ML21013A024

OIG-19-A-13-Status of Recommendations: Audit of NRC's Cyber Security Inspections at Nuclear Power Plants Dated January 13th, 2021
ML21013A024
Person / Time
Issue date: 01/13/2021
From: Baker B
NRC/OIG/AIGA
To: Margaret Doane
NRC/EDO
References
OIG-19-A-13


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

OFFICE OF THE INSPECTOR GENERAL

January 13, 2021

MEMORANDUM TO: Margaret M. Doane, Executive Director for Operations

FROM: Dr. Brett M. Baker /RA/, Assistant Inspector General for Audits

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF NRC'S CYBER SECURITY INSPECTIONS AT NUCLEAR POWER PLANTS (OIG-19-A-13)

REFERENCE: DIRECTOR, OFFICE OF NUCLEAR SECURITY AND INCIDENT RESPONSE, MEMORANDUM DATED DECEMBER 22, 2020

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated December 22, 2020.

Based on this response, recommendation 2 remains open and resolved.

Recommendation 1 was previously closed. Please provide an updated status of recommendation 2 by September 3, 2021.

If you have questions or concerns, please call me at (301) 415-5915, or Paul Rades, Team Leader, at (301) 415-6228.

Attachment: As stated

cc: C. Haney, OEDO
S. Miotla, OEDO
J. Jolicoeur, OEDO
S. Mroz, OEDO
RidsEdoMailCenter Resource
OIG Liaison Resource
EDO_ACS Distribution Resource

Audit Report

AUDIT OF NRC'S CYBER SECURITY INSPECTIONS AT NUCLEAR POWER PLANTS

OIG-19-A-13

Status of Recommendations

Recommendation 2: Use the results of operating experience and discussions with industry to develop and implement suitable cyber security performance measure(s) (e.g. testing, analysis of logs, etc.) by which licensees can demonstrate sustained program effectiveness.

Agency Response Dated December 22, 2020: The staff agrees with the recommendation and is addressing it as part of the staff's power reactor cyber security action plan.

In July 2019, the staff completed an assessment of the Power Reactor Cyber Security Program. In its assessment, the staff considered feedback and lessons learned from industry and other stakeholders regarding the cyber security rule, associated guidance, licensees' implementation of their cyber programs, and ongoing NRC inspections of cyber security program full implementation (Milestone 8). In October 2019, staff finalized the power reactor cyber security action plan to move forward with appropriate program enhancements based on the assessment. This action plan includes guidance updates, development of cyber security performance measures, and a new inspection procedure (IP) for cyber inspections beyond Milestone 8 implementation.

The NRC staff is developing the new IP in parallel with completing the Milestone 8 inspections, ten of which have been delayed as a result of the COVID-19 public health emergency. Staff anticipates completing all Milestone 8 inspections by June 2021. The new IP will support a more performance-based inspection program and incorporate options for performance metrics and performance testing by licensees. Staff anticipates finalizing the new IP in July 2021, following completion of the Milestone 8 inspections.

Target date for completion: Issuance of the new cyber IP - July 30, 2021.

Point of Contact: Kim Holloway, NSIR/DPCP, (301) 415-0286

OIG Analysis: The actions proposed by the agency meet the intent of the recommendation. OIG will close this recommendation after verifying that NRC, through efforts to update the cyber security oversight program following the assessment, has developed and implemented suitable cyber security performance measure(s).

Status: Open: Resolved.
