ML20085E651
| Person / Time | |
|---|---|
| Site: | Grand Gulf, Arkansas Nuclear, River Bend, Waterford (DPR-051, NPF-006, NPF-029, NPF-038, NPF-047) |
| Issue date: | 04/29/2020 |
| From: | Clay Johnson NRC/OCFO |
| To: | Halter M Entergy Services |
| Lingam S | |
| References | |
| CAC 001648, EPID P-2020-PRF-0000 | |
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

April 29, 2020

Mrs. Mandy Halter
Vice President, Regulatory Assurance
Entergy Services, LLC
M-ECH-61
1340 Echelon Parkway
Jackson, MS 39213

SUBJECT: PERFORMANCE-BASED TESTING PROPOSAL FOR ENTERGY'S CYBER SECURITY TESTING PLAN (EPID P-2020-PRF-0000; CAC NO. 001648)
Dear Mrs. Halter:
On behalf of the U.S. Nuclear Regulatory Commission (NRC, the Commission), I am responding to your letter dated March 12, 2020 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML20072M555), requesting a fee waiver under Section 170.11(a)(1)(ii) of Title 10 of the Code of Federal Regulations (10 CFR) for NRC review associated with a proposed performance-based cyber security testing plan.
The NRC has established regulations for the granting of fee exemptions under 10 CFR 170.11, "Exemptions," which may be applied for in accordance with 10 CFR 170.5, "Communications."¹ The NRC staff has reviewed your request based on 10 CFR 170.11(a)(1)(ii) and 10 CFR 170.11(a)(13), which provide as follows:

10 CFR 170.11(a) No application fees, license fees, renewal fees, inspection fees, or special project fees shall be required for:
(1) A special project that is a request/report submitted to the NRC...
(ii) When the NRC, at the time the request/report is submitted, plans to use the information in response to an NRC request from the Office Director level or above to resolve an identified safety, safeguards, or environmental issue, or to assist the NRC in generic regulatory improvements or efforts (e.g., rules, regulatory guides, regulations, policy statements, generic letters, or bulletins).
10 CFR 170.11(a)(13) All fee exemption requests must be submitted in writing to the Chief Financial Officer in accordance with § 170.5, and the Chief Financial Officer will grant or deny such requests in writing.
¹ 10 CFR 170.5 provides that "All communications concerning the regulations in this part should be addressed to the NRC's Chief Financial Officer, either by mail to the U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; by hand delivery to the NRC's offices at 11555 Rockville Pike, Rockville, Maryland; or, where practicable, by electronic submission, for example, via Electronic Information Exchange, or CD-ROM."

At present, the NRC staff performs periodic cyber security inspections of the licensees' facilities to verify compliance with the NRC-approved cyber security plan for each site per the requirements of 10 CFR 73.54, "Protection of digital computer and communication systems and networks," also known as the cyber security rule. The current inspection process consumes a significant amount of effort and time from both NRC and the licensees to conduct the cyber security inspections. By letter dated December 21, 2019, Entergy Services, LLC (Entergy) submitted a draft report, "Approach to Performance-Based Testing for the Nuclear Cyber Security Program," requesting NRC's review and acceptance. Entergy stated that the proposed testing would be performance-based in order to demonstrate the protection, detection, and response capabilities of the systems and devices meet or exceed the cyber security requirements. The performance-based testing will include the following cyber defenses in the performance-based testing laboratory:

- Defense-in-depth architecture
- Portable digital media program
- Security information and event management architecture

As a part of the review of this proposal, the NRC staff conducted internal meetings with the Entergy representatives to discuss the performance-based tests in support of the inspection. By letter dated January 24, 2020 (ADAMS Accession No. ML20031C877), the NRC informed Entergy that the draft report is acceptable for use during inspections if Entergy develops an acceptable appendix with details of the performance testing protocols before the proposal is implemented.
If the final Entergy report is approved by the NRC, the report may be used in support of NRC cyber security inspections at Entergy sites. Further, NRC review and endorsement of the proposal will improve the effectiveness and efficiency of licensee cyber security programs and NRC oversight functions and can be used by the NRC as it develops and implements its Cyber Security Action Plan. In addition, Entergy plans to share its NRC-approved performance-based testing procedure with the rest of the nuclear industry through the Nuclear Information Technology Strategic Leadership Organization after redacting any sensitive or proprietary details specific to the Entergy (ADAMS Accession No. ML20093C307). Entergy's redacted version will include the tests' goals and objectives that will serve the purpose for the rest of the nuclear industry.

The NRC staff concludes Entergy's request for review of its final report resulting from the performance-based cyber security testing plan at Entergy's sites meets the criteria under 10 CFR 170.11(a)(1)(ii) because these changes will enhance the NRC performance review in support of cyber security inspections; therefore, the fee waiver request is approved.
If you have any technical questions regarding this matter, please contact Mr. Ralph Costello at 301-287-3618. Please contact Mr. William Blaney, of my staff, at 301-415-5092 for any fee-related questions.
Sincerely,
/RA/
Cherish K. Johnson
Chief Financial Officer
Office of the Chief Financial Officer

Docket Nos. 50-313, 50-368, 50-382, 50-416, and 50-458
SUBJECT: PERFORMANCE-BASED TESTING PROPOSAL FOR ENTERGY'S CYBER SECURITY TESTING PLAN (EPID P-2020-PRF-0000; CAC NO. 001648) DATED April 29, 2020

DISTRIBUTION: Y020200073
PUBLIC
RidsNrrDorl Resource
RidsNrrDorlLpl4 Resource
RidsNrrOd Resource
RidsOcfoMailCenter Resource

ADAMS: Yes No Initials:
SUNSI Review: Publicly Available Non-Publicly Available Sensitive Non-Sensitive
ADAMS Accession Nos.: ML20072M555 (incoming); ML20085E651 (letter)

* via e-mail

| OFFICE | NAME | DATE |
|---|---|---|
| DORL/LPL4/PM | SLingam* | 03/23/2020 |
| NSIR/DCP/CSB | RCostello* | 03/24/2020 |
| OCFO/DOB/LFPT | WBlaney* | 03/24/2020 |
| OCFO/DOB/LFPT | JJacobs* | 03/24/2020 |
| DORL/LPL4/LA | PBlechman* | 3/25/2020 |
| DORL/LPL4/BC | JDixon-Herrity* | 3/25/2020 |
| DORL/D | CErlanger (GSuber for)* | 4/1/2020 |
| NSIR/DPCP/CSB/BC | JBeardsley* | 3/31/2020 |
| NSIR/DPCP/D | Shelton* | 4/1/2020 |
| OGC | M. Clark* NLO | 04/16/2020 |
| OCFO/DOC/LAFBB | JGibbs-Nicholson* | 04/23/2020 |
| OCFO/DOC/LAFBB | MBlair* | 04/20/2020 |
| OCFO/DOB/LFPT | ARossi* | 04/24/2020 |
| OCFO/DOB | RAllwein* | 04/27/2020 |
| OCFO/DOB | JEShay* | 04/29/2020 |
| DCFO | BFicks* | 04/29/2020 |
| CFO | CKJohnson | 04/29/2020 |

OFFICIAL RECORD ONLY