ML19172A303

OEDO-19-00273-OEDO Ticket - Audit of NRC's Cyber Security Inspections at Nuclear Power Plants (OIG-19-A-13): Enclosure to NSIR Memo
ML19172A303
Person / Time
Issue date: 07/03/2019
From: NRC/EDO/DEDR, Office of Nuclear Security and Incident Response
To: NRC/OIG/AIGA
Bowers A 301.415.1955
Shared Package: ML19172A302
References: OEDO-19-00273, OIG-19-A-13


Text

STAFF RESPONSE TO THE OFFICE OF THE INSPECTOR GENERAL'S AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S CYBER SECURITY INSPECTIONS AT NUCLEAR POWER PLANTS OIG-19-A-13

In Office of the Inspector General's (OIG)-19-A-13, "Audit of NRC's Cyber Security Inspections at Nuclear Power Plants," the OIG provided two recommendations to the U.S. Nuclear Regulatory Commission's (NRC) staff for improving the agency's cyber security oversight program. Below are the OIG's recommendations followed by the NRC staff's responses, including target completion dates.

Recommendation 1:

Concurrent with developing any changes to the cyber security inspection program, use the Strategic Workforce Planning initiative to identify critical skill gap and closure strategies for future cyber security inspection staffing, such as:

a) Hiring flexibilities, b) Internal rotations, c) Competency modeling, d) Availability of outside training and continuous training, and e) Appropriate numbers and roles of staff.

NRC Response:

The staff agrees with the recommendation.

The enhanced Strategic Workforce Planning (SWP) program is an agency-wide initiative that enables the NRC to recruit, retain and develop a skilled and diverse workforce having the competencies and agility to address emerging demands and workload fluctuations to accomplish the agency mission. As a part of this program, senior agency leaders and first-line supervisors continuously assess the changing industry and regulatory landscape, the forecasted workload over a rolling 5-year period, and resource capacity (demand/supply) to identify where reshaping of the workforce may be necessary, and to address resource and skill gaps or overages in the workforce.

During fiscal year (FY) 2018, an SWP pilot was implemented and jointly led by the Office of the Executive Director for Operations (OEDO) and the Office of the Chief Human Capital Officer (OCHCO). The pilot was an outcome of a tasking memorandum from the Executive Director for Operations, "Enhancing Strategic Workforce Planning," dated January 19, 2017 (ML17005A256). The pilot offices included the Office of Regulatory Research (RES), the Office of the Chief Financial Officer (OCFO), and Region II. Following the success of the pilot, Phase II of the SWP program was implemented in August 2018, and expanded to include the following offices:

  • Phase I Pilot Offices (RES, OCFO, and Region II)
  • Program Offices (Office of Nuclear Materials Safety and Safeguards, Office of New Reactors, Office of Nuclear Reactor Regulation, and Office of Nuclear Security and Incident Response (NSIR))
  • Regions I, III, IV
  • Office of the Chief Information Officer

As an outcome of this effort, program offices at NRC headquarters and Regions I-IV are developing strategies to sustain a robust cyber security inspection workforce informed by the insights drawn from the SWP process and any other fact-of-life changes. Implementation of the strategies will be monitored by the respective program offices and Regions, and by OCHCO and OEDO. The SWP process will be implemented on an annual cycle and, in FY 2020, progress towards addressing these strategies in cyber security will be assessed, and adjustments will be considered based on information collected through the SWP process each year.

Additionally, NSIR is utilizing internal and external training activities to further develop the skills of inspectors. The staff will continue the routine tele-training of specific key areas to enhance inspector understanding and expertise. Furthermore, NSIR is working with outside cyber security training specialists to provide in-house training for NRC cyber security specialists and inspectors. This will support the SWP initiatives to further develop our cyber security skills.

Therefore, the staff considers Recommendation 1 to be complete.

Target date for completion: Completed June 28, 2019

Point of Contact: Anthony Bowers, NSIR/DPCP/CSB, 301-415-1955

Recommendation 2:

Use the results of operating experience and discussions with industry to develop and implement suitable cyber security performance measure(s) (e.g. testing, analysis of logs, etc.) by which licensees can demonstrate sustained program effectiveness.

NRC Response:

The staff agrees with the recommendation.

The staff has completed an assessment of the Power Reactor Cyber Security Program, which collected feedback and lessons learned from stakeholders regarding the cyber security rule, associated guidance, licensee implementation, and NRC inspections. The staff is finalizing the assessment report to be complete in July 2019, and developing an action plan (due September 2019) to evaluate and implement appropriate program enhancements (e.g., new or revised program implementation guidance for licensees and adjustments to the oversight program). The assessment action plan will consider feedback from the assessment itself, ongoing cyber security plan full-implementation inspections, and proposed enhancements to the cyber security program presented to NRC by industry in a closed public meeting on May 29, 2019. The industry-proposed enhancements included an initiative to improve the cyber security inspection program using various methods, including input from licensee ongoing performance monitoring processes and the establishment of performance indicators.

Target date for completion:

Issuance of the NRC Assessment Report: Fourth Quarter of FY 2019

Issuance of the NRC Action Plan: Fourth Quarter of FY 2019

Point of Contact: Anthony Bowers, NSIR/DPCP/CSB, 301-415-1955