ML21069A159

From kanterella
Enclosure - NRC Staff Comments
Issue date: 03/22/2021
From: NRC/NSIR/DPCP
To: Yip B
Shared Package: ML21069A155


Text

NRC Review of Draft NEI White Paper, Changes to NEI 10-04 and NEI 13-10 Guidance for Identifying and Protecting Digital Assets Associated with Security, Dated December 2020

Column headings: Page, White Paper Text, Revised Text, Comment

Comment 1 (page 1)
White Paper Text: NEI 10-04 section 2.2, "Security Systems," documents the interface and integration of cyber security and physical security programs required to satisfy the physical protection performance objectives of 10 CFR 73.55(b). These objectives are provided in 10 CFR 73.55(b)(3), which requires
Revised Text: NEI 10-04 section 2.2, "Security Systems," documents the interface and integration of cyber security and physical security programs required to satisfy the physical protection performance objectives of 10 CFR 73.55(b). These objectives are provided in 10 CFR 73.55(b)(3), which requires:
Comment: Revised to clarify that the physical protection program performance objectives are broader than 10 CFR 73.55(b)(3).

Comment 2 (page 2)
White Paper Text: 10 CFR 73.54(a)(1)(ii) and (iv) require that licensees protect against cyber attacks for those digital and communication systems and networks associated with security functions and support systems and equipment which, if compromised, would adversely impact security functions.
Revised Text: 10 CFR 73.54(a)(1)(ii) and (iv) require that licensees protect against cyber attacks for those digital and communication systems and networks associated with security functions and support systems and equipment which, if compromised, would adversely impact security SSEP functions.
Comment: Revised to broaden the scope from security functions to safety, security, and emergency preparedness (SSEP functions), consistent with 10 CFR 73.54(a)(1)(iv).

Comment 3 (page 3)
White Paper Text: licensees are required to perform an analysis
Revised Text: (none)
Comment: The available guidance for how to perform an analysis of security critical digital assets (CDAs) should provide a level of detail consistent with other types of CDAs.

Comment 4 (page 5)
White Paper Text: These devices should be analyzed but need not be classified as CDAs if the licensee analysis demonstrates that a cyber attack on the device cannot adversely impact a security function.
Revised Text: These devices should be analyzed but need not be classified as CDAs if the licensee analysis demonstrates that a cyber attack on the device cannot adversely impact an SSEP security function.
Comment: "Security function" replaced with "SSEP function" consistent with the requirements for support systems.

Comment 5 (page 6)
White Paper Text: 10 CFR 73.55(b)(7) requires licensees maintain an Access Authorization program in accordance with 10 CFR 73.56... This would be an adverse impact to access control functions.
Revised Text: Consistent with 10 CFR 73.54(a), 10 CFR 73.54(b), and their CSP, licensees are required to perform an analysis and determine those digital assets that, if compromised, would cause an adverse impact to SSEP functions and thus require protection. 10 CFR 73.55(b)(7) requires licensees maintain an Access Authorization program in accordance with 10 CFR 73.56... This would be an adverse impact to access control security functions.
Comment: Revised to be consistent with the text in Security Frequently Asked Question (SFAQ) 17-04, Access Authorization Systems, dated January 22, 2018 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML18030A534, nonpublic).

Comment 6 (page 6)
White Paper Text: When analyzing digital computer systems, the systems and equipment associated with the following security functions must be protected against adverse impact:
Revised Text: (none)
Comment: This section should make clear that the list of security functions is not exhaustive. Consistent with the NRC's position when it reviewed NEI 10-04, Revision 2, Identifying Systems and Assets Subject to the Cyber Security Rule in 2012 (ADAMS Accession No. ML12198A198), digital systems and equipment used to facilitate implementation of security programs specified in 10 CFR 73.55(b) are within the scope of 10 CFR 73.54. The list of security functions in NEI 10-04 should also include the access authorization (AA) program, as specified in 10 CFR 73.55(b)(7).

Comment 7 (page 6)
White Paper Text: Licensees are required to identify and evaluate those digital assets associated with Security support functions whose failure as the result of a cyber attack could result in an adverse impact to a Security function.
Revised Text: Licensees are required to identify and evaluate those digital assets associated with Security support functions systems whose failure or compromise as the result of a cyber attack could result in an adverse impact to an Security SSEP function.
Comment: "Failure or compromise" is consistent with the definition of CDA in NEI 08-09, Revision 6, Cyber Security Plan for Nuclear Power Reactors, dated April 2010 (ADAMS Accession No. ML101180437). SSEP function is consistent with the requirements for support systems in 10 CFR 73.54.

Comment 8 (page 7)
White Paper Text: 3) Analysis, including operating experience, training, and procedures that demonstrate compensatory measures can be taken to preclude an adverse impact to SSEP functions, are sufficient to preclude classifying systems as CDAs. For example, CAS and SAS HVAC should be analyzed to determine the impact to the security functions. If licensees have compensatory measures that can be taken to preclude an adverse impact to the security function, then CAS and SAS HVAC need not be classified as a CDA.
Revised Text: (none)
Comment: Licensees are required by 10 CFR 73.54(a)(1)(iv) to protect digital computer and communication systems and networks associated with support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions. Licensees must identify all assets associated with SSEP and support functions to ensure that licensees can appropriately monitor those assets and reevaluate their associated risk with the evolving threat environment. A licensee may consider the ability to implement compensatory measures when determining what security controls to apply to the assets.

Comment 9
White Paper Text: The current NEI 13-10 Rev. 6 guidance is adequate for performing a consequence analysis for security support systems, digital tools, and personnel aids to determine if they meet the criteria for being classified as an indirect CDA.
Revised Text: The current NEI 13-10 Rev. 6 guidance is adequate for performing a consequence analysis for security support systems, digital tools, and personnel aids to determine the level of protection required for these assets. if they meet the criteria for being classified as an indirect CDA.
Comment: NEI 13-10, Revision 5, Cyber Security Control Assessments, dated February 2017 (ADAMS Accession No. ML17046A658), provides licensees guidance on performing a consequence assessment to determine the level of protection a CDA requires.

Comment 10 (page 7)
White Paper Text: [A digital device should be identified as a Critical Digital Asset (CDA) if it performs:] a) SSEP functions and, through analysis, determines a compromise would adversely impact a SSEP function;... c) Support functions (e.g., primary or back-up power, HVAC, fire protection, etc.) and, through analysis, determines a compromise would adversely impact a SSEP function.
Revised Text: [A digital device should be identified as a Critical Digital Asset (CDA) if it performs:] a) SSEP functions and, through analysis, determines a or whose compromise would adversely impact a SSEP function;... c) Support functions (e.g., primary or back-up power, HVAC, fire protection, etc.) and, through analysis, determines demonstrates a compromise would adversely impact a SSEP function.
Comment: The change in a) is not consistent with 10 CFR 73.54 or existing guidance, which states that licensees shall protect all digital computers/networks associated with SSEP functions. The proposed change to NEI 10-04 would have licensees perform an additional analysis that determines a compromise of an asset performing an SSEP function would adversely impact the function. This additional step is inconsistent with 10 CFR 73.54 and the definition of CDAs in other guidance.

Comment 11 (page 8)
White Paper Text: Digital information systems and applications that store or transmit personally-identifiable information (PII) which is defined in NEI 03-01 as all information, unique to an individual, that is collected or developed during the implementation of the [unescorted access authorization or fitness for duty] program requirements, should be identified as digital AA assets. Licensee analysis of digital AA assets, used to facilitate the implementation of the AA program, will determine if the security controls are needed to comply with 10 CFR 73.55(b)(7), 10 CFR 73.56(m) and 10 CFR 73.56(o) requirements.
Revised Text: Digital information systems and applications that store or transmit personally-identifiable information (PII) which is defined in NEI 03-01 as all information, unique to an individual, that is collected or developed during the implementation of the UAA or FFD program requirements, should must be identified as digital AA assets. Licensee analysis of digital AA assets, used to facilitate the implementation of the AA program, will determine if security controls are needed to comply with 10 CFR 73.54, 10 CFR 73.55(b)(7), 10 CFR 73.56(m) and 10 CFR 73.56(o) requirements.
Comment: As AA is a security function, licensees must protect digital assets associated with AA to meet the requirements of 10 CFR 73.54.

Comment 12 (page 8)
White Paper Text: 10 CFR 73.56 Compliance Alternatives. Licensees can comply with 10 CFR 73.56(m) and 10 CFR 73.56(o) requirements
Revised Text: 10 CFR 73.54 73.56 Compliance Alternatives. Licensees can comply with 10 CFR 73.54(c)(1), 10 CFR 73.56(m), and 10 CFR 73.56(o) requirements...
Comment: Consistent with SFAQ 17-04, this section should make clear that licensees are protecting AA assets against cyber attacks in accordance with 10 CFR 73.54.

Comment 13 (page 8)
White Paper Text: Using only printed AA records. Use of this option requires AA records with PII and either a National Identification Number or government-issued identification must be physically secured and access to those records must be limited to authorized personnel only.
Revised Text: Using only validated printed AA records. Use of this option requires AA records with personal information PII and either a National Identification Number or government-issued identification must be physically secured and access to those records must be limited to authorized personnel only.
Comment: PII changed to personal information consistent with the terms used in 10 CFR 73.56 and associated guidance. All personal information (as defined in 10 CFR 73.56 and associated guidance) must be appropriately protected, not only personal information that is additionally associated with an identification number.

Comment 14 (pages 7-12)
White Paper Text: Section 4.2, Proposed NEI 13-10 Changes
Revised Text: (none)
Comment: The text under Section 4.2 does not consider other instances where a manual verification process is used to ensure the integrity of the information that is reviewed to grant unescorted access authorization (UAA). Additionally, in areas where manual verification is discussed, the document should describe what types of manual verification are acceptable.

Comment 15 (page 10)
White Paper Text: Licensees that conduct an AA data analysis and classify their AA digital assets as critical digital assets (CDAs) have the option of positioning those AA digital assets on the higher level(s) of protection of their defensive model (e.g., security level 3 or 4 of their defensive architecture), as described in NEI 08-09 Rev. 6, section 4.3, Defense-in-Depth Protective Strategies. AA assets classified as CDAs must be protected in a manner compliant with a licensee's Cyber Security Plan. When classified as CDAs, 10 CFR 73.54(c) requires licensees to:
  • Implement security controls to protect the assets identified as within the scope of the Rule;
  • Apply and maintain defense-in-depth protective strategies;
  • Mitigate the adverse impact of cyber-attacks; and
  • Ensure the functions of protected assets are not adversely impacted
Revised Text: Licensees that conduct an AA data a 10 CFR 73.54 analysis and classify their determine that AA digital assets as are critical digital assets (CDAs) have the option of positioning those AA digital assets on the higher level(s) of protection of their defensive model (e.g., security level 3 or 4 of their defensive architecture), as described in NEI 08-09 Rev. 6, section 4.3, Defense-in-Depth Protective Strategies. AA assets classified as CDAs must be protected in a manner compliant with a licensee's Cyber Security Plan. When classified as CDAs, 10 CFR 73.54(c) requires licensees to:
  • Implement security controls to protect the assets identified as within the scope of the Rule;
  • Apply and maintain defense-in-depth protective strategies;
  • Mitigate the adverse impact of cyber-attacks; and
  • Ensure the functions of protected assets are not adversely impacted
Comment: Revised to be consistent with the text in SFAQ 17-04. The deleted text applies broadly to the cyber program, but as written implied it applied to specific CDAs.

Comment 16 (page 11)
White Paper Text: To ensure AA assets and digital records are protected to the level of a CDA and meet the 10 CFR 73.54(c) requirements listed above, the following cyber security controls must be addressed as described in NEI 08-09 section 3.1.6:
Revised Text: To ensure AA assets and digital records are protected to the level of a CDA and meet the 10 CFR 73.54(c) requirements listed above, the following cyber security controls must be addressed as described in NEI 08-09 section 3.1.6 To meet 10 CFR 73.54, licensees must, at minimum, address the following cyber security controls, as described in NEI 08-09, for AA digital assets that have been identified as critical digital assets:
Comment: Revised to use language consistent with SFAQ 17-04.