ML19296A038
| ML19296A038 | |
| Person / Time | |
|---|---|
| Issue date: | 10/28/2019 |
| From: | Kim Holloway NRC/NSIR/DPCP/CSB |
| To: | Baker B Office of Nuclear Reactor Regulation |
| Holloway K 301.415.0286 | |
| Shared Package | |
| ML19232A480 | List: |
| References | |
| OEDO-19-00273, OEDO-19-00401, OIG-19-A-13 | |
| Download: ML19296A038 (1) | |
Text
Enclosure STAFF RESPONSE TO THE OFFICE OF THE INSPECTOR GENERALS AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSIONS CYBER SECURITY INSPECTIONS AT NUCLEAR POWER PLANTS OIG-19-A-13 In OIG-19-A-13, Audit of NRCs Cyber Security Inspections at Nuclear Power Plants, the Office of the Inspector General provided two recommendations to the U.S. Nuclear Regulatory Commissions (NRC) staff for improving the agencys cyber security oversight program. Below is the OIGs recommendation #2 followed by the NRC staffs responses; recommendation #1 is closed.
Recommendation 2:
Use the results of operating experience and discussions with industry to develop and implement suitable cyber security performance measure(s) (e.g., testing, analysis of logs, etc.) by which licensees can demonstrate sustained program effectiveness.
Update:
The staff agrees with the recommendation.
The staff has completed an assessment of the Power Reactor Cyber Security Program; the assessment reflects feedback and lessons learned from industry stakeholders regarding the cyber security rule, associated guidance, licensee implementation, and NRC inspections. The staff finalized the assessment report in July 2019 and developed an action plan (finalized October 2019) to evaluate and implement appropriate program enhancements (e.g., the need for program implementation guidance and adjustments to promote efficiency in the oversight program, and new or revised guidance). The assessment action plan considered feedback from the assessment itself, ongoing cyber security program full-implementation inspections, and proposed enhancements to the cyber security program. This plan includes the evaluation of potential performance metrics regarding licensees cyber security programs. In addition, some licensees are developing proposals to conduct performance testing to test their cyber security program performance against potential threats.
The action plan includes a staff effort to update the cyber security oversight program. This update will factor in lessons learned from the 2017-2020 cyber security inspection program that verified licensees full implementation. The update will include the development of a new inspection procedure to replace the current procedure IP 71130.10P. The IP, targeted for implementation in 2021, will shift the focus from program implementation to program performance effectiveness.
Target date for completion: Issuance of the new cyber inspection procedure, November 2020.
Point of
Contact:
Kim Holloway, NSIR/DPCP (301) 415-0286