ML21033A876
ML21033A876 | |
Person / Time | |
---|---|
Issue date: | 02/05/2021 |
From: | Brian Yip NRC/NSIR/DPCP/CSB |
To: | Michele Sampson NRC/NSIR/DPCP/CSB |
Yip B | |
Shared Package | |
ML21033A874 | List: |
References | |
Download: ML21033A876 (3) | |
Text
February 5, 2021 MEMORANDUM TO: Michele M. Sampson, Acting Chief Cyber Security Branch Division of Physical and Cyber Security Policy Office of Nuclear Security and Incident Response Signed by Yip, Brian FROM: Brian M. Yip, IT Specialist (Cyber) on 02/05/21 Cyber Security Branch Division of Physical and Cyber Security Policy Office of Nuclear Security and Incident Response
SUBJECT:
SUMMARY
OF JANUARY 28, 2021, PUBLIC MEETING TO DISCUSS THE NUCLEAR ENERGY INSTITUTES DECEMBER 2020 WHITE PAPER ON SECURITY CRITICAL DIGITAL ASSETS On January 28, 2021, the U.S. Nuclear Regulatory Commission (NRC) held a Category 2 public meeting to discuss the Nuclear Energy Institutes (NEIs) white paper, Changes to NEI 10-04 and NEI 13-10 Guidance for Identifying and Protecting Digital Assets Associated with Security, dated December 2020 (Agencywide Documents Access and Management System [ADAMS]
Accession No. ML20353A133). The meeting notice, dated January 14, 2021, is available at ADAMS Accession No. ML21015A039.
The NEI has requested NRC review of the white paper, noting that it contains proposed changes to NEI 10-04, Revision 2, Identifying Systems and Assets Subject to the Cyber Security Rule (ADAMS Accession No. ML12180A081) and NEI 13-01, Revision 6, Cyber Security Control Assessments (ADAMS Accession No. ML17234A615) intended to improve the efficiency of licensee cyber security programs while maintaining program effectiveness in protecting against cyber attacks. The purpose of the meeting was to obtain feedback on the proposed guidance change from the public and other stakeholders as part of the NRCs review.
Following introductory remarks, NEI representatives provided an overview of the contents of the white paper. The NEI noted that in 2012, the NRC found NEI 10-04 acceptable for use with the exception of sections 2.2 and 2.4, for reasons stated in the NRCs response letter (ADAMS Accession No. ML12194A532). The NEI indicated that while it plans to address the NRCs concern with section 2.4 in a future revision to NEI 10-04, changes proposed in the white paper should resolve the NRCs concerns with section 2.2.
CONTACT: Brian Yip, NSIR/DPCP 301-415-3154
M. Sampson 2 Following NEIs remarks, NRC staff noted that the white paper establishes a definition of security function but does not include access authorization as one of those elements. Industry representatives agreed that the access authorization program required by Title 10 of the Code of Federal Regulations (10 CFR) Section 73.55(b)(7) is one of the security functions that must be protected under 10 CFR 73.54. The NEI further indicated that with regard to areas of the white paper that address access authorization, its intent is that guidance in the white paper be consistent with the guidance established within the Security Frequently Asked Questions.
The NRC staff inquired whether NEI intended through one proposed change to allow licensees to not classify a system as a critical digital asset (CDA) if the licensee could implement compensatory measures to preclude an adverse impact to safety, security, or emergency preparedness (SSEP) functions. An industry representative confirmed that the intention of this change is to expand on what was done with emergency preparedness digital assets and allow licensees to not classify a digital asset associated with SSEP functions as a CDA if the licensee could implement compensatory measures to preclude an adverse impact to the function. The NRC staff noted that the changes proposed in the white paper would also have the effect of redefining adverse impact, and that changes to the guidance should maintain consistency with the definition in other guidance. Another participant also noted that, when identifying CDAs, it is not sufficient to consider only whether an asset impacts an SSEP function; licensees must also ensure the asset does not create a potential attack pathway to another CDA or function.
One participant from the public inquired if licensees are currently required to protect access authorization records, and whether the proposed changes would increase, or decrease those protections. The staff noted that access authorization assets are currently protected under the current regulatory requirements, and NEI reiterated that its intention is to provide guidance on access authorization in NEI 13-10 consistent with the existing Security Frequently Asked Question guidance.
One participant believed that the proposed changes reduce the clarity of the existing guidance in some areas. Additionally, the commenter noted that in some of the proposed changes to NEI 10-04 and NEI 13-10 provide guidance outside the stated purpose and scope of those documents. The commenter noted that the revisions proposed in the white paper need additional changes in some areas to ensure clarity. Lastly, the participant believed that the industry would be best served if the guidance was written in a way that clearly addressed the majority of circumstances and digital assets, with separate instruction on how to address unique circumstances where the guidance may not apply, rather than attempting to provide a single set of guidance written broadly enough to address all cases.
The staff concluded the meeting by noting that it plans to continue its review of the white paper, taking into consideration comments received during the public meeting, and will provide a written response to NEI upon completion of its review.
Enclosures:
- 1. List of participants
ML21033A874; ML21033A876 OFFICE NSIR/DPCP/CSB NSIR/DPCP/RSB NSIR/DPCP/CSB NAME BYip BY MSampson MS BYip BY DATE Feb 3, 2021 Feb 4, 2021 Feb 5, 2021