ML19024A052

Memo: Meeting Summary on Power Reactor Cyber Assessment 01/10/2019
ML19024A052
Person / Time
Issue date: 01/28/2019
From: Brad Bergemann
NRC/NSIR/DPCP/CSB
To: Jim Beardsley
NRC/NSIR/DPCP/CSB
Bergemann B
Shared Package
ML19024A051 List:


Text

January 28, 2019

MEMORANDUM TO: James Beardsley, Branch Chief, Cyber Security Branch, Division of Physical and Cyber Security Policy, Office of Nuclear Security and Incident Response

FROM: Brad Bergemann, Cyber Self-Assessment Team Lead /RA/, Cyber Security Branch, Division of Physical and Cyber Security Policy, Office of Nuclear Security and Incident Response

SUBJECT: SUMMARY OF CATEGORY 2 PUBLIC MEETING ON JANUARY 10, 2019, WITH INDUSTRY STAKEHOLDERS AND THE NUCLEAR ENERGY INSTITUTE REGARDING KICKOFF OF THE U.S. NUCLEAR REGULATORY COMMISSION CYBER ASSESSMENT

On January 10, 2019, the U.S. Nuclear Regulatory Commission (NRC) staff held a public meeting with the Nuclear Energy Institute and other stakeholders. The purpose of the meeting was to discuss the upcoming schedule and activities for the assessment of the Power Reactor Cyber Security Program. The meeting also allowed stakeholders to ask questions with regards to the planned activities.

The NRC staff presented the objectives for the assessment, identified the personnel currently assigned to perform it, and provided a tentative schedule of the assessment activities and a preliminary list of some of the questions that will be discussed with stakeholders throughout the process. The room and phone lines were then opened to questions. These questions included:

1. How is NRC experience going to be integrated into the assessment?

NRC staff responded that, while not explicitly identified in the schedule, NRC experience with cyber security will be evaluated as part of the assessment. It was not included on the schedule since it is an internal activity.

2. What is risk-informed and how will it apply to the cyber assessment?

NRC staff responded that risk-informed is still an ongoing issue within the agency and we're still working on how to incorporate it into cyber at this time.

CONTACT: Daniel G. Warner, NSIR/DPCP (301) 287-3642

3. Once the assessment is complete, what happens next, and when?

NRC staff stated that this is not completely known yet; it depends on the feedback received as part of the assessment. The rulemaking process is lengthy and may not be the right choice. Guidance changes are another possibility. The report at the end of the assessment will provide the basis for a decision on the path forward and is intended to be implemented once all full implementation inspections are complete.

4. An industry stakeholder provided comments on Regulatory Guide (RG) 5.71 and asked why they haven't seen a response yet. The stakeholder was also concerned about the theme that they keep hearing that there was misunderstanding in how the guidance was applied. They felt there was no real issue with the guidance; instead, the issue is with the rule itself and how it identifies critical digital assets that need to be protected for Emergency Planning reasons. They indicated the rule should focus on target sets and that protecting other unnecessary components draws resources away from where needed.

NRC staff indicated the RG 5.71 comment incorporation process is still ongoing and that's why the commenter has not seen the feedback yet.

At the conclusion of the meeting, stakeholders indicated a call was planned for January 17th to discuss scheduling the engagement meetings and would provide the information on the meeting to NRC staff so they can attend.

No comments or questions were received on the call by members of the public.

Enclosures:

1. Attendee List
2. Slides: Power Reactor Cyber Security Program Assessment

ML19024A051

OFFICE    NSIR/DPCP/CSB    NSIR/DPCP/CSB    NSIR/DPCP/CSB
NAME      D. Warner        B. Bergemann     J. Beardsley
DATE      1/25/19          1/28/19          1/28/19