NIST SP 800-53 Rev. 4, AC-17 (3))

[Licensee/Applicant]

  • Prohibits all remote access to VDAs associated with security functions; and
  • Ensures all remote accesses to non-security related VDAs is through a boundary control device meeting the requirements in cyber security control, BOUNDARY PROTECTION, of this Appendix.

D-9 WIRELESS ACCESS (informed by NIST SP 800-53 Rev. 4, AC-18)

[Licensee/Applicant]:

  • Establishes usage restrictions, configurations, connection requirements, and implementation guidance for wireless access; and
  • Authorizes wireless access to the VDA prior to allowing such connections.

D-10 RESTRICT CONFIGURATIONS BY USERS (informed by NIST SP 800-53 Rev. 4, AC-18 (4))

[Licensee/Applicant] identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities.

D-11 ANTENNAS AND TRANSMISSION POWER LEVELS (informed by NIST SP 800-53 Rev. 4, AC-18 (5))

[Licensee/Applicant] selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be accessed outside of licensee-controlled boundaries.

D-12 EXTERNAL INFORMATION SHARING (informed by NIST SP 800-53 Rev. 4, AC-21)

When VDA information is shared with external parties, [licensee/applicant]:

  • Ensures that access authorizations assigned to the sharing partner match the access restrictions on the information; and
  • Employs automated mechanisms to enforce these restrictions.

DG-5062, Page D-3 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE D-13 USE OF EXTERNAL INFORMATION SYSTEMS (informed by NIST SP 800-53 Rev. 4, AC-20, AC-20 (1), AC-20 (2), & AC-20 (4))

[Licensee/Applicant] establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

  • Access the VDA from external information systems; and
  • Process, store, or transmit organization-controlled information using external information systems.

[Licensee/Applicant]:

  • Restricts the use of organization-controlled portable storage devices by authorized individuals on external information systems;
  • Prohibits the use of organization-controlled network accessible storage devices] in external information systems; and
  • Permits authorized individuals to use an external information system to access the VDA or to process, store, or transmit organization-controlled information only when the [licensee/applicant]:

o Verifies the implementation of security controls on the external system equivalent to security controls addressed for the VDA; or o Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.

D-14 AUDIT DATA DEFINITION, GENERATION, AND CONTENT (informed by NIST SP 800-53 Rev. 4, AU-3, AU-3 (1), AU-3 (2), AU-5, AU-5 (2), AU-12, AU-12 (3), AU-14, AU-14 (1), & AU-14 (2))

[Licensee/Applicant] ensures the VDA:

  • Generates records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event; and
  • Generates records containing information necessary to prevent a consequence of concern from a cyber attack, including, at a minimum:

o Account (user or service) login failure; o Account role or privilege change; o File or object creation, modification and deletion; o Service start and stop; o Privileged service call; o Account creation and modification; o Account right assignment; o Audit policy change; o User account password change; o User group creation and modification; and o Remote session start and failure.

[Licensee/Applicant] ensures the VDA auditing function:

  • Alerts cyber security personnel in near real-time of an audit processing failure, or where audit failure events occur that could indicate VDA compromise;
  • Takes automated measures to preserve audit data;
  • Provides the capability to increase or modify audit record content in response to threat intelligence; DG-5062, Page D-4 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Initiates session audits at VDA start-up;
  • Provides the capability for authorized users to select a user session to capture/record or view/hear;
  • Provides the capability for authorized users to capture/record and log content related to a user session; and
  • Provides centralized management and configuration of the content to be captured in audit records.

D-15 AUDIT DATA MANAGEMENT AND PROTECTION (informed by NIST SP 800-53 Rev. 4, AU-4, AU-5 (1), AU-9, AU-9 (2), AU-9 (3), AU-9 (4), &

AU-10)

[Licensee/Applicant]:

  • Allocates sufficient audit record storage capacity in accordance with U.S. Nuclear Regulatory Commission (NRC) record retention requirements and configures auditing to prevent capacity from being exceeded;
  • Authorizes access to management of audit functionality to only authorized users with cyber security responsibilities;
  • Ensures the VDA provides an alert to authorized personnel when allocated audit record storage volume reaches 80 percent of repository maximum audit record storage capacity;
  • Ensures the VDA backs up audit records onto a physically different VDA than the VDA being audited;
  • Ensures the VDA protects audit information and audit tools from unauthorized access, modification, and deletion;
  • Ensures the VDA implements cryptographic mechanisms to protect the integrity of audit information and audit tools; and
  • Ensures the VDA protects against an individual (or process acting on behalf of an individual) falsely denying having performed any action on the VDA.

D-16 AUDIT REVIEW, ANALYSIS, AND REPORTING (informed by NIST SP 800-53 Rev. 4, AU-6, AU-6a, AU-6b, AU-6 (1), AU-6 (3), AU-6 (5),

AU-6 (6), AU-10 (3), AU-10 (4), & AU-12 (1))

[Licensee/Applicant]:

  • Employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities;
  • Reviews and analyzes VDA audit records in a timely manner for indications of potential compromise;
  • Analyzes and correlates audit records across different repositories to gain organization-wide situational awareness;
  • Integrates analysis of audit records with analysis of vulnerability scanning information, performance data, VDA monitoring information, and data/information collected from other sources to further enhance the ability to identify potential unauthorized activity;
  • Correlates information from audit records with information obtained from monitoring physical access to the VDA to further enhance the ability to identify potential unauthorized activity;
  • Reports findings to the CST; and
  • Ensures the VDA compiles audit records into a logical or physical audit trail that is time-correlated to, at a minimum, within one-tenth of a second.

[Licensee/Applicant] ensures the VDA:

  • Maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released; DG-5062, Page D-5 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer; and
  • Prevents access to, modification of, or transfer of the information in the event of a validation error.

D-17 SECURITY CONTROL ASSESSMENTS (informed by NIST SP 800-53 Rev. 4, CA-2)

[Licensee/Applicant]:

  • Develops a security assessment plan that describes the scope of the assessment including:

o Security controls and control enhancements under assessment; o Assessment procedures to be used to determine security control effectiveness; o Assessment environment, assessment team, and assessment roles and responsibilities; and

  • Assesses the security controls in the VDA and its environment of operation at least every 92 days to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
  • Produces a security assessment report that documents the results of the assessment;
  • Includes and documents as part of VDA security control assessments:

o An attack tree/attack surface analysis of the VDA (to be done at least every 24 months);

o Announced assessments:

In-depth monitoring (to be done automatically, in real time);

Vulnerability scanning (to be done at least every 30 days);

Malicious actor testing (to be done at least every 92 days);

Insider threat assessment (to be done at least every 92 days); and o Unannounced assessments (in addition to announced assessments above):

Vulnerability scanning (to be done at least every 183 days);

Malicious actor testing (to be done at least every 12 months);

Insider threat assessment (to be done at least every 183 days);

Performance/load testing (to be done at least every 183 days); and o Provides the results of the security control assessment to the CST; and

  • Restricts access to the results of the security control assessment to authorized personnel with a need-to-know.

D-18 INDEPENDENCE OF ASSESSORS (informed by NIST SP 800-53 Rev. 4, CA-2 (1), CA-7 (1), CA-8, & CA-8 (1))

[Licensee/Applicant]:

  • Utilizes assessors or assessment teams that are independent of those personnel responsible for program management or cyber security control implementation to conduct assessments of the cyber security controls;
  • Utilizes assessors or assessment teams that are independent of those personnel responsible for program management or cyber security control implementation to monitor the cyber security controls for the VDA on an ongoing basis;
  • Conducts penetration testing at least every 12 months on the VDA; and
  • Utilizes assessors or assessment teams that are independent of those personnel responsible for program management or cyber security control implementation to perform penetration testing on the VDA.

DG-5062, Page D-6 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE D-19 ENHANCEMENTS TO VDA CONNECTIONS (informed by NIST SP 800-53 Rev. 4, CA-3 (3), CA-3 (4), CA-3 (5), & CA-9)

[Licensee/Applicant]:

  • Prohibits remote access to VDAs associated with security functions;
  • Employs a deny-all, permit-by-exception policy for allowing non-security related VDAs to connect to external information systems;
  • Prohibits the direct connection of a non-security related VDA to an external network without the use of:

o At least one separate, intervening access control device (e.g. firewall, cross domain solution);

o At least one separate, intervening intrusion detection/prevention mechanism with near-realtime prevention, detection and alerting capability; o Host-based protective measures; o Other measures necessary to prevent a consequence of concern; and

  • Prohibits the direct connection of a VDA to a public network;
  • Authorizes connections to the VDA; and
  • Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated.

D-20 INTERIM COMPENSATORY MEASURES (informed by NIST SP 800-53 Rev. 4, CA-5)

[Licensee/Applicant]:

  • Documents an interim compensatory measure plan to correct weaknesses or deficiencies noted during the assessment of VDA security controls and to reduce or eliminate known vulnerabilities in the VDA;
  • Updates interim compensatory measure plan at least every 30 days based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities; and
  • Restricts access to the interim compensatory measure plan to authorized personnel with a need-to-know.

D-21 CONFIGURE VDAS FOR HIGH-RISK AREAS (informed by NIST SP 800-53 Rev. 4, CM-2 (7))

Prior to transporting VDAs to locations that [licensee/applicant] deems to be of significant risk, the [licensee/applicant]:

  • Documents a detailed justification for the VDA to be transported;
  • Obtains written approval from the CST and management;
  • Documents the VDA configuration baseline and component inventory prior to leaving controlled areas;
  • Ensures safeguards or security-related information on the VDA is purged or protected in a manner that prevents an adversary from recovering the data prior to leaving controlled areas;
  • Performs a review of the VDA configuration baseline and component inventory upon return;
  • Performs testing of the VDA to ensure no cyber compromise has occurred; and
  • Performs a security control assessment to ensure all controls are in place, operational, and performing the intended function.

DG-5062, Page D-7 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE D-22 CONFIGURATION CHANGE CONTROL (informed by NIST SP 800-53 Rev. 4, CM-3)

[Licensee/Applicant]:

  • Documents changes to the VDA that shall be configuration-controlled per Title 10 of the Code of Federal Regulations (10 CFR) 73.53;
  • Reviews proposed configuration-controlled changes to the VDA and approves or disapproves such changes with explicit consideration for security impact analyses before implementation of the change;
  • Documents configuration change decisions associated with the VDA;
  • Implements approved configuration-controlled changes to the VDA;
  • Retains records of configuration-controlled changes to the VDA in accordance with NRC record retention requirements;
  • Audits and reviews activities associated with configuration-controlled changes to the VDA; and
  • Coordinates and provides oversight for configuration change control activities through the change management process.

D-23 CHANGE TESTING AND ANALYSIS (informed by NIST SP 800-53 Rev. 4, CM-3 (2), CM-4, & CM-4 (1))

[Licensee/Applicant]:

  • Tests, validates, and documents changes to the VDA before implementing the changes to the VDA;
  • Analyzes changes to the VDA to determine potential security impacts prior to change implementation; and
  • Analyzes changes to the VDA in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

D-24 ACCESS RESTRICTIONS FOR CHANGE (informed by NIST SP 800-53 Rev. 4, CM-5 & CM-5 (1))

[Licensee/Applicant]:

  • Defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the VDA; and
  • Ensures VDA enforces access restrictions and supports auditing of the enforcement actions.

D-25 REVIEW VDA CHANGES (informed by NIST SP 800-53 Rev. 4, CM-5 (2))

[Licensee/Applicant] reviews VDA changes at least every 183 days or in the event of suspected compromise to determine whether unauthorized changes have occurred.

D-26 SIGNED COMPONENTS (informed by NIST SP 800-53 Rev. 4, CM-5 (3))

[Licensee/Applicant] ensures the VDA prevents the installation of software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

DG-5062, Page D-8 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE D-27 CONFIGURATION SETTINGS (informed by NIST SP 800-53 Rev. 4, CM-6, CM-6 (1), & CM-6 (2))

[Licensee/Applicant]:

  • Establishes and documents configuration settings within the VDA that reflect the most restrictive mode consistent with operational requirements;
  • Implements the configuration settings;
  • Identifies, documents, and approves any deviations from established configuration settings;
  • Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures;
  • Employs automated mechanisms to centrally manage, apply, and verify VDA configuration settings; and
  • Reports unauthorized changes to VDA configuration settings to the cyber security incident response team upon detection.

D-28 LEAST FUNCTIONALITY (informed by NIST SP 800-53 Rev. 4, CM-7)

[Licensee/Applicant]:

  • Configures the VDA to provide only essential capabilities, to perform its function and maintain safe and secure operations; and
  • Prohibits or restricts the use of unneeded functions, ports, protocols, and/or services.

D-29 PERIODIC REVIEW (informed by NIST SP 800-53 Rev. 4, CM-7 (1))

[Licensee/Applicant]:

  • Reviews the VDA at least every 30 days to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
  • Disables or restricts unneeded functions, ports, protocols, and/or services identified by the review.

D-30 AUTHORIZED SOFTWARE (informed by NIST SP 800-53 Rev. 4, CM-7 (2) & CM-7 (4))

[Licensee/Applicant]:

  • Identifies software programs authorized to execute on the VDA;
  • Employs an deny-all, allow-by-exception policy to prohibit the execution of unauthorized software programs on the VDA;
  • Reviews and updates the list of authorized software programs, at least every 183 days; and
  • Employs automated mechanisms for the VDA(i.e. application white-listing) to prevent unauthorized program execution.

D-31 VDA COMPONENT INVENTORY (informed by NIST SP 800-53 Rev. 4, CM-8, CM-8 (1), CM-8 (2), CM-8 (3), & CM-8 (4)

[Licensee/Applicant]:

  • Develops and documents an inventory of VDA components that:

o Accurately reflects the current VDA; o Includes all components within the boundary of the VDA; DG-5062, Page D-9 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE o Is at the level of granularity necessary for tracking and reporting; o Includes information necessary to achieve effective VDA component accountability; and

  • Reviews and updates the VDA component inventory at least every 92 days or as part of any changes to a VDA;
  • Updates the inventory of VDA components as an integral part of component installations, removals, and VDA updates;
  • Employs automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the VDA;
  • Employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of VDA components;
  • Includes in the VDA component inventory information, a means for identifying individuals responsible/accountable for administering those components; and
  • Takes appropriate actions when unauthorized components are detected to remove, disable, or otherwise prevent the unauthorized component from causing a consequence of concern.

D-32 INSTALLED SOFTWARE (informed by NIST SP 800-53 Rev. 4, CM-11)

[Licensee/Applicant]:

  • Establishes policies governing the installation of software on VDAs consistent with configuration management in 10 CFR 73.53(f);
  • Enforces software installation policies using automated measures where supported; and
  • Monitors policy compliance using automated measures where supported.

D-33 IDENTIFICATION AND AUTHENTICATION (informed by NIST SP 800-53 Rev. 4, IA-2, IA-2 (1), IA-2 (2), IA-2 (3), IA-2 (4), IA-2 (8), IA-2 (9), IA-2 (11), IA-2 (12), IA-3, & IA-8)

[Licensee/Applicant] ensures the VDA:

  • Uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users) and non-organizational users (or processes acting on behalf of non-organizational users);
  • Implements multifactor authentication for network access to privileged accounts;
  • Implements multifactor authentication for network access to non-privileged accounts;
  • Implements multifactor authentication for local access to privileged accounts;
  • Implements multifactor authentication for local access to non-privileged accounts;
  • Implements replay-resistant authentication mechanisms for network access to privileged accounts;
  • Implements replay-resistant authentication mechanisms for network access to non-privileged accounts;
  • Implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the VDA gaining access and the device meets E-authentication Assurance Level 3 as described in NIST SP 800-63-2 or later revisions;
  • Accepts and electronically verifies Personal Identity Verification credentials; and
  • Uniquely identifies and authenticates devices before establishing a connection to a VDA.

DG-5062, Page D-10 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE D-34 IDENTIFIER MANAGEMENT (informed by NIST SP 800-53 Rev. 4, IA-4)

[Licensee/Applicant] manages VDA identifiers by:

  • Receiving independent management authorization to assign an individual, group, role, or device identifier;
  • Selecting an identifier that identifies an individual, group, role, or device;
  • Assigning the identifier to the intended individual, group, role, or device;
  • Preventing reuse of identifiers where reuse could allow unintended or unauthorized access; and
  • Disabling the identifier within 30 days of inactivity.

D-35 AUTHENTICATOR MANAGEMENT (informed by NIST SP 800-53 Rev. 4, IA-5)

[Licensee/Applicant] manages VDA authenticators by:

  • Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
  • Establishing initial authenticator content for authenticators defined by the organization;
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use;
  • Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
  • Changing default content of authenticators prior to VDA installation;
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
  • Documenting authenticator types approved for use, the frequency for changing/refreshing, and the technical justification that demonstrates that adequate security is provided by the frequency;
  • Protecting authenticator content from unauthorized disclosure and modification;
  • Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
  • Changing authenticators for group/role accounts when membership to those accounts changes.

[Licensee/Applicant] requires that the registration process to receive authenticators be conducted in person or by a trusted third party with management authorization.

D-36 PASSWORD-BASED AUTHENTICATION (informed by NIST SP 800-53 Rev. 4, IA-5 (1))

For password-based authentication for the VDA, the [Licensee/Applicant]:

  • Enforces a minimum password length, strength, and complexity that is within the capabilities of the VDA and commensurate with the required level of security;
  • Enforces password complexity such that the passwords cannot be found in a dictionary and do not contain predictable sequences of numbers or letters;
  • Enforces a sufficient number of changed characters when new passwords are created to ensure adversaries cannot determine the current password from previous entries;
  • Stores and transmits only cryptographically-protected passwords;
  • Enforces lifetime restrictions for password minimums of 1 day and provides a technical basis for maximums defined and documented by the CST that prevents unauthorized access;
  • Prohibits password reuse for 10 generations;
  • Requires an immediate change to a permanent password upon the first logon, when temporary passwords are used for VDA logons; and DG-5062, Page D-11 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Stores written or electronic copies of master passwords in a secure location with limited access.

D-37 PUBLIC KEY INFRASTRUCTURE (PKI)-BASED AUTHENTICATION (informed by NIST SP 800-53 Rev. 4, IA-5 (2))

[Licensee/Applicant] ensures that PKI-based authentication for the VDA:

  • Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
  • Enforces authorized access to the corresponding private key;
  • Maps the authenticated identity to the account of the individual or group; and
  • Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

D-38 IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION (informed by NIST SP 800-53 Rev. 4, IA-5 (3))

[Licensee/Applicant] requires that the registration process to receive authenticators be conducted in person or by a trusted third party with management authorization.

D-39 HARDWARE TOKEN-BASED AUTHENTICATION (informed by NIST SP 800-53 Rev. 4, IA-5 (11))

[Licensee/Applicant] ensures that hardware token-based authentication for the VDA, employs mechanisms that satisfy Level 4 as described in NIST SP 800-63-2 or later revisions.

D-40 AUTHENTICATOR FEEDBACK (informed by NIST SP 800-53 Rev. 4, IA-6)

[Licensee/Applicant] ensures the VDA obscures feedback of authentication information during the authentication process to protect the information from possible exploitation or use by unauthorized individuals.

D-41 CRYPTOGRAPHIC MODULE AUTHENTICATION (informed by NIST SP 800-53 Rev. 4, IA-7)

[Licensee/Applicant] ensures the VDA implements mechanisms for authentication to a cryptographic module based on NIST Cryptographic Module Validation Program (CMVP) and associated guidance for such authentication.

D-42 INCIDENT RESPONSE TRAINING (informed by NIST SP 800-53 Rev. 4, IR-2, IR-2 (1), & IR-2 (2))

[Licensee/Applicant] provides incident response training to VDA users consistent with assigned roles and responsibilities:

  • Within 92 days of assuming an incident response role or responsibility;
  • When required by VDA changes; and
  • At least every 12 months.

DG-5062, Page D-12 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

[Licensee/Applicant]:

  • Incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations; and
  • Employs automated mechanisms to provide a more thorough and realistic incident response training environment.

D-43 INCIDENT RESPONSE TESTING (informed by NIST SP 800-53 Rev. 4, IR-3 & IR-3 (2))

[Licensee/Applicant]:

  • Tests the incident response capability for the VDA at least every 92 days using one or more of the following methods to determine the incident response effectiveness and documents the results of checklists, walk-through or tabletop exercises, and simulations (parallel/full interrupt);
  • Tests the incident response capability for the VDA at least every 36 months using a comprehensive exercise; and
  • Coordinates incident response testing with organizational elements responsible for related plans.

D-44 INCIDENT HANDLING (informed by NIST SP 800-53 Rev. 4, IR-4, IR-4 (1), & IR-4 (4))

[Licensee/Applicant]:

  • Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
  • Coordinates incident handling activities with contingency planning activities;
  • Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly;
  • Employs automated mechanisms to support the incident handling process; and
  • Correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

D-45 INCIDENT MONITORING (informed by NIST SP 800-53 Rev. 4, IR-5 & IR-5 (1))

[Licensee/Applicant]

  • Tracks and documents VDA security incidents; and
  • Employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.

D-46 INCIDENT REPORTING (informed by NIST SP 800-53 Rev. 4, IR-6 & IR-6 (1))

[Licensee/Applicant]:

  • Requires personnel to report suspected cyber security incidents to the CST upon discovery; and
  • Employs automated mechanisms to assist in the reporting of security incidents.

DG-5062, Page D-13 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE D-47 INCIDENT RESPONSE ASSISTANCE (informed by NIST SP 800-53 Rev. 4, IR-7 & IR-7 (1))

[Licensee/Applicant]:

  • Provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the VDA for the handling and reporting of security incidents; and
  • Employs automated mechanisms to increase the availability of incident response-related information and support.

D-48 INFORMATION SPILLAGE RESPONSE (informed by NIST SP 800-53 Rev. 4, IR-9, IR-9 (1), IR-9 (2), IR-9 (3), & IR-9 (4))

[Licensee/Applicant]:

  • Responds to information spills by:

o Identifying the specific information involved in the VDA contamination; o Alerting the CST of the information spill using a method of communication not associated with the spill; o Isolating the contaminated VDA or system component; o Eradicating the information from the contaminated VDA or component; o Identifying other VDAs or system components that may have been subsequently contaminated; o Documenting the incident; and

  • Assigns authorized personnel with responsibility for responding to information spills;
  • Provides information spillage response training at least every 12 months;
  • Implements procedures to ensure that corrective actions associated with information spills cannot result in consequence of concern; and
  • Utilizes appropriate response procedures and safeguards for personnel exposed to information not within assigned access authorizations.

D-49 CONTROLLED MAINTENANCE (informed by NIST SP 800-53 Rev. 4, MA-2 & MA-2 (2))

[Licensee/Applicant]:

  • Performs and documents maintenance and repairs on VDAs in a timely manner to prevent a consequence of concern;
  • Reviews records for maintenance and repairs on VDAs in accordance with manufacturer or vendor specifications but at least every 30 days;
  • Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
  • Requires that CST approve the removal of the VDA for off-site maintenance or repairs outside the licensees positive control;
  • Sanitizes equipment to remove all information from associated media prior to removal for off-site maintenance or repairs outside the licensees positive control;
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions;
  • Includes in records of maintenance and repairs on VDA components at a minimum: date, time, identification of those performing the maintenance, description of maintenance performed, and VDA components removed or replaced;
  • Retains records for inspection by the NRC; DG-5062, Page D-14 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and
  • Produces up-to date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed.

D-50 MAINTENANCE TOOLS (informed by NIST SP 800-53 Rev. 4, MA-3, MA-3 (1), & MA-3 (2), & MA-3 (3))

[Licensee/Applicant]:

  • approves, controls, and monitors VDA maintenance tools;
  • inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications; and
  • checks media containing diagnostic and test programs for malicious code before the media are used in the VDA.

[Licensee/Applicant] prevents the unauthorized removal of maintenance equipment containing VDA information by:

  • Verifying that there is no VDA information contained on the equipment;
  • Sanitizing or destroying the equipment;
  • Retaining the equipment within the facility; or
  • Obtaining an exemption from the CST explicitly authorizing removal of the equipment from the facility.

D-51 NONLOCAL MAINTENANCE (informed by NIST SP 800-53 Rev. 4, MA-4, MA-4 (2), & MA-4 (3))

[Licensee/Applicant]:

  • Approves and monitors nonlocal maintenance and diagnostic activities;
  • Documents and only allows the use of nonlocal maintenance and diagnostic tools for the VDA where those tools do not introduce vulnerabilities or lead to a consequence of concern (e.g.,

information systems that perform maintenance on VDAS are protected equivalent to the VDA.);

  • Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
  • Maintains records for nonlocal maintenance and diagnostic activities; and
  • Terminates session and network connections when nonlocal maintenance is completed.

[Licensee/Applicant]:

  • Documents the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections; or
  • Removes the component to be serviced from the VDA prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to VDA information) before removal from licensee facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the VDA.

D-52 MAINTENANCE PERSONNEL (informed by NIST SP 800-53 Rev. 4, MA-5 & MA-5 (1))

[Licensee/Applicant]:

  • Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel; DG-5062, Page D-15 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Ensures that unescorted personnel performing maintenance on the VDA have required access authorizations; and
  • Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

[Licensee/Applicant]:

  • Implements procedures for the use of maintenance personnel that lack appropriate security clearances that include the following requirements:

o Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the VDA by approved personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; o Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the VDA are sanitized and all nonvolatile storage media are removed or physically disconnected from the VDA and secured; and

  • Develops and implements alternate security safeguards in the event a VDA component cannot be sanitized, removed, or disconnected from the VDA.

D-53 TIMELY MAINTENANCE (informed by NIST SP 800-53 Rev. 4, MA-6)

[Licensee/Applicant] obtains maintenance support and/or spare parts for VDAs that must remain operational to prevent a consequence of concern.

D-54 MEDIA ACCESS (informed by NIST SP 800-53 Rev. 4, MP-2)

[Licensee/Applicant] restricts access to VDA media to authorized individuals only. VDA media includes any active storage device, passive storage device, or passive media that:

  • Contain information used to manage, configure, maintain, secure or operate the VDA; or
  • Are used on the VDA for any purpose.

D-55 MEDIA MARKING (informed by NIST SP 800-53 Rev. 4, MP-3)

[Licensee/Applicant] marks VDA media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information.

D-56 MEDIA STORAGE (informed by NIST SP 800-53 Rev. 4, MP-4)

[Licensee/Applicant]:

  • Physically controls and securely stores VDA media; and
  • Protects VDA media until the media are destroyed or sanitized using approved equipment, techniques, and procedures that would prevent recovery of the data by an adversary.

DG-5062, Page D-16 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE D-57 MEDIA TRANSPORT (informed by NIST SP 800-53 Rev. 4, MP-5 & MP-5 (4))

[Licensee/Applicant]:

  • Protects and controls VDA media during transport outside of controlled areas;
  • Maintains accountability for VDA media during transport outside of controlled areas;
  • Documents activities associated with the transport of VDA media;
  • Restricts the activities associated with the transport of VDA media to authorized personnel; and
  • Implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

D-58 MEDIA SANITIZATION (informed by NIST SP 800-53 Rev. 4, MP-6, MP-6 (1), MP-6 (2), & MP-6 (3))

[Licensee/Applicant]:

  • Sanitizes VDA media prior to disposal, release out of organizational control, or release for reuse in a manner that would prevent recovery of the data by an adversary;
  • Reviews, approves, tracks, documents, and verifies media sanitization and disposal actions;
  • Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information;
  • Tests sanitization equipment and procedures at least every 12 months to verify that the intended sanitization is being achieved; and
  • Applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the VDA.

D-59 MEDIA USE (informed by NIST SP 800-53 Rev. 4, MP-7 & MP-7 (1))

[Licensee/Applicant] prohibits the use of any media with a VDA, except specifically approved VDA media with an identifiable and verifiable owner.

D-60 MONITORING PHYSICAL ACCESS (informed by NIST SP 800-53 Rev. 4, PE-6)

[Licensee/Applicant]:

  • Monitors physical access to the facility where the VDA resides to detect and respond to physical security incidents;
  • Reviews physical access logs in a timely manner and upon occurrence of anomalous behavior;
  • Coordinates results of reviews and investigations with the organizational incident response capability; and
  • Monitors physical access to the VDA to detect unauthorized access in a timely manner.

D-61 VULNERABILITY SCANNING (informed by NIST SP 800-53 Rev. 4, RA-5, RA-5 (1), RA-5 (2), RA-5 (3), RA-5 (4), &

RA-5 (5))

[Licensee/Applicant]:

  • Scans for vulnerabilities in the VDA and hosted applications at least every 30 days and when new vulnerabilities potentially affecting the VDA, applications or both are identified and reported; DG-5062, Page D-17 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

o Enumerating platforms, software flaws, and improper configurations; o Formatting checklists and test procedures; o Measuring vulnerability impact; and

  • Analyzes vulnerability scan reports and results from security control assessments;
  • Addresses vulnerabilities in a timely and technically justified manner to prevent a consequence of concern;
  • Shares information obtained from the vulnerability scanning process and security control assessments with appropriate personnel to help eliminate similar vulnerabilities in other VDAs (i.e., systemic weaknesses or deficiencies);
  • Employs vulnerability scanning tools that include the capability to readily update the VDA vulnerabilities to be scanned;
  • Updates the VDA vulnerabilities scanned prior to a new scan;
  • Employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information VDA components scanned and vulnerabilities checked);
  • Determines what information about the VDA is discoverable by adversaries and takes measures to address the associated potential cyber security issues; and
  • Implements privileged access authorization to the VDA for vulnerability scanning activities.

D-62 EXTERNAL INFORMATION SYSTEM SERVICES (informed by NIST SP 800-53 Rev. 4, SA-9 & SA-9 (2))

[Licensee/Applicant]:

  • Requires that providers of external information system services that interact with VDAs comply with information security requirements and address security controls for the associated consequence of concern;
  • Defines and documents oversight and user roles and responsibilities with regard to external information system services;
  • Employs automated mechanisms to monitor security control compliance by external service providers on an ongoing basis; and
  • Requires providers of external information system services that interact with VDAs to identify the functions, ports, protocols, and other services required for the use of such services.

D-63 DEVELOPER CONFIGURATION MANAGEMENT (informed by NIST SP 800-53 Rev. 4, SA-10)

[Licensee/Applicant] requires the developer of the VDA, component, or information system service to:

  • Perform configuration management during the VDA, component, or service lifecycle;
  • Document, manage, and control the integrity of changes to the VDA, component, or service;
  • Implement only organization-approved changes to the VDA, component, or service;
  • Document approved changes to the VDA, component, or service and the potential security impacts of such changes; and
  • Track security flaws and flaw resolution within the VDA, component, or service and report findings to CST.

DG-5062, Page D-18 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE D-64 DEVELOPER SECURITY TESTING AND EVALUATION (informed by NIST SP 800-53 Rev. 4, SA-11)

[Licensee/Applicant] requires the developer of the VDA, component, or information system service to:

  • Create and implement a security assessment plan;
  • Produce evidence of the execution of the security assessment plan and the results of the security testing and evaluation;
  • Implement a verifiable flaw remediation process; and
  • Correct flaws identified during security testing and evaluation.

D-65 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS (informed by NIST SP 800-53 Rev. 4, SA-15)

[Licensee/Applicant]:

  • Requires the developer of the VDA, VDA component, or VDA service to follow a documented development process that:

o Explicitly addresses security requirements; o Identifies the standards and tools used in the development process; o Documents the specific tool options and tool configurations used in the development process; and

  • Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
  • Reviews the development process, standards, tools, and tool options/configurations to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy VDA security requirements.

D-66 DEVELOPER SECURITY ARCHITECTURE AND DESIGN (informed by NIST SP 800-53 Rev. 4, SA-17)

[Licensee/Applicant] requires the developer of the VDA, VDA component, or VDA service e to produce a design specification and security architecture that:

  • Is consistent with and supportive of the licensees security architecture;
  • Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and
  • Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.

D-67 SYSTEM PROTECTION (informed by NIST SP 800-53 Rev. 4, SC-2, SC-3, & SC-4)

[Licensee/Applicant]:

  • Separates user functionality on the VDA (including user interface services) from VDA management functionality;
  • Isolates security functions from nonsecurity functions on the VDA; and
  • Prevents unauthorized and unintended information transfer via shared resources.

DG-5062, Page D-19 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE D-68 DENIAL OF SERVICE PROTECTION (informed by NIST SP 800-53 Rev. 4, SC-5)

[Licensee/Applicant] protects against or limits the effects of denial of service attacks by employing technical safeguards and countermeasures.

D-69 BOUNDARY PROTECTION (informed by NIST SP 800-53 Rev. 4, SC-7, SC-7 (3), SC-7 (4), SC-7 (5), & SC-7 (7))

[Licensee/Applicant] ensures the VDA:

  • Monitors and controls communications at the boundary of the VDA and at key internal boundaries within the VDA;
  • Implements subnetworks for publicly or externally accessible VDA components that are physically or logically separated from internal [licensee/applicant] networks; and
  • Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with the security architecture.

D-70 EXTERNAL TELECOMMUNICATIONS SERVICES (informed by NIST SP 800-53 Rev. 4, SC-7 (4), SC-7 (5), SC-7 (7). SC-7 (8), SC-7 (10),

SC-7 (11), SC-7 (12), SC-7 (14), SC-7 (18), SC-7 (20), & SC-7 (21))

[Licensee/Applicant]:

  • Implements a managed interface for each external telecommunication service;
  • Establishes a traffic flow policy for each managed interface;
  • Protects the confidentiality and integrity of the information being transmitted across each interface;
  • Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need;
  • Reviews exceptions to the traffic flow policyon a timely basis and removes exceptions that are no longer supported by an explicit mission/business need;
  • Implements a managed interface for each external telecommunication service;
  • Establishes a traffic flow policy for each managed interface;
  • Protects the confidentiality and integrity of the information being transmitted across each interface;
  • Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need;
  • Reviews exceptions to the traffic flow policy at least every 30 days and removes exceptions that are no longer supported by an explicit mission/business need;
  • Prevents the unauthorized exfiltration of information across managed interfaces;
  • Allows only incoming communications from authorized sources to be routed to VDAs;
  • Implements host-based firewalls on VDAs;
  • Protects against unauthorized physical connections to the VDA; and
  • Employs boundary mechanisms.

[Licensee/Applicant] ensures the VDA:

  • Has managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception);
  • Prevents, in conjunction with a remote device, the device from simultaneously establishing DG-5062, Page D-20 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE non-remote connections with the system and communicating via some other connection to resources in external networks;

  • Routes internal communications traffic to external networks through authenticated proxy servers at managed interfaces;
  • Provides the capability to dynamically isolate/segregate VDAs from other VDAs; and
  • Fails securely and safely in the event of an operational failure of a boundary protection device.

D-71 TRANSMISSION CONFIDENTIALITY AND INTEGRITY (informed by NIST SP 800-53 Rev. 4, SC-8 & SC-8 (1))

[Licensee/Applicant] ensures the VDA:

  • Protects the confidentiality and integrity of transmitted information; and
  • Implements cryptographic mechanisms to prevent unauthorized disclosure of information and to detect changes to information during transmission, unless the transmission medium is otherwise protected by alternative physical safeguards.

D-72 NETWORK DISCONNECT (informed by NIST SP 800-53 Rev. 4, SC-10)

[Licensee/Applicant] terminates the network connection associated with a VDA communications session at the end of the session or within 10 minutes of inactivity, except for communications sessions that are necessary for safe operation of the VDA or are necessary to prevent a consequence of concern.

D-73 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT (informed by NIST SP 800-53 Rev. 4, SC-12 & SC-12 (1))

[Licensee/Applicant]:

  • Establishes and manages cryptographic keys for required cryptography employed within the VDA in accordance with NIST CMVP; and
  • Maintains availability of information necessary to safely operate the VDA or prevent a consequence of concern in the event of the loss of cryptographic keys by users.

D-74 COLLABORATIVE COMPUTING DEVICES (informed by NIST SP 800-53 Rev. 4, SC-15, SC-15 (1), SC-15 (3), & SC-15 (4))

[Licensee/Applicant] disables or removes collaborative computing devices from digital assets in areas where access could disclose information leading to a consequence of concern.

[Licensee/Applicant] ensures the VDA:

  • Prohibits remote activation of collaborative computing devices except where explicitly authorized;
  • Provides an explicit indication of use to users physically present at the devices;
  • Provides physical disconnect of collaborative computing devices in a manner that supports ease of use; and
  • Provides an explicit indication of current participants in collaborative sessions.

DG-5062, Page D-21 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE D-75 PUBLIC KEY INFRASTRUCTURE CERTIFICATES (informed by NIST SP 800-53 Rev. 4, SC-17)

[Licensee/Applicant] issues public key certificates under a certificate policy or obtains public key certificates from a service provider approved by the licensee.

D-76 VOICE OVER INTERNET PROTOCOL (VOIP)

(informed by NIST SP 800-53 Rev. 4, SC-19)

[Licensee/Applicant]:

  • Establishes usage restrictions and implementation guidance VoIP technologies based on the potential to cause damage to the VDA if used maliciously; and
  • Authorizes, monitors, and controls the use of VoIP within the VDA.

D-77 SECURE NAME / ADDRESS RESOLUTION (informed by NIST SP 800-53 Rev. 4, SC-20, SC-20a, SC-21, & SC-22)

[Licensee/Applicant] ensures the VDA:

  • Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the VDA returns in response to external name/address resolution queries;
  • Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace;
  • Requests and performs data origin authentication and data integrity verification on the name/address resolution responses the VDA receives from authoritative sources; and
  • Collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

D-78 SESSION AUTHENTICITY (informed by NIST SP 800-53 Rev. 4, SC-23)

[Licensee/Applicant] ensures the VDA protects the authenticity of communications sessions.

D-79 FAIL IN KNOWN STATE (informed by NIST SP 800-53 Rev. 4, SC-24)

[Licensee/Applicant]:

  • Ensures VDAs fail in a known-state to ensure that functions are not adversely impacted; and
  • Prevents a loss of confidentiality, integrity, or availability in the event of a failure of the VDA or a component of the VDA.

D-80 PROTECTION OF INFORMATION AT REST (informed by NIST SP 800-53 Rev. 4, SC-28)

[Licensee/Applicant] protects the confidentiality and integrity of VDA information at rest.

DG-5062, Page D-22 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE D-81 PROCESS ISOLATION (informed by NIST SP 800-53 Rev. 4, SC-39)

[Licensee/Applicant] maintains a separate execution domain for each executing process.

D-82 FLAW REMEDIATION (informed by NIST SP 800-53 Rev. 4, SI-2 & SI-2 (2))

[Licensee/Applicant]:

  • Identifies, reports, and corrects VDA flaws;
  • Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
  • Correcting the flaw expeditiously using the configuration management process;
  • Incorporates flaw remediation into the organizational configuration management process;
  • Performs vulnerability scans and assessments of the VDA to validate that the flaw has been eliminated before the VDA is put into production; and
  • Employs automated mechanisms to determine the state of VDA components with regard to flaw remediation.

D-83 MALICIOUS CODE PROTECTION (informed by NIST SP 800-53 Rev. 4, SI-3, SI-3 (1), SI-3 (2), SI-3 (8), & SI-3 (10))

[Licensee/Applicant]:

  • Employs malicious code protection mechanisms at VDA network entry and exit points to detect and eradicate malicious code;
  • Updates malicious code protection mechanisms whenever new releases are available;
  • Configures malicious code protection mechanisms to:

o Perform periodic scans of the VDA at least every 7 days; o Perform real-time scans of files from external sources as the files are downloaded, opened, or executed; o Prevent malicious code execution; o Alert the CST of the detection of malicious code in a timely manner; and

  • Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the VDA;
  • Centrally manages malicious code protection mechanisms;
  • Automatically updates malicious code protection mechanisms for the VDA;
  • Detects unauthorized operating system commands in VDAs through the kernel application programming interface and:

o Issues a warning; o Audits the command execution; o Prevents the execution of the command; and

  • Employs tools and techniques to analyze the characteristics and behavior of malicious code; and
  • Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes.

D-84 VDA MONITORING (informed by NIST SP 800-53 Rev. 4, SI-4, SI-4 (2), SI-4 (4), & SI-4 (5))

[Licensee/Applicant]:

  • Monitors the VDA to detect:

DG-5062, Page D-23 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE o Cyber attacks and indicators of potential cyber attacks; o Unauthorized local, network, and remote connections; and

  • Identifies unauthorized use of the VDA using automated or other means;
  • Deploys monitoring devices:

o Strategically within the VDA to collect organization-determined essential information; o At ad hoc locations within the system to track specific types of transactions of interest to the organization; and

  • Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
  • Heightens the level of VDA monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
  • Provides VDA monitoring information to appropriate licensee cyber security personnel as necessary;
  • Employs automated tools to support near real-time analysis of events;
  • Monitors inbound and outbound communications traffic for the VDA in near real-time for unusual or unauthorized activities or conditions; and
  • Ensures appropriate cyber security personnel are alerted when indications of compromise or potential compromise of the VDA occurs.

D-85 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES (informed by NIST SP 800-53 Rev. 4, SI-5 & SI-5 (1))

[Licensee/Applicant]:

  • Receives cyber security alerts, advisories, and directives from diverse and credible external sources on an ongoing basis;
  • Generates internal security alerts, advisories, and directives as necessary to prevent a consequence of concern;
  • Disseminates security alerts, advisories, and directives to appropriate personnel and the NRC;
  • Implements security directives in a timely manner; and
  • Employs automated mechanisms to make security alert and advisory information available throughout the organization.

D-86 SECURITY FUNCTION VERIFICATION (informed by NIST SP 800-53 Rev. 4, SI-6 & SI-6 (3))

[Licensee/Applicant]:

  • Verifies the correct operation of security functions;
  • Performs this verification upon startup and restart, upon command by a user with appropriate privilege, at least every 7 days, and when anomalies are discovered;
  • Notifies appropriate personnel in a timely manner of failed security verification tests; and
  • Reports the results of security function verification to the CST.

D-87 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY (informed by NIST SP 800-53 Rev. 4, SI-7, SI-7 (1), SI-7 (2), SI-7 (5), SI-7 (7), SI-7 (12),

SI-7 (12), SI-7 (14))

[Licensee/Applicant]:

  • Employs integrity verification tools to detect unauthorized changes to VDA software, firmware, and information; DG-5062, Page D-24 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Performs an integrity check of VDA software, firmware, and information. This occurs, where possible, upon startup and restart, upon command by a user with appropriate privilege, at least every 30 days, and when anomalies are discovered;
  • Employs automated tools that provide notification to appropriate personnel upon discovering discrepancies during integrity verification;
  • Automatically takes proactive protection measures when VDA integrity violations are discovered;
  • Incorporates the detection of unauthorized security-relevant changes to the VDA into the organizational incident response capability;
  • Requires that the integrity of software be verified prior to execution; and
  • Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code.

D-88 ENHANCEMENTS TO INFORMATION INPUT VALIDATION (informed by NIST SP 800-53 Rev. 4, SI-10 (5))

[Licensee/Applicant] restricts the use of information inputs to defined trusted sources and defined formats.

D-89 ERROR HANDLING (informed by NIST SP 800-53 Rev. 4, SI-11)

[Licensee/Applicant] ensures the VDA:

  • Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
  • Reveals error messages only to authorized personnel with a need-to-know.

D-90 INFORMATION HANDLING AND RETENTION (informed by NIST SP 800-53 Rev. 4, SI-12)

[Licensee/Applicant] handles and retains information within the VDA and information output from the VDA in accordance with NRC record retention requirements.

D-91 MEMORY PROTECTION (informed by NIST SP 800-53 Rev. 4, SI-16)

[Licensee/Applicant] implements automated mechanisms and safeguards for the VDA to protect its memory from unauthorized code execution.

DG-5062, Page D-25 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE ADDITIONAL CYBER SECURITY CONTROLS FOR VITAL DIGITAL ASSETS ASSOCIATED WITH ACTIVE CONSEQUENCES OF CONCERN - SAFETY E-1 ACCOUNT MANAGEMENT PROCEDURES (informed by National Institute for Standards and Technology (NIST) Special Publication (SP) 800-53 Rev. 4, AC-2)

[Licensee/Applicant] employs, at a minimum, the following measures in support of the management of user accounts on vital digital assets (VDAs):

  • Assigns account managers for VDA accounts;
  • Establishes conditions for group and role membership;
  • Specifies authorized users of the VDA, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
  • Requires independent management approval for requests to create VDA accounts;
  • Creates, enables, modifies, disables, and removes VDA accounts in accordance with the Access Control policy;
  • Monitors the use of VDA accounts;
  • Notifies account managers in a timely manner:

o When accounts are no longer required; o When users are terminated or transferred; o When individual VDA usage or need-to-know changes; and

  • Authorizes access to the VDA based on:

o A valid access authorization; o Intended VDA usage; and

  • Reviews accounts at least every 30 days for compliance with account management requirements; and
  • Employs, at a minimum, the following measures to restrict the creation and issuance of shared/group VDA accounts:

o Ensures shared/group account requests:

Are issued only when necessary to prevent a consequence of concern; Include a documented technical justification; Are reviewed and approved by the Cyber Security Team (CST) prior to issuance; and o Automatically terminates and establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

E-2 ACCOUNT MANAGEMENT (informed by NIST SP 800-53 Rev. 4, AC-2 (5), AC-2 (12), & AC-2 (13))

[Licensee/Applicant] employs, at minimum, the following measures in support of the management of VDA accounts using a combination of procedural activity and automated means:

  • Requires that users log out within 15 minutes of inactivity unless the login session must be maintained to prevent a consequence of concern;
  • Monitors VDA accounts for atypical usage and anomalous activity that could indicate account compromise;
  • Reports atypical usage of VDA accounts to the CST; and DG-5062, Page E-1 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Disables user accounts that have been potentially compromised upon discovery.

E-3 AUTOMATED ACCOUNT MANAGEMENT (informed by NIST SP 800-53 Rev. 4, AC-2 (1), AC-2 (2), AC-2 (3), & AC-2 (4))

[Licensee/Applicant] employs, at minimum, the following automated technical mechanisms to support the management of VDA accounts, including:

  • Automatically removes or disables temporary and emergency accounts once they are no longer needed;
  • Automatically disables inactive accounts within 30 days; and
  • Automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies appropriate personnel in a timely manner.

E-4 ACCESS MANAGEMENT (informed by NIST SP 800-53 Rev. 4, AC-3 & AC-4)

[Licensee/Applicant] ensures VDAs employ technical measures in support of the enforcement of account access to enforce approved authorizations for:

  • Logical access to VDA information and VDA resources in accordance with applicable access control policies; and
  • Controlling the flow of information within the VDA and between interconnected systems and VDAs.

E-5 REMOTE ACCESS (informed by NIST SP 800-53 Rev. 4, AC-17)

[Licensee/Applicant]:

  • Establishes and documents usage restrictions, configurations, connection requirements, and implementation guidance for each type of remote access allowed; and
  • Authorizes remote access to the VDA prior to allowing such connections.

E-6 MANAGED ACCESS CONTROL POINTS (informed by NIST SP 800-53 Rev. 4, AC-17 (3))

[Licensee/Applicant] ensures all remote accesses to VDAs is through a boundary control device meeting the requirements in cyber security control, BOUNDARY PROTECTION, of this Appendix.

E-7 WIRELESS ACCESS (informed by NIST SP 800-53 Rev. 4, AC-18)

[Licensee/Applicant]:

  • Establishes usage restrictions, configurations, connection requirements, and implementation guidance for wireless access; and
  • Authorizes wireless access to the VDA prior to allowing such connections.

DG-5062, Page E-2 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE E-8 RESTRICT CONFIGURATIONS BY USERS (informed by NIST SP 800-53 Rev. 4, AC-18 (4))

[Licensee/Applicant] identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities.

E-9 ANTENNAS AND TRANSMISSION POWER LEVELS (informed by NIST SP 800-53 Rev. 4, AC-18 (5))

[Licensee/Applicant] selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be accessed outside of licensee-controlled boundaries.

E-10 EXTERNAL INFORMATION SHARING (informed by NIST SP 800-53 Rev. 4, AC-21)

When VDA information is shared with external parties, [licensee/applicant]:

  • Ensures that access authorizations assigned to the sharing partner match the access restrictions on the information; and
  • Employs automated mechanisms to enforce these restrictions.

E-11 USE OF EXTERNAL INFORMATION SYSTEMS (informed by NIST SP 800-53 Rev. 4, AC-20, AC-20 (1), & AC-20 (2))

[Licensee/Applicant] establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

  • Access the VDA from external information systems; and
  • Process, store, or transmit organization-controlled information using external information systems.

[Licensee/Applicant]:

  • Restricts the use of organization-controlled portable storage devices by authorized individuals on external information systems; and
  • Permits authorized individuals to use an external information system to access the VDA or to process, store, or transmit organization-controlled information only when the [licensee/applicant]:

o Verifies the implementation of security controls on the external system equivalent to security controls addressed for the VDA; or o Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.

E-12 AUDIT DATA DEFINITION, GENERATION, AND CONTENT (informed by NIST SP 800-53 Rev. 4, AU-3, AU-3 (1), AU-3 (2), AU-5, AU-5 (2), AU-12, AU-12 (3), AU-14, AU-14 (1), & AU-14 (2))

[Licensee/Applicant] ensures the VDA:

  • Generates records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event; and
  • Generates records containing information necessary to prevent a consequence of concern from a cyber attack, including, at a minimum:

DG-5062, Page E-3 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE o Account (user or service) login failure; o Account role or privilege change; o File or object creation, modification and deletion; o Service start and stop; o Privileged service call; o Account creation and modification; o Account right assignment; o Audit policy change; o User account password change; o User group creation and modification; and o Remote session start and failure.

[Licensee/Applicant] ensures the VDA auditing function:

  • Alerts cyber security personnel in near real-time of an audit processing failure, or where audit failure events occur that could indicate VDA compromise;
  • Takes automated measures to preserve audit data;
  • Provides the capability to increase or modify audit record content in response to threat intelligence;
  • Initiates session audits at VDA start-up;
  • provides the capability for authorized users to select a user session to capture/record or view/hear;
  • Provides the capability for authorized users to capture/record and log content related to a user session; and
  • Provides centralized management and configuration of the content to be captured in audit records.

E-13 AUDIT DATA MANAGEMENT AND PROTECTION (informed by NIST SP 800-53 Rev. 4, AU-4, AU-5 (1), AU-9, AU-9 (2), AU-9 (3), AU-9 (4), &

AU-10)

[Licensee/Applicant]:

  • Allocates sufficient audit record storage capacity in accordance with U.S. Nuclear Regulatory Commission (NRC) record retention requirements and configures auditing to prevent capacity from being exceeded;
  • Authorizes access to management of audit functionality to only authorized users with cyber security responsibilities;
  • Ensures the VDA provides an alert to authorized personnel when allocated audit record storage volume reaches 80 percent of repository maximum audit record storage capacity;
  • Ensures the VDA backs up audit records onto a physically different VDA than the VDA being audited;
  • Ensures the VDA protects audit information and audit tools from unauthorized access, modification, and deletion;
  • Ensures the VDA implements cryptographic mechanisms to protect the integrity of audit information and audit tools; and
  • Ensures the VDA protects against an individual (or process acting on behalf of an individual) falsely denying having performed any action on the VDA.

DG-5062, Page E-4 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE E-14 AUDIT REVIEW, ANALYSIS, AND REPORTING (informed by NIST SP 800-53 Rev. 4, AU-6, AU-6 (1), AU-6 (3), AU-6 (5), AU-6 (6), & AU-12 (1))

[Licensee/Applicant]:

  • Employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities;
  • Reviews and analyzes VDA audit records in a timely manner for indications of potential compromise;
  • Analyzes and correlates audit records across different repositories to gain organization-wide situational awareness;
  • Integrates analysis of audit records with analysis of vulnerability scanning information, performance data, VDA monitoring information, and data/information collected from other sources to further enhance the ability to identify potential unauthorized activity;
  • Correlates information from audit records with information obtained from monitoring physical access to the VDA to further enhance the ability to identify potential unauthorized activity;
  • Reports findings to the CST; and
  • Ensures the VDA compiles audit records into a logical or physical audit trail that is time-correlated to, at a minimum, within one-tenth of a second.

E-15 SECURITY CONTROL ASSESSMENTS (informed by NIST SP 800-53 Rev. 4, CA-2 (2))

[Licensee/Applicant] includes and documents as part of VDA security control assessments:

  • An attack tree/attack surface analysis of the VDA (to be done at least every 24 months);
  • Announced assessments:

o In-depth monitoring (to be done automatically, in real time);

o Vulnerability scanning (to be done at least every 30 days);

o Malicious actor testing (to be done at least every 92 days); and

  • Unannounced assessments (in addition to announced assessments above):

o Vulnerability scanning (to be done at least every 183 days);

o Malicious actor testing (to be done at least every 12 months); and o Performance/load testing (to be done at least every 183 days).

E-16 INDEPENDENCE OF ASSESSORS (informed by NIST SP 800-53 Rev. 4, CA-2 (1), CA-7 (1), CA-8, & CA-8 (1))

[Licensee/Applicant]:

  • Utilizes assessors or assessment teams that are independent of those personnel responsible for program management or cyber security control implementation to conduct assessments of the cyber security controls;
  • Utilizes assessors or assessment teams that are independent of those personnel responsible for program management or cyber security control implementation to monitor the cyber security controls for the VDA on an ongoing basis;
  • Conducts penetration testing at least every 12 months on the VDA; and
  • Utilizes assessors or assessment teams that are independent of those personnel responsible for program management or cyber security control implementation to perform penetration testing on the VDA.

DG-5062, Page E-5 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE E-17 ENHANCEMENTS TO VDA CONNECTIONS (informed by NIST SP 800-53 Rev. 4, CA-3 (3), CA-3 (4), CA-3 (5), & CA-9)

[Licensee/Applicant]:

  • Employs a deny-all, permit-by-exception policy for allowing VDAs to connect to external information systems;
  • Prohibits the direct connection of a VDA to an external network without the use of:

o At least one separate, intervening access control device (e.g. firewall, cross domain solution);

o At least one separate, intervening intrusion detection/prevention mechanism with near-realtime prevention, detection and alerting capability; o Host-based protective measures; o Other measures necessary to prevent a consequence of concern; and

  • Prohibits the direct connection of a VDA to a public network;
  • Authorizes connections to the VDA; and
  • Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated.

E-18 AUTOMATED BASELINE CONFIGURATION (informed by NIST SP 800-53 Rev. 4, CM-2 (2))

[Licensee/Applicant] employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the VDA.

E-19 CONFIGURE VDAS FOR HIGH-RISK AREAS (informed by NIST SP 800-53 Rev. 4, CM-2 (7))

Prior to transporting VDAs associated with an active consequence of concern to locations that the

[licensee/applicant] deems to be of significant risk, the [licensee/applicant]:

  • Documents a detailed justification for the VDA to be transported;
  • Obtains written approval from the CST and management;
  • Documents the VDA configuration baseline and component inventory prior to leaving controlled areas;
  • Observes chain-of-custody of the VDA or VDA component;
  • Performs a review of the VDA configuration baseline and component inventory upon return;
  • Performs testing of the VDA to ensure no cyber compromise has occurred; and
  • Performs a security control assessment to ensure all controls are in place, operational, and performing the intended function.

E-20 CONFIGURATION CHANGE CONTROL (informed by NIST SP 800-53 Rev. 4, CM-3)

[Licensee/Applicant]:

  • Documents changes to the VDA that shall be configuration-controlled per Title 10 of the Code of Federal Regulations (10 CFR) 73.53;
  • Reviews proposed configuration-controlled changes to the VDA and approves or disapproves such changes with explicit consideration for security impact analyses before implementation of the change;
  • Documents configuration change decisions associated with the VDA;
  • Implements approved configuration-controlled changes to the VDA; DG-5062, Page E-6 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Retains records of configuration-controlled changes to the VDA in accordance with NRC record retention requirements;
  • Audits and reviews activities associated with configuration-controlled changes to the VDA; and
  • Coordinates and provides oversight for configuration change control activities through the change management process.

E-21 CHANGE TESTING AND ANALYSIS (informed by NIST SP 800-53 Rev. 4, CM-3 (2), CM-4, & CM-4 (1))

[Licensee/Applicant]:

  • Tests, validates, and documents changes to the VDA before implementing the changes to the VDA;
  • Analyzes changes to the VDA to determine potential security impacts prior to change implementation; and
  • Analyzes changes to the VDA in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

E-22 ACCESS RESTRICTIONS FOR CHANGE (informed by NIST SP 800-53 Rev. 4, CM-5 & CM-5 (1))

[Licensee/Applicant]:

  • Defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the VDA; and
  • Ensures VDA enforces access restrictions and supports auditing of the enforcement actions.

E-23 REVIEW VDA CHANGES (informed by NIST SP 800-53 Rev. 4, CM-5 (2))

[Licensee/Applicant] reviews VDA changes at least every 183 days or in the event of suspected compromise to determine whether unauthorized changes have occurred.

E-24 SIGNED COMPONENTS (informed by NIST SP 800-53 Rev. 4, CM-5 (3))

[Licensee/Applicant] ensures the VDA prevents the installation of software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

E-25 CONFIGURATION SETTINGS (informed by NIST SP 800-53 Rev. 4, CM-6, CM-6 (1), & CM-6 (2))

[Licensee/Applicant]:

  • Establishes and documents configuration settings within the VDA that reflect the most restrictive mode consistent with operational requirements;
  • Implements the configuration settings;
  • Identifies, documents, and approves any deviations from established configuration settings;
  • Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures; DG-5062, Page E-7 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Employs automated mechanisms to centrally manage, apply, and verify VDA configuration settings; and
  • Reports unauthorized changes to VDA configuration settings to the cyber security incident response team upon detection.

E-26 LEAST FUNCTIONALITY (informed by NIST SP 800-53 Rev. 4, CM-7)

[Licensee/Applicant]:

  • Configures the VDA to provide only essential capabilities, to perform its function and maintain safe and secure operations; and
  • Prohibits or restricts the use of unneeded functions, ports, protocols, and/or services.

E-27 PERIODIC REVIEW (informed by NIST SP 800-53 Rev. 4, CM-7 (1))

[Licensee/Applicant]:

  • Reviews the VDA at least every 30 days to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
  • Disables or restricts unneeded functions, ports, protocols, and/or services identified by the review.

E-28 AUTHORIZED SOFTWARE (informed by NIST SP 800-53 Rev. 4, CM-7 (2) & CM-7 (4))

[Licensee/Applicant]:

  • Identifies software programs authorized to execute on the VDA;
  • Employs an deny-all, allow-by-exception policy to prohibit the execution of unauthorized software programs on the VDA;
  • Reviews and updates the list of authorized software programs, at least every 183 days; and
  • Employs automated mechanisms for the VDA(i.e. application white-listing) to prevent unauthorized program execution.

E-29 VDA COMPONENT INVENTORY (informed by NIST SP 800-53 Rev. 4, CM-8, CM-8 (1), CM-8 (2), CM-8 (3), & CM-8 (4)

[Licensee/Applicant]:

  • Develops and documents an inventory of VDA components that:

o Accurately reflects the current VDA; o Includes all components within the boundary of the VDA; o Is at the level of granularity necessary for tracking and reporting; o Includes information necessary to achieve effective VDA component accountability; and

  • Reviews and updates the VDA component inventory at least every 92 days or as part of any changes to a VDA;
  • Updates the inventory of VDA components as an integral part of component installations, removals, and VDA updates;
  • Employs automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the VDA;
  • Employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of VDA components; DG-5062, Page E-8 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Includes in the VDA component inventory information, a means for identifying individuals responsible/accountable for administering those components; and
  • Takes appropriate actions when unauthorized components are detected to remove, disable, or otherwise prevent the unauthorized component from causing a consequence of concern.

E-30 INSTALLED SOFTWARE (informed by NIST SP 800-53 Rev. 4, CM-11)

[Licensee/Applicant]:

  • Establishes policies governing the installation of software on VDAs consistent with configuration management in 10 CFR 73.53(f);
  • Enforces software installation policies using automated measures where supported; and
  • Monitors policy compliance using automated measures where supported.

E-31 IDENTIFICATION AND AUTHENTICATION (informed by NIST SP 800-53 Rev. 4, IA-2, IA-2 (1), IA-2 (2), IA-2 (3), IA-2 (4), IA-2 (8),

IA-2 (9), IA-2 (11), IA-2 (12), IA-3, & IA-8)

[Licensee/Applicant] ensures the VDA:

  • Uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users) and non-organizational users (or processes acting on behalf of non-organizational users);
  • Implements multifactor authentication for network access to privileged accounts;
  • Implements multifactor authentication for network access to non-privileged accounts;
  • Implements multifactor authentication for local access to privileged accounts;
  • Implements multifactor authentication for local access to non-privileged accounts;
  • Implements replay-resistant authentication mechanisms for network access to privileged accounts;
  • Implements replay-resistant authentication mechanisms for network access to non-privileged accounts;
  • Implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the VDA gaining access and the device meets E-authentication Assurance Level 3 as described in NIST SP 800-63-2 or later revisions;
  • Accepts and electronically verifies Personal Identity Verification credentials; and
  • Uniquely identifies and authenticates devices before establishing a connection to a VDA.

E-32 IDENTIFIER MANAGEMENT (informed by NIST SP 800-53 Rev. 4, IA-4)

[Licensee/Applicant] manages VDA identifiers by:

  • Receiving independent management authorization to assign an individual, group, role, or device identifier;
  • Selecting an identifier that identifies an individual, group, role, or device;
  • Assigning the identifier to the intended individual, group, role, or device;
  • Preventing reuse of identifiers where reuse could allow unintended or unauthorized access; and
  • Disabling the identifier within 30 days of inactivity.

DG-5062, Page E-9 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE E-33 AUTHENTICATOR MANAGEMENT (informed by NIST SP 800-53 Rev. 4, IA-5)

[Licensee/Applicant] manages VDA authenticators by:

  • Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
  • Establishing initial authenticator content for authenticators defined by the organization;
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use;
  • Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
  • Changing default content of authenticators prior to VDA installation;
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
  • Documenting authenticator types approved for use, the frequency for changing/refreshing, and the technical justification that demonstrates that adequate security is provided by the frequency;
  • Protecting authenticator content from unauthorized disclosure and modification;
  • Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
  • Changing authenticators for group/role accounts when membership to those accounts changes.

[Licensee/Applicant] requires that the registration process to receive authenticators be conducted in person or by a trusted third party with management authorization.

E-34 PASSWORD-BASED AUTHENTICATION (informed by NIST SP 800-53 Rev. 4, IA-5 (1))

For password-based authentication for the VDA, the [Licensee/Applicant]:

  • Enforces a minimum password length, strength, and complexity that is within the capabilities of the VDA and commensurate with the required level of security;
  • Enforces password complexity such that the passwords cannot be found in a dictionary and do not contain predictable sequences of numbers or letters;
  • Enforces a sufficient number of changed characters when new passwords are created to ensure adversaries cannot determine the current password from previous entries;
  • Stores and transmits only cryptographically-protected passwords;
  • Enforces lifetime restrictions for password minimums of 1 day and provides a technical basis for maximums defined and documented by the CST that prevents unauthorized access;
  • Prohibits password reuse for 10 generations;
  • Requires an immediate change to a permanent password upon the first logon, when temporary passwords are used for VDA logons; and
  • Stores written or electronic copies of master passwords in a secure location with limited access.

E-35 PUBLIC KEY INFRASTRUCTURE (PKI)-BASED AUTHENTICATION (informed by NIST SP 800-53 Rev. 4, IA-5 (2))

[Licensee/Applicant] ensures that PKI-based authentication for the VDA:

  • Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
  • Enforces authorized access to the corresponding private key;
  • Maps the authenticated identity to the account of the individual or group; and DG-5062, Page E-10 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

E-36 HARDWARE TOKEN-BASED AUTHENTICATION (informed by NIST SP 800-53 Rev. 4, IA-5 (11))

[Licensee/Applicant] ensures that the VDA, for hardware token-based authentication, employs mechanisms that satisfy E-authentication Assurance Level 3 as described in NIST SP 800-63-2 or later revisions.

E-37 AUTHENTICATOR FEEDBACK (informed by NIST SP 800-53 Rev. 4, IA-6)

[Licensee/Applicant] ensures that the VDA obscures feedback of authentication information during the authentication process to protect the information from possible exploitation or use by unauthorized individuals.

E-38 CRYPTOGRAPHIC MODULE AUTHENTICATION (informed by NIST SP 800-53 Rev. 4, IA-7)

[Licensee/Applicant] ensures that the VDA implements mechanisms for authentication to a cryptographic module based on NIST Cryptographic Module Validation Program (CMVP) and associated guidance for such authentication.

E-39 INCIDENT RESPONSE TRAINING (informed by NIST SP 800-53 Rev. 4, IR-2, IR-2 (1), & IR-2 (2))

[Licensee/Applicant] provides incident response training to VDA users consistent with assigned roles and responsibilities:

  • Within 92 days of assuming an incident response role or responsibility;
  • When required by VDA changes; and
  • At least every 12 months.

[Licensee/Applicant]:

  • Incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations; and
  • Employs automated mechanisms to provide a more thorough and realistic incident response training environment.

E-40 INCIDENT RESPONSE TESTING (informed by NIST SP 800-53 Rev. 4, IR-3 & IR-3 (2))

[Licensee/Applicant]:

  • Tests the incident response capability for the VDA at least every 92 days using one or more of the following methods to determine the incident response effectiveness and documents the results of checklists, walk-through or tabletop exercises, and simulations (parallel/full interrupt);
  • Tests the incident response capability for the VDA at least every 36 months using a comprehensive exercise; and
  • Coordinates incident response testing with organizational elements responsible for related plans.

DG-5062, Page E-11 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE E-41 INCIDENT HANDLING (informed by NIST SP 800-53 Rev. 4, IR-4, IR-4 (1), & IR-4 (4))

[Licensee/Applicant]:

  • Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
  • Coordinates incident handling activities with contingency planning activities;
  • Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly;
  • Employs automated mechanisms to support the incident handling process; and
  • Correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

E-42 INCIDENT MONITORING (informed by NIST SP 800-53 Rev. 4, IR-5 & IR-5 (1))

[Licensee/Applicant]

  • Tracks and documents VDA security incidents; and
  • Employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.

E-43 INCIDENT REPORTING (informed by NIST SP 800-53 Rev. 4, IR-6 & IR-6 (1))

[Licensee/Applicant]:

  • Requires personnel to report suspected cyber security incidents to the CST upon discovery; and
  • Employs automated mechanisms to assist in the reporting of security incidents.

E-44 INCIDENT RESPONSE ASSISTANCE (informed by NIST SP 800-53 Rev. 4, IR-7, IR-7 (1), & IR-7 (2))

[Licensee/Applicant]:

  • Provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the VDA for the handling and reporting of security incidents; and
  • Employs automated mechanisms to increase the availability of incident response-related information and support.

[Licensee/Applicant]:

  • Establishes a direct, cooperative relationship between its incident response capability and external providers of cyber security protection capabilities; and
  • Identifies organizational cyber security incident response team members to the external providers.

E-45 CONTROLLED MAINTENANCE (informed by NIST SP 800-53 Rev. 4, MA-2 & MA-2 (2))

[Licensee/Applicant]:

  • Performs and documents maintenance and repairs on VDAs in a timely manner to prevent a consequence of concern; DG-5062, Page E-12 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Reviews records for maintenance and repairs on VDAs in accordance with manufacturer or vendor specifications but at least every 30 days;
  • Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
  • Requires that CST approve the removal of the VDA for off-site maintenance or repairs outside the licensees positive control;
  • Sanitizes equipment to remove all information from associated media prior to removal for off-site maintenance or repairs outside the licensees positive control;
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions;
  • Includes in records of maintenance and repairs on VDA components at a minimum: date, time, identification of those performing the maintenance, description of maintenance performed, and VDA components removed or replaced;
  • Retains records for inspection by the NRC;
  • Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and
  • Produces up-to date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed.

E-46 MAINTENANCE TOOLS (informed by NIST SP 800-53 Rev. 4, MA-3, MA-3 (1), & MA-3 (2))

[Licensee/Applicant]:

  • approves, controls, and monitors VDA maintenance tools;
  • inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications; and
  • checks media containing diagnostic and test programs for malicious code before the media are used in the VDA.

[Licensee/Applicant] prevents the unauthorized removal of maintenance equipment containing VDA information by:

  • Verifying that there is no VDA information contained on the equipment;
  • Sanitizing or destroying the equipment;
  • Retaining the equipment within the facility; or
  • Obtaining an exemption from the CST explicitly authorizing removal of the equipment from the facility.

E-47 NONLOCAL MAINTENANCE (informed by NIST SP 800-53 Rev. 4, MA-4, MA-4 (2), & MA-4 (3))

[Licensee/Applicant]:

  • Approves and monitors nonlocal maintenance and diagnostic activities;
  • Documents and only allows the use of nonlocal maintenance and diagnostic tools for the VDA where those tools do not introduce vulnerabilities or lead to a consequence of concern (e.g.,

information systems that perform maintenance on VDAS are protected equivalent to the VDA.);

  • Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
  • Maintains records for nonlocal maintenance and diagnostic activities; and
  • Terminates session and network connections when nonlocal maintenance is completed.

DG-5062, Page E-13 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

[Licensee/Applicant]:

  • Documents the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections; or
  • Removes the component to be serviced from the VDA prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to VDA information) before removal from licensee facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the VDA.

E-48 MAINTENANCE PERSONNEL (informed by NIST SP 800-53 Rev. 4, MA-5 & MA-5 (1))

[Licensee/Applicant]:

  • Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
  • Ensures that unescorted personnel performing maintenance on the VDA have required access authorizations; and
  • Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

[Licensee/Applicant]:

  • Implements procedures for the use of maintenance personnel that lack appropriate security clearances that include the following requirements:

o Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the VDA by approved personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; o Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the VDA are sanitized and all nonvolatile storage media are removed or physically disconnected from the VDA and secured; and

  • Develops and implements alternate security safeguards in the event a VDA component cannot be sanitized, removed, or disconnected from the VDA.

E-49 TIMELY MAINTENANCE (informed by NIST SP 800-53 Rev. 4, MA-6)

[Licensee/Applicant] obtains maintenance support and/or spare parts for VDAs that must remain operational to prevent a consequence of concern.

E-50 MEDIA ACCESS (informed by NIST SP 800-53 Rev. 4, MP-2)

[Licensee/Applicant] restricts access to VDA media to authorized individuals only. VDA media includes any active storage device, passive storage device or passive media that:

  • Contain information used to manage, configure, maintain, secure or operate the VDA; or
  • Are used on the VDA for any purpose.

DG-5062, Page E-14 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE E-51 MEDIA MARKING (informed by NIST SP 800-53 Rev. 4, MP-3)

[Licensee/Applicant] marks VDA media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information.

E-52 MEDIA STORAGE (informed by NIST SP 800-53 Rev. 4, MP-4)

[Licensee/Applicant]:

  • Physically controls and securely stores VDA media; and
  • Protects VDA media until the media are destroyed or sanitized using approved equipment, techniques, and procedures that would prevent recovery of the data by an adversary.

E-53 MEDIA TRANSPORT (informed by NIST SP 800-53 Rev. 4, MP-5 & MP-5 (4))

[Licensee/Applicant]:

  • Protects and controls VDA media during transport outside of controlled areas;
  • Maintains accountability for VDA media during transport outside of controlled areas;
  • Documents activities associated with the transport of VDA media;
  • Restricts the activities associated with the transport of VDA media to authorized personnel; and
  • Implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

E-54 MEDIA SANITIZATION (informed by NIST SP 800-53 Rev. 4, MP-6, MP-6 (1), MP-6 (2), & MP-6 (3))

[Licensee/Applicant]:

  • Sanitizes VDA media prior to disposal, release out of organizational control, or release for reuse in a manner that would prevent recovery of the data by an adversary;
  • Reviews, approves, tracks, documents, and verifies media sanitization and disposal actions;
  • Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information;
  • Tests sanitization equipment and procedures at least every 12 months to verify that the intended sanitization is being achieved; and
  • Applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the VDA.

E-55 MEDIA USE (informed by NIST SP 800-53 Rev. 4, MP-7 & MP-7 (1))

[Licensee/Applicant] prohibits the use of any media with a VDA, except specifically approved VDA media with an identifiable and verifiable owner.

DG-5062, Page E-15 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE E-56 MONITORING PHYSICAL ACCESS (informed by NIST SP 800-53 Rev. 4, PE-6)

[Licensee/Applicant]:

  • Monitors physical access to the facility where the VDA resides to detect and respond to physical security incidents;
  • Reviews physical access logs in a timely manner and upon occurrence of anomalous behavior; and
  • Coordinates results of reviews and investigations with the organizational incident response capability.

E-57 VULNERABILITY SCANNING (informed by NIST SP 800-53 Rev. 4, RA-5, RA-5 (1), RA-5 (2), RA-5 (3), RA-5 (4), &

RA-5 (5))

[Licensee/Applicant]:

  • Scans for vulnerabilities in the VDA and hosted applications at least every 30 days and when new vulnerabilities potentially affecting the VDA, applications or both are identified and reported;
  • Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

o Enumerating platforms, software flaws, and improper configurations; o Formatting checklists and test procedures; o Measuring vulnerability impact; and

  • Analyzes vulnerability scan reports and results from security control assessments;
  • Addresses vulnerabilities in a timely and technically justified manner to prevent a consequence of concern;
  • Shares information obtained from the vulnerability scanning process and security control assessments with appropriate personnel to help eliminate similar vulnerabilities in other VDAs (i.e., systemic weaknesses or deficiencies);
  • Employs vulnerability scanning tools that include the capability to readily update the VDA vulnerabilities to be scanned;
  • Updates the VDA vulnerabilities scanned prior to a new scan;
  • Employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information VDA components scanned and vulnerabilities checked);
  • Determines what information about the VDA is discoverable by adversaries and takes measures to address the associated potential cyber security issues; and
  • Implements privileged access authorization to the VDA for vulnerability scanning activities.

E-58 EXTERNAL INFORMATION SYSTEM SERVICES (informed by NIST SP 800-53 Rev. 4, SA-9 & SA-9 (2))

[Licensee/Applicant]:

  • Requires that providers of external information system services that interact with VDAs comply with information security requirements and address security controls for the associated consequence of concern;
  • Defines and documents oversight and user roles and responsibilities with regard to external information system services;
  • Employs automated mechanisms to monitor security control compliance by external service providers on an ongoing basis; and DG-5062, Page E-16 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Requires providers of external information system services that interact with VDAs to identify the functions, ports, protocols, and other services required for the use of such services.

E-59 DEVELOPER CONFIGURATION MANAGEMENT (informed by NIST SP 800-53 Rev. 4, SA-10)

[Licensee/Applicant] requires the developer of the VDA, component, or information system service to:

  • Perform configuration management during the VDA, component, or service lifecycle;
  • Document, manage, and control the integrity of changes to the VDA, component, or service;
  • Implement only organization-approved changes to the VDA, component, or service;
  • Document approved changes to the VDA, component, or service and the potential security impacts of such changes; and
  • Track security flaws and flaw resolution within the VDA, component, or service and report findings to CST.

E-60 DEVELOPER SECURITY TESTING AND EVALUATION (informed by NIST SP 800-53 Rev. 4, SA-11)

[Licensee/Applicant] requires the developer of the VDA, component, or information system service to:

  • Create and implement a security assessment plan;
  • Produce evidence of the execution of the security assessment plan and the results of the security testing and evaluation;
  • Implement a verifiable flaw remediation process; and
  • Correct flaws identified during security testing/evaluation.

E-61 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS (informed by NIST SP 800-53 Rev. 4, SA-15)

[Licensee/Applicant]:

  • Requires the developer of the VDA, VDA component, or VDA service to follow a documented development process that:

o Explicitly addresses security requirements; o Identifies the standards and tools used in the development process; o Documents the specific tool options and tool configurations used in the development process; and

  • Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
  • Reviews the development process, standards, tools, and tool options/configurations to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy VDA security requirements.

E-62 DEVELOPER SECURITY ARCHITECTURE AND DESIGN (informed by NIST SP 800-53 Rev. 4, SA-17)

[Licensee/Applicant] requires the developer of the VDA, VDA component, or VDA service e to produce a design specification and security architecture that:

  • Is consistent with and supportive of the licensees security architecture; DG-5062, Page E-17 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and
  • Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.

E-63 SYSTEM PROTECTION (informed by NIST SP 800-53 Rev. 4, SC-2, SC-3, & SC-4)

[Licensee/Applicant]:

  • Separates user functionality on the VDA (including user interface services) from VDA management functionality;
  • Isolates security functions from nonsecurity functions on the VDA; and
  • Prevents unauthorized and unintended information transfer via shared resources.

E-64 DENIAL OF SERVICE PROTECTION (informed by NIST SP 800-53 Rev. 4, SC-5)

[Licensee/Applicant] protects against or limits the effects of denial of service attacks by employing technical safeguards and countermeasures.

E-65 BOUNDARY PROTECTION (informed by NIST SP 800-53 Rev. 4, SC-7, SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8),

SC-7 (14), SC-7 (18), & SC-7 (21))

[Licensee/Applicant]:

  • Monitors and controls communications at the boundary of the VDA and at key internal boundaries within the VDA;
  • Implements subnetworks for publicly or externally accessible VDA components that are physically or logically separated from internal [licensee/applicant] networks;
  • Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with the security architecture; and
  • Limits the number of external network connections to the VDA.

E-66 TRANSMISSION CONFIDENTIALITY AND INTEGRITY (informed by NIST SP 800-53 Rev. 4, SC-8 & SC-8 (1))

[Licensee/Applicant] ensures the VDA:

  • Protects the confidentiality and integrity of transmitted information; and
  • Implements cryptographic mechanisms to prevent unauthorized disclosure of information and to detect changes to information during transmission, unless the transmission medium is otherwise protected by alternative physical safeguards.

E-67 NETWORK DISCONNECT (informed by NIST SP 800-53 Rev. 4, SC-10)

[Licensee/Applicant] terminates the network connection associated with VDA communications session at the end of the session or within 10 minutes of inactivity, except for communications sessions that are necessary for safe operation of the VDA or are necessary to prevent a consequence of concern.

DG-5062, Page E-18 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE E-68 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT (informed by NIST SP 800-53 Rev. 4, SC-12 & SC-12 (1))

[Licensee/Applicant]:

  • Establishes and manages cryptographic keys for required cryptography employed within the VDA in accordance with NIST CMVP; and
  • Maintains availability of information necessary to safely operate the VDA or prevent a consequence of concern in the event of the loss of cryptographic keys by users.

E-69 COLLABORATIVE COMPUTING DEVICES (informed by NIST SP 800-53 Rev. 4, SC-15, SC-15 (1), SC-15 (3), & SC-15 (4))

[Licensee/Applicant] disables or removes collaborative computing devices from digital assets in areas where access could disclose information leading to a consequence of concern.

[Licensee/Applicant] ensures the VDA:

  • Prohibits remote activation of collaborative computing devices except where explicitly authorized;
  • Provides an explicit indication of use to users physically present at the devices;
  • Provides physical disconnect of collaborative computing devices in a manner that supports ease of use; and
  • Provides an explicit indication of current participants in collaborative sessions.

E-70 PUBLIC KEY INFRASTRUCTURE CERTIFICATES (informed by NIST SP 800-53 Rev. 4, SC-17)

[Licensee/Applicant] issues public key certificates under a certificate policy or obtains public key certificates from a service provider approved by the licensee.

E-71 VOICE OVER INTERNET PROTOCOL (VOIP)

(informed by NIST SP 800-53 Rev. 4, SC-19)

[Licensee/Applicant]:

  • Establishes usage restrictions and implementation guidance for VoIP technologies based on the potential to cause damage to the VDA if used maliciously; and
  • Authorizes, monitors, and controls the use of VoIP within the VDA.

E-72 SECURE NAME / ADDRESS RESOLUTION (informed by NIST SP 800-53 Rev. 4, SC-20, SC-20a, SC-21, & SC-22)

[Licensee/Applicant] ensures the VDA:

  • Provides additional data origin authentication and integrity verification artifacts for the VDA along with the authoritative name resolution data the VDA returns in response to external name/address resolution queries;
  • Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace;
  • Requests and performs data origin authentication and data integrity verification on the name/address resolution responses the VDA receives from authoritative sources; and DG-5062, Page E-19 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

E-73 SESSION AUTHENTICITY (informed by NIST SP 800-53 Rev. 4, SC-23)

[Licensee/Applicant] ensures the VDA protects the authenticity of communications sessions.

E-74 FAIL IN KNOWN STATE (informed by NIST SP 800-53 Rev. 4, SC-24)

[Licensee/Applicant]:

  • Ensures VDAs fail in a known-state to ensure that functions are not adversely impacted; and
  • Prevents a loss of confidentiality, integrity, or availability in the event of a failure of the VDA or a component of the VDA.

E-75 PROTECTION OF INFORMATION AT REST (informed by NIST SP 800-53 Rev. 4, SC-28)

[Licensee/Applicant] protects the confidentiality and integrity of VDA information at rest.

E-76 PROCESS ISOLATION (informed by NIST SP 800-53 Rev. 4, SC-39)

[Licensee/Applicant] maintains a separate execution domain for each executing process.

E-77 FLAW REMEDIATION (informed by NIST SP 800-53 Rev. 4, SI-2, SI-2 (1) & SI-2 (2))

[Licensee/Applicant]:

  • Identifies, reports, and corrects VDA flaws;
  • Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
  • Correcting the flaw expeditiously using the configuration management process;
  • Incorporates flaw remediation into the organizational configuration management process;
  • Performs vulnerability scans and assessments of the VDA to validate that the flaw has been eliminated before the VDA is put into production;
  • Centrally manages the flaw remediation process; and
  • Employs automated mechanisms to determine the state of VDA components with regard to flaw remediation.

E-78 MALICIOUS CODE PROTECTION (informed by NIST SP 800-53 Rev. 4, SI-3, SI-3 (1), SI-3 (2), SI-3 (8), & SI-2 (10))

[Licensee/Applicant]:

  • Employs malicious code protection mechanisms at VDA network entry and exit points to detect and eradicate malicious code;
  • Updates malicious code protection mechanisms whenever new releases are available;
  • Configures malicious code protection mechanisms to:

o Perform periodic scans of the VDA at least every 7 days; DG-5062, Page E-20 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE o Perform real-time scans of files from external sources as the files are downloaded, opened, or executed; o Prevent malicious code execution; o Alert the CST of the detection of malicious code in a timely manner; and

  • Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the VDA;
  • Centrally manages malicious code protection mechanisms;
  • Automatically updates malicious code protection mechanisms for the VDA;
  • Detects unauthorized operating system commands in VDAs through the kernel application programming interface and:

o Issues a warning; o Audits the command execution; o Prevents the execution of the command; and

  • Employs tools and techniques to analyze the characteristics and behavior of malicious code; and
  • Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes.

E-79 VDA MONITORING (informed by NIST SP 800-53 Rev. 4, SI-4, SI-4 (2), SI-4 (4), SI-4 (5), SI-4 (10), SI-4 (11), &

SI-4 (20))

[Licensee/Applicant]:

  • Monitors the VDA to detect:

o Cyber attacks and indicators of potential cyber attacks; o Unauthorized local, network, and remote connections; and

  • Identifies unauthorized use of the VDA using automated or other means;
  • Deploys monitoring devices:

o Strategically within the VDA to collect organization-determined essential information; o At ad hoc locations within the system to track specific types of transactions of interest to the organization; and

  • Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
  • Heightens the level of VDA monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
  • Provides VDA monitoring information to appropriate licensee cyber security personnel as necessary;
  • Employs automated tools to support near real-time analysis of events;
  • Monitors inbound and outbound communications traffic for the VDA in near real-time for unusual or unauthorized activities or conditions;
  • Ensures appropriate cyber security personnel are notified when indications of compromise or potential compromise of the VDA occurs;
  • Makes provisions so that encrypted communications traffic is visible to authorized network monitoring tools;
  • Analyzes outbound communications traffic at the external boundary of the VDA and selected interior points within the VDA to discover anomalies; and
  • Implements additional monitoring of privileged users.

DG-5062, Page E-21 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE E-80 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES (informed by NIST SP 800-53 Rev. 4, SI-5 & SI-5 (1))

[Licensee/Applicant]:

  • Receives security alerts, advisories, and directives from diverse and credible external sources on an ongoing basis;
  • Generates internal security alerts, advisories, and directives as necessary to prevent a consequence of concern;
  • Disseminates security alerts, advisories, and directives to appropriate personnel and the NRC;
  • Implements security directives in a timely manner; and
  • Employs automated mechanisms to make security alert and advisory information available throughout the organization.

E-81 SECURITY FUNCTION VERIFICATION (informed by NIST SP 800-53 Rev. 4, SI-6 & SI-6 (3))

[Licensee/Applicant]:

  • Verifies the correct operation of security functions;
  • Performs this verification upon startup and restart, upon command by a user with appropriate privilege, at least every 7 days, and when anomalies are discovered; and
  • Notifies appropriate personnel in a timely manner of failed security verification tests.

[Licensee/Applicant] reports the results of security function verification to the CST.

E-82 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY (informed by NIST SP 800-53 Rev. 4, SI-7, SI-7 (1), SI-7 (2), SI-7 (5), SI-7 (7), SI-7 (12),

SI-7 (12), SI-7 (14))

[Licensee/Applicant]:

  • Employs integrity verification tools to detect unauthorized changes to VDA software, firmware, and information;
  • Performs an integrity check of VDA software, firmware, and information. This occurs, where possible, upon startup and restart, upon command by a user with appropriate privilege, at least every 30 days, and when anomalies are discovered;
  • Employs automated tools that provide notification to appropriate personnel upon discovering discrepancies during integrity verification;
  • Automatically takes proactive protection measures when VDA integrity violations are discovered;
  • Incorporates the detection of unauthorized security-relevant changes to the VDA into the organizational incident response capability;
  • Requires that the integrity of software be verified prior to execution; and
  • Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code.

E-83 ERROR HANDLING (informed by NIST SP 800-53 Rev. 4, SI-11)

[Licensee/Applicant] ensures the VDA:

  • Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
  • Reveals VDA error messages only to authorized personnel with a need-to-know.

DG-5062, Page E-22 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE E-84 INFORMATION HANDLING AND RETENTION (informed by NIST SP 800-53 Rev. 4, SI-12)

[Licensee/Applicant] handles and retains information within the VDA and information output from the VDA in accordance with NRC record retention requirements.

E-85 MEMORY PROTECTION (informed by NIST SP 800-53 Rev. 4, SI-16)

[Licensee/Applicant] implements automated mechanisms and safeguards for the VDA to protect its memory from unauthorized code execution.

DG-5062, Page E-23 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE ADDITIONAL CYBER SECURITY CONTROLS FOR VITAL DIGITAL ASSETS ASSOCIATED WITH LATENT CONSEQUENCES OF CONCERN - SAFETY & SECURITY F-1 ACCOUNT MANAGEMENT PROCEDURES (informed by National Institute for Standards and Technology (NIST) Special Publication (SP) 800-53 Rev. 4, AC-2)

[Licensee/Applicant] employs, at minimum, the following measures in support of the management of user accounts on vital digital assets (VDAs):

  • Assigns account managers for VDA accounts;
  • Establishes conditions for group and role membership;
  • Specifies authorized users of the VDA, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
  • Requires independent management approval for requests to create VDA accounts;
  • Creates, enables, modifies, disables, and removes VDA accounts in accordance with the Access Control policy;
  • Monitors the use of VDA accounts;
  • Notifies account managers in a timely manner:

o When accounts are no longer required; o When users are terminated or transferred; o When individual VDA usage or need-to-know changes; and

  • Authorizes access to the VDA based on:

o A valid access authorization; o Intended VDA usage; and

  • Reviews accounts at least every 30 days for compliance with account management requirements; and
  • Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

F-2 ACCOUNT MANAGEMENT (informed by NIST SP 800-53 Rev. 4, AC-2 (5), AC-2 (12), & AC-2 (13))

[Licensee/Applicant] employs, at minimum, the following measures in support of the management of VDA accounts using a combination of procedural activity and automated means:

  • Requires that users log out within 15 minutes of inactivity unless the login session must be maintained to prevent a consequence of concern.
  • Monitors VDA accounts for atypical usage and anomalous activity that could indicate account compromise;
  • Reports atypical usage of VDA accounts to the CST; and
  • Disables user accounts that have been potentially compromised upon discovery.

DG-5062, Page F-1 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE F-3 AUTOMATED ACCOUNT MANAGEMENT (informed by NIST SP 800-53 Rev. 4, AC-2 (1), AC-2 (2), AC-2 (3), & AC-2 (4))

[Licensee/Applicant] employs, at minimum, the following automated technical mechanisms to support the management of VDA accounts, including:

  • Automatically removes or disables temporary and emergency accounts once they are no longer needed;
  • Automatically disables inactive accounts within 30 days; and
  • Automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies appropriate personnel in a timely manner.

F-4 ACCESS MANAGEMENT (informed by NIST SP 800-53 Rev. 4, AC-3 & AC-4)

[Licensee/Applicant] ensures the VDA employs technical measures in support of the enforcement of account access to enforce approved authorizations for:

  • Logical access to VDA information and VDA resources in accordance with applicable access control policies; and
  • Controlling the flow of information within the VDA and between interconnected systems and VDAs.

F-5 REMOTE ACCESS (informed by NIST SP 800-53 Rev. 4, AC-17)

[Licensee/Applicant]:

  • Establishes and documents usage restrictions, configurations, connection requirements, and implementation guidance for each type of remote access allowed; and
  • Authorizes remote access to the VDA prior to allowing such connections.

F-6 MANAGED ACCESS CONTROL POINTS (informed by NIST SP 800-53 Rev. 4, AC-17 (3))

[Licensee/Applicant] ensures all remote accesses to VDAs is through a boundary control device meeting the requirements in cyber security control BOUNDARY CONTROL, of this Appendix.

F-7 WIRELESS ACCESS (informed by NIST SP 800-53 Rev. 4, AC-18)

[Licensee/Applicant]:

  • Establishes usage restrictions, configurations, connection requirements, and implementation guidance for wireless access; and
  • Authorizes wireless access to the VDA prior to allowing such connections.

F-8 RESTRICT CONFIGURATIONS BY USERS (informed by NIST SP 800-53 Rev. 4, AC-18 (4))

[Licensee/Applicant] identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities.

DG-5062, Page F-2 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE F-9 ANTENNAS AND TRANSMISSION POWER LEVELS (informed by NIST SP 800-53 Rev. 4, AC-18 (5))

[Licensee/Applicant] selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be accessed outside of licensee-controlled boundaries.

F-10 EXTERNAL INFORMATION SHARING (informed by NIST SP 800-53 Rev. 4, AC-21)

When VDA information is shared with external parties, [licensee/applicant]:

  • Ensures that access authorizations assigned to the sharing partner match the access restrictions on the information; and
  • Employs automated mechanisms to enforce these restrictions.

F-11 USE OF EXTERNAL INFORMATION SYSTEMS (informed by NIST SP 800-53 Rev. 4, AC-20, AC-20 (1), & AC-20 (2))

[Licensee/Applicant] establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

  • Access the VDA from external information systems; and
  • Process, store, or transmit organization-controlled information using external information systems.

[Licensee/Applicant]:

  • Restricts the use of organization-controlled portable storage devices by authorized individuals on external information systems; and
  • Permits authorized individuals to use an external information system to access the VDA or to process, store, or transmit organization-controlled information only when the [licensee/applicant]:

o Verifies the implementation of security controls on the external system equivalent to security controls addressed for the VDA; or o Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.

F-12 AUDIT DATA DEFINITION, GENERATION, AND CONTENT (informed by NIST SP 800-53 Rev. 4, AU-3, AU-3 (1), AU-3 (2), AU-5, AU-5 (2), AU-12, AU-12 (3), AU-14, AU-14 (1), & AU-14 (2))

[Licensee/Applicant] ensures the VDA:

  • Generates records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event; and
  • Generates records containing information necessary to prevent a consequence of concern from a cyber attack, including, at a minimum:

o Account (user or service) login failure; o Account role or privilege change; o File or object creation, modification and deletion; o Service start and stop; o Privileged service call; o Account creation and modification; DG-5062, Page F-3 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE o Account right assignment; o Audit policy change; o User account password change; o User group creation and modification; and o Remote session start and failure.

[Licensee/Applicant] ensures the VDA auditing function:

  • Alerts cyber security personnel in near real-time of an audit processing failure, or where audit failure events occur that could indicate VDA compromise;
  • Takes automated measures to preserve audit data;
  • Provides the capability to increase or modify audit record content in response to threat intelligence;
  • Initiates session audits at VDA start-up;
  • provides the capability for authorized users to select a user session to capture/record or view/hear;
  • Provides the capability for authorized users to capture/record and log content related to a user session; and
  • Provides centralized management and configuration of the content to be captured in audit records.

F-13 AUDIT DATA MANAGEMENT AND PROTECTION (informed by NIST SP 800-53 Rev. 4, AU-4, AU-5 (1), AU-9 (2), AU-9 (3), AU-9 (4), & AU-10)

[Licensee/Applicant]:

  • Allocates sufficient audit record storage capacity in accordance with U.S. Nuclear Regulatory Commission (NRC) record retention requirements and configures auditing to prevent capacity from being exceeded; and
  • Authorizes access to management of audit functionality to only authorized users with cyber security responsibilities.

[Licensee/Applicant] ensures the VDA:

  • Provides an alert to authorized personnel when allocated audit record storage volume reaches 80 percent of repository maximum audit record storage capacity;
  • Backs up audit records onto a physically different system than the VDA or component being audited;
  • Protects audit information and audit tools from unauthorized access, modification, and deletion;
  • Implements cryptographic mechanisms to protect the integrity of audit information and audit tools; and
  • Protects against an individual (or process acting on behalf of an individual) falsely denying having performed any action on the VDA.

F-14 AUDIT REVIEW, ANALYSIS, AND REPORTING (informed by NIST SP 800-53 Rev. 4, AU-6, AU-6a, AU-6b, AU-6 (1), & AU-6 (3))

[Licensee/Applicant]:

  • Employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities;
  • Reviews and analyzes VDA audit records in a timely manner for indications of potential compromise;
  • Analyzes and correlates audit records across different repositories to gain organization-wide situational awareness; and

DG-5062, Page F-4 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE F-15 INDEPENDENCE OF ASSESSORS (informed by NIST SP 800-53 Rev. 4, CA-2 (1), CA-7 (1), CA-8, & CA-8 (1))

[Licensee/Applicant]:

  • Utilizes assessors or assessment teams that are independent of those personnel responsible for program management or cyber security control implementation to conduct assessments of the cyber security controls;
  • Utilizes assessors or assessment teams that are independent of those personnel responsible for program management or cyber security control implementation to monitor the cyber security controls for the VDA on an ongoing basis;
  • Conducts penetration testing at least every 12 months on the VDA; and
  • Utilizes assessors or assessment teams that are independent of those personnel responsible for program management or cyber security control implementation to perform penetration testing on the VDA.

F-16 SECURITY CONTROL ASSESSMENTS (informed by NIST SP 800-53 Rev. 4, CA-2 (2))

[Licensee/Applicant] includes and documents as part of VDA security control assessments:

  • An attack tree/attack surface analysis of the VDA (to be done at least every 24 months);
  • Announced assessments:

o In-depth monitoring (to be done automatically, in real time);

o Vulnerability scanning (to be done at least every 30 days);

o Malicious actor testing (to be done at least every 92 days); and

  • Unannounced assessments (in addition to announced assessments above):

o Vulnerability scanning (to be done at least every 183 days); and o Malicious actor testing (to be done at least every 12 months).

F-17 ENHANCEMENTS TO VDA CONNECTIONS (informed by NIST SP 800-53 Rev. 4, CA-3 (3), CA-3 (4), CA-3 (5), & CA-9)

[Licensee/Applicant]:

  • Employs a deny-all, permit-by-exception policy for allowing VDAs to connect to external information systems;
  • Prohibits the direct connection of a VDA to an external network without the use of:

o At least one separate, intervening access control device (e.g. firewall, cross domain solution);

o At least one separate, intervening intrusion detection/prevention mechanism with near-realtime prevention, detection and alerting capability; o Host-based protective measures; o Other measures necessary to prevent a consequence of concern; and

  • Prohibits the direct connection of a VDA to a public network;
  • Authorizes connections to the VDA; and
  • Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated.

DG-5062, Page F-5 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE F-18 CONFIGURE VDAS FOR HIGH-RISK AREAS (informed by NIST SP 800-53 Rev. 4, CM-2 (7))

[Licensee/Applicant] ensures the CST:

  • Issues permission for individuals traveling with a VDA to locations that the [Licensee/Applicant]

deems to be of significant risk; and

  • Reviews the VDA upon return to ensure the device is uncompromised.

F-19 CONFIGURATION CHANGE CONTROL (informed by NIST SP 800-53 Rev. 4, CM-3)

[Licensee/Applicant]:

  • Documents changes to the VDA that shall be configuration-controlled per Title 10 of the Code of Federal Regulations (10 CFR) 73.53;
  • Reviews proposed configuration-controlled changes to the VDA and approves or disapproves such changes with explicit consideration for security impact analyses before implementation of the change;
  • Documents configuration change decisions associated with the VDA;
  • Implements approved configuration-controlled changes to the VDA;
  • Retains records of configuration-controlled changes to the VDA in accordance with NRC record retention requirements;
  • Audits and reviews activities associated with configuration-controlled changes to the VDA; and
  • Coordinates and provides oversight for configuration change control activities through the change management process.

F-20 CHANGE TESTING AND ANALYSIS (informed by NIST SP 800-53 Rev. 4, CM-3 (2) & CM-4)

[Licensee/Applicant]

  • Tests, validates, and documents changes to the VDA before implementing the changes to the VDA; and
  • Analyzes changes to the VDA to determine potential security impacts prior to change implementation.

F-21 ACCESS RESTRICTIONS FOR CHANGE (informed by NIST SP 800-53 Rev. 4, CM-5)

[Licensee/Applicant] defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the VDA.

F-22 CONFIGURATION SETTINGS (informed by NIST SP 800-53 Rev. 4, CM-6, CM-6 (1), & CM-6 (2))

[Licensee/Applicant]:

  • Establishes and documents configuration settings within the VDA that reflect the most restrictive mode consistent with operational requirements;
  • Implements the configuration settings;
  • Identifies, documents, and approves any deviations from established configuration settings;
  • Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures; DG-5062, Page F-6 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Employs automated mechanisms to centrally manage, apply, and verify VDA configuration settings; and
  • Reports unauthorized changes to VDA configuration settings to the cyber security incident response team upon detection.

F-23 LEAST FUNCTIONALITY (informed by NIST SP 800-53 Rev. 4, CM-7)

[Licensee/Applicant]:

  • Configures the VDA to provide only essential capabilities, to perform its function and maintain safe and secure operations; and
  • Prohibits or restricts the use of unneeded functions, ports, protocols, and/or services.

F-24 PERIODIC REVIEW (informed by NIST SP 800-53 Rev. 4, CM-7 (1))

[Licensee/Applicant]:

  • Reviews the VDA at least every 30 days to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
  • Disables or restricts unneeded functions, ports, protocols, and/or services identified by the review.

F-25 AUTHORIZED SOFTWARE (informed by NIST SP 800-53 Rev. 4, CM-7 (2) & CM-7 (4))

[Licensee/Applicant]:

  • Identifies software programs authorized to execute on the VDA;
  • Employs an deny-all, allow-by-exception policy to prohibit the execution of unauthorized software programs on the VDA;
  • Reviews and updates the list of authorized software programs, at least every 183 days; and
  • Employs automated mechanisms for the VDA(i.e. application white-listing) to prevent unauthorized program execution.

F-26 VDA COMPONENT INVENTORY (informed by NIST SP 800-53 Rev. 4, CM-8, CM-8 (1), & CM-8 (3))

[Licensee/Applicant]:

  • Develops and documents an inventory of VDA components that:

o Accurately reflects the current VDA; o Includes all components within the boundary of the VDA; o Is at the level of granularity necessary for tracking and reporting; o Includes information necessary to achieve effective VDA component accountability; and

  • Reviews and updates the VDA component inventory at least every 92 days or as part of any changes to a VDA;
  • Updates the inventory of VDA components as an integral part of component installations, removals, and VDA updates;
  • Employs automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the VDA; and
  • Takes appropriate actions when unauthorized components are detected to remove, disable, or otherwise prevent the unauthorized component from causing a consequence of concern.

DG-5062, Page F-7 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE F-27 INSTALLED SOFTWARE (informed by NIST SP 800-53 Rev. 4, CM-11)

[Licensee/Applicant]:

  • Establishes policies governing the installation of software on VDAs consistent with configuration management in 10 CFR 73.53(f);
  • Enforces software installation policies using automated measures where supported; and
  • Monitors policy compliance using automated measures where supported.

F-28 IDENTIFICATION AND AUTHENTICATION (informed by NIST SP 800-53 Rev. 4, IA-2, IA-2 (1), IA-2 (2), IA-2 (3), IA-2 (8), IA-2 (11),

IA-2 (12), IA-3, & IA-8)

[Licensee/Applicant] ensures the VDA:

  • Uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users) and non-organizational users (or processes acting on behalf of non-organizational users);
  • Implements multifactor authentication for network access to privileged accounts;
  • Implements multifactor authentication for network access to non-privileged accounts;
  • Implements multifactor authentication for local access to privileged accounts;
  • Implements replay-resistant authentication mechanisms for network access to privileged accounts;
  • Implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets E-authentication Assurance Level 3 as described in NIST SP 800-63-2 or later revisions;
  • Accepts and electronically verifies Personal Identity Verification credentials; and
  • Uniquely identifies and authenticates devices before establishing a connection to a VDA.

F-29 IDENTIFIER MANAGEMENT (informed by NIST SP 800-53 Rev. 4, IA-4)

[Licensee/Applicant] manages VDA identifiers by:

  • Receiving independent management authorization to assign an individual, group, role, or device identifier;
  • Selecting an identifier that identifies an individual, group, role, or device;
  • Assigning the identifier to the intended individual, group, role, or device; and
  • Preventing reuse of identifiers where reuse could allow unintended or unauthorized access; and
  • Disabling the identifier within 60 days of inactivity.

F-30 AUTHENTICATOR MANAGEMENT (informed by NIST SP 800-53 Rev. 4, IA-5)

[Licensee/Applicant] manages VDA authenticators by:

  • Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
  • Establishing initial authenticator content for authenticators defined by the organization;
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; DG-5062, Page F-8 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
  • Changing default content of authenticators prior to VDA installation;
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
  • Documenting authenticator types approved for use, the frequency for changing/refreshing, and the technical justification that demonstrates that adequate security is provided by the frequency;
  • Protecting authenticator content from unauthorized disclosure and modification;
  • Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
  • Changing authenticators for group/role accounts when membership to those accounts changes.

F-31 PASSWORD-BASED AUTHENTICATION (informed by NIST SP 800-53 Rev. 4, IA-5 (1))

[Licensee/Applicant] ensures that password-based authentication for the VDA:

  • Enforces a minimum password length, strength, and complexity that is within the capabilities of the VDA and commensurate with the required level of security;
  • Enforces password complexity such that the passwords cannot be found in a dictionary and do not contain predictable sequences of numbers or letters;
  • Enforces a sufficient number of changed characters when new passwords are created to ensure adversaries cannot determine the current password from previous entries;
  • Stores and transmits only cryptographically-protected passwords;
  • Enforces lifetime restrictions for password minimums of 1 day and provides a technical basis for maximums defined and documented by the CST that prevents unauthorized access;
  • Prohibits password reuse for 10 generations; and
  • When temporary passwords are used for VDA logons, an immediate change to a permanent password is required upon the first logon.

[Licensee/Applicant] ensures that written or electronic copies of master passwords are stored in a secure location with limited access.

F-32 PUBLIC KEY INFRASTRUCTURE (PKI)-BASED AUTHENTICATION (informed by NIST SP 800-53 Rev. 4, IA-5 (2))

[Licensee/Applicant] ensures that PKI-based authentication for the VDA:

  • Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
  • Enforces authorized access to the corresponding private key;
  • Maps the authenticated identity to the account of the individual or group; and
  • Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

F-33 HARDWARE TOKEN-BASED AUTHENTICATION (informed by NIST SP 800-53 Rev. 4, IA-5 (11))

[Licensee/Applicant] ensures that hardware token-based authentication for the VDA, employs mechanisms that satisfy E-authentication Assurance Level 3 as described in NIST SP 800-63-2 or later revisions.

DG-5062, Page F-9 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE F-34 AUTHENTICATOR FEEDBACK (informed by NIST SP 800-53 Rev. 4, IA-6)

[Licensee/Applicant] ensures the VDA obscures feedback of authentication information during the authentication process to protect the information from possible exploitation or use by unauthorized individuals.

F-35 CRYPTOGRAPHIC MODULE AUTHENTICATION (informed by NIST SP 800-53 Rev. 4, IA-7)

[Licensee/Applicant] ensures the VDA implements mechanisms for authentication to a cryptographic module based on NIST Cryptographic Module Validation Program (CMVP) and associated guidance for such authentication.

F-36 INCIDENT RESPONSE TRAINING (informed by NIST SP 800-53 Rev. 4, IR-2)

[Licensee/Applicant] provides incident response training to VDA users consistent with assigned roles and responsibilities:

  • Within 92 days of assuming an incident response role or responsibility;
  • When required by VDA changes; and
  • At least every 12 months.

F-37 INCIDENT RESPONSE TESTING (informed by NIST SP 800-53 Rev. 4, IR-3 & IR-3 (2))

[Licensee/Applicant]:

  • Tests the incident response capability for the VDA at least every 92 days using one or more of the following methods to determine the incident response effectiveness and documents the results of checklists, walk-through or tabletop exercises, and simulations (parallel/full interrupt).
  • Tests the incident response capability for the VDA at least every 36 months using a comprehensive exercise; and
  • Coordinates incident response testing with organizational elements responsible for related plans.

F-38 INCIDENT HANDLING (informed by NIST SP 800-53 Rev. 4, IR-4 & IR-4 (1))

[Licensee/Applicant]:

  • Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
  • Coordinates incident handling activities with contingency planning activities;
  • Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly; and
  • Utilizes automated mechanisms to support the incident handling process.

F-39 INCIDENT MONITORING (informed by NIST SP 800-53 Rev. 4, IR-5)

[Licensee/Applicant] tracks and documents VDA security incidents.

DG-5062, Page F-10 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE F-40 INCIDENT REPORTING (informed by NIST SP 800-53 Rev. 4, IR-6 & IR-6 (1))

[Licensee/Applicant]:

  • Requires personnel to report suspected cyber security incidents to the CST upon discovery; and
  • Employs automated mechanisms to assist in the reporting of security incidents.

F-41 INCIDENT RESPONSE ASSISTANCE (informed by NIST SP 800-53 Rev. 4, IR-7 & IR-7 (1))

[Licensee/Applicant]:

  • Provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the VDA for the handling and reporting of security incidents; and
  • Employs automated mechanisms to increase the availability of incident response-related information and support.

F-42 CONTROLLED MAINTENANCE (informed by NIST SP 800-53 Rev. 4, MA-2)

[Licensee/Applicant]:

  • Performs and documents maintenance and repairs on VDAs in a timely manner to prevent a consequence of concern;
  • Reviews records for maintenance and repairs on VDAs in accordance with manufacturer or vendor specifications but at least every 30 days;
  • Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
  • Requires that CST approve the removal of the VDA for off-site maintenance or repairs outside the licensees positive control;
  • Sanitizes equipment to remove all information from associated media prior to removal for off-site maintenance or repairs outside the licensees positive control;
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions;
  • Includes in records of maintenance and repairs on VDA components at a minimum: date, time, identification of those performing the maintenance, description of maintenance performed, and VDA components removed or replaced; and
  • Retains records for inspection by the NRC.

F-43 MAINTENANCE TOOLS (informed by NIST SP 800-53 Rev. 4, MA-3, MA-3 (1), & MA-3 (2))

[Licensee/Applicant]:

  • Approves, controls, and monitors VDA maintenance tools;
  • Inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications; and
  • Checks media containing diagnostic and test programs for malicious code before the media are used in the VDA.

DG-5062, Page F-11 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE F-44 NONLOCAL MAINTENANCE (informed by NIST SP 800-53 Rev. 4, MA-4, MA-4 (2), & MA-4 (3))

[Licensee/Applicant]:

  • Approves and monitors nonlocal maintenance and diagnostic activities;
  • Documents and only allows the use of nonlocal maintenance and diagnostic tools for the VDA where those tools do not introduce vulnerabilities or lead to a consequence of concern (e.g.,

information systems that perform maintenance on VDAs are protected equivalent to the VDA);

  • Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
  • Maintains records for nonlocal maintenance and diagnostic activities; and
  • Terminates session and network connections when nonlocal maintenance is completed.

[Licensee/Applicant]:

  • Documents the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections; or
  • Removes the component to be serviced from the VDA prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to VDA information) before removal from licensee facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the VDA.

F-45 MAINTENANCE PERSONNEL (informed by NIST SP 800-53 Rev. 4, MA-5)

[Licensee/Applicant]:

  • Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
  • Ensures that unescorted personnel performing maintenance on the VDA have required access authorizations; and
  • Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

F-46 TIMELY MAINTENANCE (informed by NIST SP 800-53 Rev. 4, MA-6)

[Licensee/Applicant] obtains maintenance support and/or spare parts for VDAs that must remain operational to prevent a consequence of concern.

F-47 MEDIA ACCESS (informed by NIST SP 800-53 Rev. 4, MP-2)

[Licensee/Applicant] restricts access to VDA media to authorized individuals only. VDA media includes any active storage device, passive storage device or passive media that:

  • Contain information used to manage, configure, maintain, secure or operate the VDA; or
  • Are used on the VDA for any purpose.

DG-5062, Page F-12 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE F-48 MEDIA MARKING (informed by NIST SP 800-53 Rev. 4, MP-3)

[Licensee/Applicant] marks VDA media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information.

F-49 MEDIA STORAGE (informed by NIST SP 800-53 Rev. 4, MP-4)

[Licensee/Applicant]:

  • Physically controls and securely stores VDA media; and
  • Protects VDA media until the media are destroyed or sanitized using approved equipment, techniques, and procedures that would prevent recovery of the data by an adversary.

F-50 MEDIA TRANSPORT (informed by NIST SP 800-53 Rev. 4, MP-5 & MP-5 (4))

[Licensee/Applicant]:

  • Protects and controls VDA media during transport outside of controlled areas;
  • Maintains accountability for VDA media during transport outside of controlled areas;
  • Documents activities associated with the transport of VDA media;
  • Restricts the activities associated with the transport of VDA media to authorized personnel; and
  • Implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

F-51 MEDIA SANITIZATION (informed by NIST SP 800-53 Rev. 4, MP-6)

[Licensee/Applicant]:

  • Sanitizes VDA media prior to disposal, release out of organizational control, or release for reuse in a manner that would prevent recovery of the data by an adversary; and
  • Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

F-52 MEDIA USE (informed by NIST SP 800-53 Rev. 4, MP-7)

[Licensee/Applicant] prohibits the use of any media with a VDA, except specifically approved VDA media.

F-53 VULNERABILITY SCANNING (informed by NIST SP 800-53 Rev. 4, RA-5, RA-5 (1), RA-5 (2), & RA-5 (5))

[Licensee/Applicant]:

  • Scans for vulnerabilities in the VDA and hosted applications at least every 30 days and when new vulnerabilities potentially affecting the VDA, applications or both are identified and reported;
  • Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

o Enumerating platforms, software flaws, and improper configurations; o Formatting checklists and test procedures; DG-5062, Page F-13 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE o Measuring vulnerability impact; and

  • Analyzes vulnerability scan reports and results from security control assessments;
  • Addresses vulnerabilities in a timely and technically justified manner to prevent a consequence of concern;
  • Shares information obtained from the vulnerability scanning process and security control assessments with appropriate personnel to help eliminate similar vulnerabilities in other VDAs (i.e., systemic weaknesses or deficiencies);
  • Employs vulnerability scanning tools that include the capability to readily update the VDA vulnerabilities to be scanned;
  • Updates the VDA vulnerabilities scanned prior to a new scan; and
  • Implements privileged access authorization to the VDA for vulnerability scanning activities.

F-54 EXTERNAL INFORMATION SYSTEM SERVICES (informed by NIST SP 800-53 Rev. 4, SA-9 & SA-9 (2))

[Licensee/Applicant]:

  • Requires that providers of external information system services that interact with VDAs comply with information security requirements and address security controls for the associated consequence of concern;
  • Defines and documents oversight and user roles and responsibilities with regard to external information system services;
  • Employs automated mechanisms to monitor security control compliance by external service providers on an ongoing basis; and
  • Requires providers of external information system services that interact with VDAs to identify the functions, ports, protocols, and other services required for the use of such services.

F-55 DEVELOPER CONFIGURATION MANAGEMENT (informed by NIST SP 800-53 Rev. 4, SA-10)

[Licensee/Applicant] requires the developer of the VDA, component, or information system service to:

  • Perform configuration management during the VDA, component, or service lifecycle;
  • Document, manage, and control the integrity of changes to the VDA, component, or service;
  • Implement only organization-approved changes to the VDA, component, or service;
  • Document approved changes to the VDA, component, or service and the potential security impacts of such changes; and
  • Track security flaws and flaw resolution within the VDA, component, or service and report findings to CST.

F-56 DEVELOPER SECURITY TESTING AND EVALUATION (informed by NIST SP 800-53 Rev. 4, SA-11)

[Licensee/Applicant] requires the developer of the VDA, component, or information system service to:

  • Create and implement a security assessment plan;
  • Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
  • Implement a verifiable flaw remediation process; and DG-5062, Page F-14 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Correct flaws identified during security testing and evaluation.

F-57 SYSTEM PROTECTION (informed by NIST SP 800-53 Rev. 4, SC-2 & SC-4)

[Licensee/Applicant]:

  • Separates user functionality of the VDA (including user interface services) from VDA management functionality; and
  • Prevents unauthorized and unintended information transfer via shared resources.

F-58 DENIAL OF SERVICE PROTECTION (informed by NIST SP 800-53 Rev. 4, SC-5)

[Licensee/Applicant] protects against or limits the effects of denial of service attacks by employing technical safeguards and countermeasures.

F-59 BOUNDARY PROTECTION (informed by NIST SP 800-53 Rev. 4, SC-7, SC-7 (3), SC-7 (4), SC-7 (5), & SC-7 (7))

[Licensee/Applicant] ensures the VDA:

  • Monitors and controls communications at the boundary of the VDA and at key internal boundaries within the VDA;
  • Implements subnetworks for publicly or externally accessible VDA components that are physically or logically separated from internal [licensee/applicant] networks;
  • Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with the security architecture; and
  • Denies network communications traffic at managed interfaces by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

[Licensee/Applicant] limits the number of external network connections to the VDA.

F-60 EXTERNAL TELECOMMUNICATIONS SERVICES (informed by NIST SP 800-53 Rev. 4, SC-7 (4), SC-7 (5), SC-7 (7). SC-7 (8), SC-7 (10),

SC-7 (11), SC-7 (12), SC-7 (14), SC-7 (18), SC-7 (20), & SC-7 (21))

[Licensee/Applicant]:

  • Implements a managed interface for each external telecommunication service;
  • Establishes a traffic flow policy for each managed interface;
  • Protects the confidentiality and integrity of the information being transmitted across each interface;
  • Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need;
  • Reviews exceptions to the traffic flow policyon a timely basis and removes exceptions that are no longer supported by an explicit mission/business need;
  • Implements a managed interface for each external telecommunication service;
  • Establishes a traffic flow policy for each managed interface;
  • Protects the confidentiality and integrity of the information being transmitted across each interface; DG-5062, Page F-15 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need;
  • Reviews exceptions to the traffic flow policy at least every 30 days and removes exceptions that are no longer supported by an explicit mission/business need;
  • Prevents the unauthorized exfiltration of information across managed interfaces;
  • Allows only incoming communications from authorized sources to be routed to VDAs;
  • Implements host-based firewalls on VDAs;
  • Protects against unauthorized physical connections to the VDA; and
  • Employs boundary protection mechanisms.

[Licensee/Applicant] ensures the VDA:

  • Has managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception);
  • Prevents, in conjunction with a remote device, the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks;
  • Routes internal communications traffic to external networks through authenticated proxy servers at managed interfaces;
  • Provides the capability to dynamically isolate/segregate VDAs from other VDAs; and
  • Fails securely and safely in the event of an operational failure of a boundary protection device.

F-61 TRANSMISSION CONFIDENTIALITY AND INTEGRITY (informed by NIST SP 800-53 Rev. 4, SC-8 & SC-8 (1))

[Licensee/Applicant] ensures the VDA:

  • Protects the confidentiality and integrity of transmitted information; and
  • Implements cryptographic mechanisms to prevent unauthorized disclosure of information and to detect changes to information during transmission, unless the transmission medium is otherwise protected by alternative physical safeguards.

F-62 NETWORK DISCONNECT (informed by NIST SP 800-53 Rev. 4, SC-10)

[Licensee/Applicant] terminates the network connection associated with a VDA communications session at the end of the session or within 10 minutes of inactivity, except for communications sessions that are necessary for safe operation of the VDA or are necessary to prevent a consequence of concern, F-63 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT (informed by NIST SP 800-53 Rev. 4, SC-12 & SC-12 (1))

[Licensee/Applicant]:

  • Establishes and manages cryptographic keys for required cryptography employed within the VDA in accordance with NIST CMVP; and
  • Maintains availability of information necessary to safely operate the VDA or prevent a consequence of concern in the event of the loss of cryptographic keys by users.

DG-5062, Page F-16 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE F-64 COLLABORATIVE COMPUTING DEVICES (informed by NIST SP 800-53 Rev. 4, SC-15)

[Licensee/Applicant] ensures the VDA:

  • Prohibits remote activation of collaborative computing devices except where explicitly authorized; and
  • Provides an explicit indication of use to users physically present at the devices.

F-65 PUBLIC KEY INFRASTRUCTURE CERTIFICATES (informed by NIST SP 800-53 Rev. 4, SC-17)

[Licensee/Applicant] issues public key certificates under a certificate policy or obtains public key certificates from a service provider approved by the licensee.

F-66 VOICE OVER INTERNET PROTOCOL (VOIP)

(informed by NIST SP 800-53 Rev. 4, SC-19)

[Licensee/Applicant]:

  • Establishes usage restrictions and implementation guidance for VoIP technologies based on the potential to cause damage to the VDA if used maliciously; and
  • Authorizes, monitors, and controls the use of VoIP within the VDA.

F-67 SECURE NAME / ADDRESS RESOLUTION (informed by NIST SP 800-53 Rev. 4, SC-20, SC-20a, SC-21, & SC-22)

[Licensee/Applicant] ensures the VDA:

  • Provides additional data origin authentication and integrity verification artifacts for the VDA along with the authoritative name resolution data the VDA returns in response to external name/address resolution queries;
  • Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace;
  • Requests and performs data origin authentication and data integrity verification on the name/address resolution responses the VDA receives from authoritative sources; and
  • Collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

F-68 SESSION AUTHENTICITY (informed by NIST SP 800-53 Rev. 4, SC-23)

[Licensee/Applicant] ensures the VDA protects the authenticity of communications sessions.

F-69 PROTECTION OF INFORMATION AT REST (informed by NIST SP 800-53 Rev. 4, SC-28)

[Licensee/Applicant] protects the confidentiality and integrity of VDA information at rest.

DG-5062, Page F-17 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE F-70 PROCESS ISOLATION (informed by NIST SP 800-53 Rev. 4, SC-39)

[Licensee/Applicant] maintains a separate execution domain for each executing process.

F-71 FLAW REMEDIATION (informed by NIST SP 800-53 Rev. 4, SI-2 & SI-2 (2))

[Licensee/Applicant]:

  • Identifies, reports, and corrects VDA flaws;
  • Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
  • Correcting the flaw expeditiously using the configuration management process;
  • Incorporates flaw remediation into the organizational configuration management process;
  • Performs vulnerability scans and assessments of the VDA to validate that the flaw has been eliminated before the VDA is put into production; and
  • Employs automated mechanisms to determine the state of VDA components with regard to flaw remediation.

F-72 MALICIOUS CODE PROTECTION (informed by NIST SP 800-53 Rev. 4, SI-3, SI-3 (1), & SI-3 (2))

[Licensee/Applicant]:

  • Employs malicious code protection mechanisms at VDA network entry and exit points to detect and eradicate malicious code;
  • Updates malicious code protection mechanisms whenever new releases are available;
  • Configures malicious code protection mechanisms to:

o Perform periodic scans of the VDA at least every 7 days; o Perform real-time scans of files from external sources as the files are downloaded, opened, or executed; o Prevent malicious code execution; o Alert the CST of the detection of malicious code in a timely manner; and

  • Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the VDA;
  • Centrally manages malicious code protection mechanisms; and
  • Automatically updates malicious code protection mechanisms for the VDA.

F-73 VDA MONITORING (informed by NIST SP 800-53 Rev. 4, SI-4, SI-4 (2), SI-4 (4), & SI-4 (5))

[Licensee/Applicant]:

  • Monitors the VDA to detect:

o Cyber attacks and indicators of potential cyber attacks; o Unauthorized local, network, and remote connections; and

  • Identifies unauthorized use of the VDA using automated or other means;
  • Deploys monitoring devices:

o Strategically within the VDA to collect organization-determined essential information; o At ad hoc locations within the system to track specific types of transactions of interest to the organization; and DG-5062, Page F-18 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE

  • Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
  • Heightens the level of VDA monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
  • Provides VDA monitoring information to appropriate licensee cyber security personnel as necessary;
  • Employs automated tools to support near real-time analysis of events;
  • Monitors inbound and outbound communications traffic for the VDA in near real-time for unusual or unauthorized activities or conditions; and
  • Ensures appropriate cyber security personnel are alerted when indications of compromise or potential compromise of the VDA occurs.

F-74 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES (informed by NIST SP 800-53 Rev. 4, SI-5)

[Licensee/Applicant]:

  • Receives cyber security alerts, advisories, and directives from diverse and credible external sources on an ongoing basis;
  • Generates internal security alerts, advisories, and directives as necessary;
  • Disseminates security alerts, advisories, and directives to appropriate personnel and the NRC; and
  • Implements security directives in a timely manner.

F-75 SECURITY FUNCTION VERIFICATION (informed by NIST SP 800-53 Rev. 4, SI-6 & SI-6 (3))

[Licensee/Applicant]:

  • Verifies the correct operation of security functions;
  • Performs this verification upon startup and restart, upon command by a user with appropriate privilege, at least every 7 days, and when anomalies are discovered;
  • Notifies appropriate personnel in a timely manner of failed security verification tests; and
  • Reports the results of security function verification to the CST.

F-76 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY (informed by NIST SP 800-53 Rev. 4, SI-7, SI-7 (1), SI-7 (2), SI-7 (5), SI-7 (7), SI-7 (12),

SI-7 (12), SI-7 (14))

[Licensee/Applicant]:

  • Employs integrity verification tools to detect unauthorized changes to VDA software, firmware, and information;
  • Performs an integrity check of VDA software, firmware, and information that occurs, where possible, upon startup and restart, upon command by a user with appropriate privilege, at least every 30 days, and when anomalies are discovered; and
  • Incorporates the detection of unauthorized security-relevant changes to the VDA into the organizational incident response capability.

DG-5062, Page F-19 DRAFT REGULATORY GUIDE

DRAFT REGULATORY GUIDE F-77 ERROR HANDLING (informed by NIST SP 800-53 Rev. 4, SI-11)

[Licensee/Applicant] ensures the VDA:

  • Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
  • Reveals error messages only to personnel responsible for VDA operation and maintenance.

F-78 INFORMATION HANDLING AND RETENTION (informed by NIST SP 800-53 Rev. 4, SI-12)

[Licensee/Applicant] handles and retains information within the VDA and information output from the VDA in accordance with NRC record retention requirements.

F-79 MEMORY PROTECTION (informed by NIST SP 800-53 Rev. 4, SI-16)

[Licensee/Applicant] implements automated mechanisms and safeguards for the VDA to protect its memory from unauthorized code execution.

DG-5062, Page F-20 DRAFT REGULATORY GUIDE