Text

September 13, 2017 Mr. Joseph Pollock Nuclear Energy Institute 1201 F St., NW, Suite 1100, Washington, DC 20004-1218

Dear Mr. Pollock,

I am writing to provide a status update on the U.S. Nuclear Regulatory Commissions (NRCs) review of a petition for rulemaking (PRM) that was submitted by the Nuclear Energy Institute (NEI) by letter dated June 12, 2014. In the PRM, NEI requested that the NRC amend the regulations in Title 10 of the Code of Federal Regulations (10 CFR) Section 73.54, Protection of Digital Computer and Communication Systems and Networks. Specifically, NEI requested that the NRC amend the scoping language contained in 10 CFR 73.54(a)(1) to focus on protection of digital computer and networks associated with only those structures, systems, and components (SSCs) that are necessary to prevent significant core damage and spent fuel sabotage or whose failure would cause a reactor scram.

The NRC docketed your letter as PRM 73-18. A notice of docketing and request for public comment was published in the Federal Register on September 22, 2014 (79 FR 56525). The public comment period for PRM 73-18 closed on December 8, 2014. The NRC received a total of 19 comment submissions on PRM 73-18, which can be viewed at http://www.regulations.gov by searching docket number NRC-2014-0165.

It is important to note that the NRC published the cyber security requirements in 10 CFR 73.54 in 2009 (74 FR 13926,13927) to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks up to and including the design basis threat, as stated in 10 CFR 73.1(a)(1)(v). The regulations in 10 CFR 73.54 require, in part, that licensees analyze their digital computer and communication systems and networks associated with safety, security, and emergency preparedness (SSEP) functions, as well as certain support systems and equipment to identify those that require protection. These requirements were substantial improvements upon the requirements imposed by the NRC in Order EA-02-06, Interim Compensatory Measures Order, issued on February 25, 2002. The regulations in 10 CFR 73.54 (cyber security rule) require that for both current and new licensees, the cyber security plan will become part of the licensees licensing basis in the same manner as other security plans.

Most licensees are working to complete implementation of the cyber security rule. The staff plans to conduct inspections after the licensees have completed full implementation. About a third of the way through the inspection cycle, the staff will conduct an assessment of the cyber security rule and its implementation. At that time, the staff will have collected sufficient data from these inspections including any insights regarding potential impacts to the cyber security rule. This process will include an evaluation of the scope of the cyber security rule and could result in recommendations for future rulemaking. The staff expects to complete these efforts and provide a recommendation to the Commission by December 2019.

I would like to highlight a couple of other important points regarding this petition. The staff has worked to reduce the potential burden of the rule. Specifically, the staff worked with external stakeholders to develop guidance that established a consequence-based approach, which has enabled licensees to apply controls consistent with the significance of the digital assets.

Second, as the required implementation date quickly approaches, the staff seeks to avoid distracting the licensees from completing the necessary actions. The plan to revisit the need for rule changes following the staffs assessment of full implementation will maximize insights gained, while remaining timely. The petition will remain open until the staffs assessment is complete. In the meantime, the staff will continue to provide you with status updates on your petition every six months. Once the petition has been resolved, the NRC will publish a notice in the Federal Register explaining the staffs finding. At that time, you will also receive a letter notifying you of the NRCs actions.

You may direct any questions regarding this matter to Meena Khanna by calling 301-415-2150 or by e-mailing Meena.Khanna@nrc.gov.

Sincerely,

/RA/

Brian E. Holian, Acting Director Office of Nuclear Reactor Regulation

ML17179A002; *concurrence via e-mail NRR-106