Text

September 7, 2017 Ms. Sue Perkins-Grew, Sr. Director Nuclear Security & Incident Preparedness Nuclear Energy Institute 1201 F Street, NW, Suite 1100 Washington, DC 20004

SUBJECT:

NUCLEAR ENERGY INSTITUTE 13-10, CYBER SECURITY CONTROL ASSESSMENTS, REVISION 5, DATED FEBRUARY 2017

Dear Ms. Perkins-Grew:

In your letter dated August 16, 2017 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML17234A616), you requested that the U.S. Nuclear Regulatory Commission (NRC) staff review and endorse the Nuclear Energy Institutes (NEIs) guidance document NEI 13-10, Cyber Security Control Assessments, Revision 6, dated August 2017 (ADAMS Accession No. ML17234A615). The purpose of Revision 6 is to address the staffs comments on NEI 13-10, Revision 5. Those comments were provided to NEI by letter dated July 21, 2017 (ADAMS Accession No. ML17179A266). The following three items were addressed in Revision 6:

1. Revision 6 was clarified regarding the term safety functions with respect to the identification of Critical Digital Assets as direct or indirect. Conforming changes were made to questions 1 and 2 in appendix E.

2. Question 6 of appendix E was clarified to indicate that for limited capability devices, detection may be possible using existing administrative measures.

3. The template in appendix B and examples in appendix C were clarified to correctly reference the figures in appendix A.

The NRC staff has completed its review of the revision and concludes that NEI 13-10, Revision 6 is acceptable for use by licensees to address the security controls provided in their cyber security plans.

S. Perkins-Grew 2

Please contact Mr. James Beardsley at (301) 287-0908 or Mr. Eric Lee at (301) 287-3461 if you have any questions.

Sincerely,

/RA/

James Andersen, Director Division of Physical and Cyber Security Policy Office of Nuclear Security and Incident Response

ML17240A002 OFFICE NSIR/DPCP/CSB NSIR/DPCP/CSB NSIR/DPCP NAME E. Lee J. Beardsley J. Andersen DATE 9/6 /17 9/6/17 9/7/17