ML17179A266

NRC Response to NEI 13-10, Revision 5, Cyber Security Control Assessments.
Person / Time
Issue date: 07/21/2017
From: Andersen J
NRC/NSIR/DPCP/CSB
To: Perkins-Grew S
Nuclear Energy Institute
Shared Package
ML17179A265 List:
References


Text

July 21, 2017

Ms. Sue Perkins-Grew, Sr. Director
Nuclear Security & Incident Preparedness
Nuclear Energy Institute
1201 F Street, NW, Suite 1100
Washington, DC 20004

SUBJECT: NUCLEAR ENERGY INSTITUTE 13-10, CYBER SECURITY CONTROL ASSESSMENTS, REVISION 5, DATED FEBRUARY 2017

Dear Ms. Perkins-Grew:

In your letter dated February 10, 2017 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML17046A650), you requested that the U.S. Nuclear Regulatory Commission (NRC) staff review and endorse the Nuclear Energy Institute's (NEI's) guidance document NEI 13-10, "Cyber Security Control Assessments," Revision 5, dated February 2017 (ADAMS Accession No. ML17046A658). The purpose of Revision 5 is to address lessons learned from a workshop conducted in 2016.

The NRC staff completed the review of NEI 13-10, Revision 5 using NRC security regulations, regulatory guidance, and industry guidance determined by the NRC to be acceptable for use by industry in meeting the requirements of Title 10 of the Code of Federal Regulations (10 CFR) 73.54. A list of these documents is provided as Enclosure 1. Based on the review, the NRC staff concludes that before the staff can find NEI 13-10, Revision 5 acceptable for use by licensees to address the security controls provided in their cyber security plans, NEI 13-10, Revision 5 needs to address the following issues:

1. The proposed new term "safety-related" used in NEI 13-10, Revision 5 is not acceptable.

Replace the proposed term with the term "safety" that was used in Revision 4.

By changing the term "safety functions" provided in NEI 13-10, Revision 4 with the term "safety-related," non-safety-related systems and equipment that are relied upon to remain functional during and following accident or transient events that are not analyzed in Chapter 15 of the FSAR [Final Safety Analysis Report] will not be identified as direct CDAs. These CDAs, if compromised, could pose significant impact to safety-related or important-to-safety functions. Based on the above, the term "safety-related" as used in NEI 13-10, Revision 5 to replace the term "safety" provided in NEI 13-10, Revision 4 is not acceptable.

Additionally, the staff finds that Section 3.2 of NEI 13-10 needs to include the following statement to clarify the safety functions:

For the purposes of the indirect screening, the following SSCs are considered to perform safety functions: safety-related or non-safety-related SSCs that are relied upon to remain functional during any plant conditions to ensure:

a. The integrity of the reactor coolant pressure boundary;
b. The capability to shut down the reactor and maintain it in a safe shutdown condition; or

c. The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures comparable to those referred to in 10 CFR 50.34(a)(1), 10 CFR 50.67(b)(2), or 10 CFR 100.11.

2. Revise the answers to Question 1 and Question 2 provided in Appendix E to reflect the term "safety" defined in Item 1 above.

3. Revise the non-direct CDA determination questions provided in Appendix B and C to correctly reference the flow chart box numbers provided in Figure 1 and Figure 2 of NEI 13-10.

provides a redline and strike-out version of NEI 13-10, Revision 5 that reflects the staff's above conclusions.

Please contact Mr. James Beardsley at (301) 287-0908 or Mr. Eric Lee at (301) 287-3461 if you have any questions.

Sincerely,

/RA/

James Andersen, Director
Division of Physical and Cyber Security Policy
Office of Nuclear Security and Incident Response

ML17179A265
OFC   NSIR/DPCP/CSB  NSIR/DPCP/CSB  NSIR/DPCP
NAME  E. Lee         J. Beardsley   J. Andersen
DATE  7/5/17         7/6/17         7/21/17