ML20223A256
| ML20223A256 | |
| Person / Time | |
|---|---|
| Issue date: | 08/28/2020 |
| From: | Russell Felts NRC/NSIR/DPCP |
| To: | Gross W Nuclear Energy Institute |
| Lee E, 301-287-3461 | |
| References | |
| Download: ML20223A256 (3) | |
Text
August 28, 2020 Mr. William R. Gross Director, Incident Preparedness Nuclear Energy Institute 1201 F Street NW, Suite 1100 Washington, DC 20004
SUBJECT:
RESPONSE TO NEI WHITE PAPER, "CHANGES TO NEI 10-04 AND NEI 13-10 GUIDANCE FOR IDENTIFYING AND PROTECTING DIGITAL ASSETS ASSOCIATED WITH SAFETY-RELATED AND IMPORTANT-TO-SAFETY FUNCTIONS," DATED JULY 2020
Dear Mr. Gross:
In your letter, dated July 17, 2020 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML20199M368), in which you enclosed and requested the U.S.
Nuclear Regulatory Commission (NRC) staff to review NEI White Paper, Changes to NEI 10-04 and NEI 13-10 Guidance for Identifying and Protecting Digital Assets Associated with Safety- Related and Important-To-Safety Functions," dated July 2020 (the July SR/ITS white paper). The letter requested that the NRC staff confirm that the changes proposed in the July SR/ITS white paper do not decrease the effectiveness of the cyber security plan provided in NEI 08-09, Cyber Security Plan for Nuclear Power Reactors, Revision 6, dated April 2010 (ADAMS Access No. ML101180427).
The July SR/ITS white paper reflects updates to a previous SR/ITS white paper that was submitted in a letter dated May 14, 2020 (ADAMS Access No. ML20139A190), to address comments received at a public meeting conducted on June 10, 2020. The meeting provided the public and stakeholders an opportunity to provide feedback on the previous SR/ITS white paper.
A summary of the public meeting and comments provided at the meeting are documented in Summary of Category 2 Public Meeting on June 10, 2020 With Industry Stakeholders and the Nuclear Energy Institute White Paper, Changes To NEI 10-04 and NEI 13-10 Guidance for Identifying and Protecting Digital Assets Associated with Safety-Related and Important-to-Safety Functions, Dated May 2020, (ADAMS Accession Number ML20169A428).
The July SR/ITS white paper describes proposed changes to previously approved NEI guidance for identifying and protecting safety-related and important-to-safety critical digital assets (CDAs).
The changes are intended to improve the efficiency of licensees' cyber security programs while maintaining program effectiveness to protect against cyber attacks, up to and including the design basis threat. The July SR/ITS white paper did not include guidance for identifying BOP digital assets that can impact reactivity as important-to-safety CDAs because guidance on identifying and protecting BOP CDAs is provided in the NEI White Paper, Changes to NEI 10-04 and NEI 13-10 Guidance for Identifying and Protecting Digital Assets Associated with the Balance of Plant, dated July 2020 (ADAMS Accession Number ML20205L604) (the July BOP
W. Gross white paper ). My response letter to you, dated August 14, 2020 (ADAMS Accession Number ML20209A442), addressed the method for identifying and protecting BOP CDAs described in the July BOP white paper. This letter does not change the staffs response to the July BOP white paper noted above.
The NRC staff reviewed the July SR/ITS white paper based on NRC regulations and NRC generic communications, including guidance and generic letters associated with safety. Based on the review, the staff concluded that the method for identifying and protecting safety-related and important-to-safety CDAs described in that white paper are consistent with NEI 08-09 Revision 6.
If licensees elect to implement the changes proposed in the July SR/ITS white paper, licensees are responsible to ensure that the implementation of changes to their cyber security programs do not decrease the effectiveness of their cyber security plans in accordance with the review process set forth in Title 10, of the Code of Federal Regulations Conditions of Licenses.
Licensees are also responsible for ensuring assessments performed analyzing safety related/important to safety digital assets to implement the revised guidance are available for inspection by NRC staff. For additional information, licensees may refer to NEI 11-08, Guidance on Submitting Security Plan Changes, Rev 0, dated August 2012, reviewed and approved for use by the NRC ADAMS Accession Number ML12216A194.
This letter is not an endorsement of the July SR/ITS white paper. The NRC expects the changes proposed in the white paper to be incorporated in future revisions of NEI 10-04 and NEI 13-10.
Should you or your staff have any questions, please contact Mr. Eric Lee at (301) 287-3687.
Sincerely,
/RA/
Russell N. Felts, Director (Acting)
Division of Physical and Cyber Security Policy Office of Nuclear Security and Incident
Response
cc: J. Yerokun, Director RI DRS M. Franke, Director RII DRS D. Curtis, Director (Acting) RIII DRS R. Lantz, Director RIV DRS K. Brock, Director HQ DPR
W. Gross
SUBJECT:
RESPONSE TO NEI WHITE PAPER, "CHANGES TO NEI 10-04 AND NEI 13-10 GUIDANCE FOR IDENTIFYING AND PROTECTING DIGITAL ASSETS ASSOCIATED WITH SAFETY-RELATED AND IMPORTANT-TO-SAFETY FUNCTIONS," DATED AUGUST 28, 2020 DISTRIBUTION:
PUBLIC ADAMS Accession Number: ML20223A256 *via email OFFICE NSIR/DPCP/CSB NSIR/DPCP/CSB NSIR/DPCP/D NAME ELee* JBeardsley* RFelts*(Acting)
DATE 7/28/2020 8/24/2020 08/28/2020 OFFICIAL RECORD COPY