ML21069A159

Enclosure - NRC Staff Comments
Issue date: 03/22/2021
From: NRC/NSIR/DPCP
To: Yip B
Shared Package: ML21069A155

Enclosure

NRC Review of Draft NEI White Paper, "Changes to NEI 10-04 and NEI 13-10 Guidance for Identifying and Protecting Digital Assets Associated with Security," Dated December 2020

Table columns: Page, White Paper Text, Revised Text, Comment. Each numbered comment is presented below with those fields.

Comment 1 (page 1)

White Paper Text:
NEI 10-04 section 2.2, "Security Systems," documents the interface and integration of cyber security and physical security programs required to satisfy the physical protection performance objectives of 10 CFR 73.55(b). These objectives are provided in 10 CFR 73.55(b)(3), which requires

Revised Text:
NEI 10-04 section 2.2, "Security Systems," documents the interface and integration of cyber security and physical security programs required to satisfy the physical protection performance objectives of 10 CFR 73.55(b). These objectives are provided in 10 CFR 73.55(b)(3), which requires:

Comment:
Revised to clarify that the physical protection program performance objectives are broader than 10 CFR 73.55(b)(3).

Comment 2 (page 2)

White Paper Text:
10 CFR 73.54(a)(1)(ii) and (iv) require that licensees protect against cyber attacks for those digital and communication systems and networks associated with security functions and support systems and equipment which, if compromised, would adversely impact security functions.

Revised Text:
10 CFR 73.54(a)(1)(ii) and (iv) require that licensees protect against cyber attacks for those digital and communication systems and networks associated with security functions and support systems and equipment which, if compromised, would adversely impact security SSEP functions.

Comment:
Revised to broaden the scope from security functions to safety, security, and emergency preparedness (SSEP) functions, consistent with 10 CFR 73.54(a)(1)(iv).

Comment 3 (page 3)

White Paper Text:
licensees are required to perform an analysis

Comment:
The available guidance for how to perform an analysis of security critical digital assets (CDAs) should provide a level of detail consistent with other types of CDAs.

Comment 4 (page 5)

White Paper Text:
These devices should be analyzed but need not be classified as CDAs if the licensee analysis demonstrates that a cyber attack on the device cannot adversely impact a security function.

Revised Text:
These devices should be analyzed but need not be classified as CDAs if the licensee analysis demonstrates that a cyber attack on the device cannot adversely impact an SSEP security function.

Comment:
"Security function" replaced with "SSEP function" consistent with requirements for support systems.

Comment 5 (page 6)

White Paper Text:
10 CFR 73.55(b)(7) requires licensees maintain an Access Authorization program in accordance with 10 CFR 73.56... This would be an adverse impact to access control functions.

Consistent with 10 CFR 73.54(a), 10 CFR 73.54(b), and their CSP, licensees are required to perform an analysis and determine those digital assets that, if compromised, would cause an adverse impact to SSEP functions and thus require protection.

Revised Text:
10 CFR 73.55(b)(7) requires licensees maintain an Access Authorization program in accordance with 10 CFR 73.56... This would be an adverse impact to access control security functions.

Comment:
Revised to be consistent with the text in Security Frequently Asked Question (SFAQ) 17-04, Access Authorization Systems, dated January 22, 2018 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML18030A534, nonpublic).

Comment 6 (page 6)

White Paper Text:
When analyzing digital computer systems, the systems and equipment associated with the following security functions must be protected against adverse impact:

Comment:
This section should make clear that the list of security functions is not exhaustive. Consistent with the NRC's position when it reviewed NEI 10-04, Revision 2, Identifying Systems and Assets Subject to the Cyber Security Rule, in 2012 (ADAMS Accession No. ML12198A198), digital systems and equipment used to facilitate implementation of security programs specified in 10 CFR 73.55(b) are within the scope of 10 CFR 73.54.

The list of security functions in NEI 10-04 should also include the access authorization (AA) program, as specified in 10 CFR 73.55(b)(7).

Comment 7 (page 6)

White Paper Text:
Licensees are required to identify and evaluate those digital assets associated with Security support functions whose failure as the result of a cyber attack could result in an adverse impact to a Security function.

Revised Text:
Licensees are required to identify and evaluate those digital assets associated with Security support functions systems whose failure or compromise as the result of a cyber attack could result in an adverse impact to an Security SSEP function.

Comment:
"Failure or compromise" is consistent with the definition of CDA in NEI 08-09, Revision 6, Cyber Security Plan for Nuclear Power Reactors, dated April 2010 (ADAMS Accession No. ML101180437).

SSEP function is consistent with the requirements for support systems in 10 CFR 73.54.

Comment 8 (page 7)

White Paper Text:
3) Analysis, including operating experience, training, and procedures that demonstrate compensatory measures can be taken to preclude an adverse impact to SSEP functions, are sufficient to preclude classifying systems as CDAs. For example, CAS and SAS HVAC should be analyzed to determine the impact to the security functions. If licensees have compensatory measures that can be taken to preclude an adverse impact to the security function, then CAS and SAS HVAC need not be classified as a CDA.

Comment:
Licensees are required by 10 CFR 73.54(a)(1)(iv) to protect digital computer and communication systems and networks associated with support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.

Licensees must identify all assets associated with SSEP and support functions to ensure that licensees can appropriately monitor those assets and reevaluate their associated risk with the evolving threat environment.

A licensee may consider the ability to implement compensatory measures when determining what security controls to apply to the assets.

Comment 9

White Paper Text:
The current NEI 13-10 Rev. 6 guidance is adequate for performing a consequence analysis for security support systems, digital tools, and personnel aids to determine if they meet the criteria for being classified as an indirect CDA.

Revised Text:
The current NEI 13-10 Rev. 6 guidance is adequate for performing a consequence analysis for security support systems, digital tools, and personnel aids to determine the level of protection required for these assets. if they meet the criteria for being classified as an indirect CDA.

Comment:
NEI 13-10, Revision 5, Cyber Security Control Assessments, dated February 2017 (ADAMS Accession No. ML17046A658), provides licensees guidance on performing a consequence assessment to determine the level of protection a CDA requires.

Comment 10 (page 7)

White Paper Text:
[A digital device should be identified as a Critical Digital Asset (CDA) if it performs:]

a) SSEP functions and, through analysis, determines a compromise would adversely impact a SSEP function;...

c) Support functions (e.g., primary or back-up power, HVAC, fire protection, etc.) and, through analysis, determines a compromise would adversely impact a SSEP function.

Revised Text:
[A digital device should be identified as a Critical Digital Asset (CDA) if it performs:]

a) SSEP functions and, through analysis, determines a or whose compromise would adversely impact a SSEP function;...

c) Support functions (e.g., primary or back-up power, HVAC, fire protection, etc.) and, through analysis, determines demonstrates a compromise would adversely impact a SSEP function.

Comment:
The change in a) is not consistent with 10 CFR 73.54 or existing guidance, which states that licensees shall protect all digital computers/networks associated with SSEP functions. The proposed change to NEI 10-04 would have licensees perform an additional analysis that determines a compromise of an asset performing an SSEP function would adversely impact the function. This additional step is inconsistent with 10 CFR 73.54 and the definition of CDAs in other guidance.

Comment 11 (page 8)

White Paper Text:
Digital information systems and applications that store or transmit personally-identifiable information (PII) which is defined in NEI 03-01 as all information, unique to an individual, that is collected or developed during the implementation of the [unescorted access authorization or fitness for duty] program requirements, should be identified as digital AA assets.

Licensee analysis of digital AA assets, used to facilitate the implementation of the AA program, will determine if security controls are needed to comply with 10 CFR 73.55(b)(7), 10 CFR 73.56(m) and 10 CFR 73.56(o) requirements.

Revised Text:
Digital information systems and applications that store or transmit personally-identifiable information (PII) which is defined in NEI 03-01 as all information, unique to an individual, that is collected or developed during the implementation of the UAA or FFD program requirements, should must be identified as digital AA assets.

Licensee analysis of digital AA assets, used to facilitate the implementation of the AA program, will determine if the security controls are needed to comply with 10 CFR 73.54, 10 CFR 73.55(b)(7), 10 CFR 73.56(m) and 10 CFR 73.56(o) requirements.

Comment:
As AA is a security function, licensees must protect digital assets associated with AA to meet the requirements of 10 CFR 73.54.

Comment 12 (page 8)

White Paper Text:
10 CFR 73.56 Compliance Alternatives
Licensees can comply with 10 CFR 73.56(m) and 10 CFR 73.56(o) requirements

Revised Text:
10 CFR 73.54 73.56 Compliance Alternatives
Licensees can comply with 10 CFR 73.54(c)(1), 10 CFR 73.56(m), and 10 CFR 73.56(o) requirements...

Comment:
Consistent with SFAQ 17-04, this section should make clear that licensees are protecting AA assets against cyber attacks in accordance with 10 CFR 73.54.

Comment 13 (page 8)

White Paper Text:
Using only printed AA records. Use of this option requires AA records with PII and either a National Identification Number or government-issued identification must be physically secured and access to those records must be limited to authorized personnel only.

Revised Text:
Using only validated printed AA records. Use of this option requires AA records with personal information PII and either a National Identification Number or government-issued identification must be physically secured and access to those records must be limited to authorized personnel only.

Comment:
PII changed to personal information consistent with the terms used in 10 CFR 73.56 and associated guidance.

All personal information (as defined in 10 CFR 73.56 and associated guidance) must be appropriately protected, not only personal information that is additionally associated with an identification number.

Comment 14 (pages 7-12)

White Paper Text:
Section 4.2, Proposed NEI 13-10 Changes

Comment:
The text under Section 4.2 does not consider other instances where a manual verification process is used to ensure the integrity of the information that is reviewed to grant unescorted access authorization (UAA).

Additionally, in areas where manual verification is discussed, the document should describe what types of manual verification are acceptable.

Comment 15 (page 10)

White Paper Text:
Licensees that conduct an AA data analysis and classify their AA digital assets as critical digital assets (CDAs) have the option of positioning those AA digital assets on the higher level(s) of protection of their defensive model (e.g., security level 3 or 4 of their defensive architecture), as described in NEI 08-09 Rev. 6, section 4.3, Defense-in-Depth Protective Strategies. AA assets classified as CDAs must be protected in a manner compliant with a licensee's Cyber Security Plan. When classified as CDAs, 10 CFR 73.54(c) requires licensees to:

  • Implement security controls to protect the assets identified as within the scope of the Rule;
  • Apply and maintain defense-in-depth protective strategies;
  • Mitigate the adverse impact of cyber-attacks; and
  • Ensure the functions of protected assets are not adversely impacted due to cyber attacks.

Revised Text:
Licensees that conduct an AA data a 10 CFR 73.54 analysis and classify their determine that AA digital assets as are critical digital assets (CDAs) have the option of positioning those AA digital assets on the higher level(s) of protection of their defensive model (e.g., security level 3 or 4 of their defensive architecture), as described in NEI 08-09 Rev. 6, section 4.3, Defense-in-Depth Protective Strategies. AA assets classified as CDAs must be protected in a manner compliant with a licensee's Cyber Security Plan. When classified as CDAs, 10 CFR 73.54(c) requires licensees to:

  • Implement security controls to protect the assets identified as within the scope of the Rule;
  • Apply and maintain defense-in-depth protective strategies;
  • Mitigate the adverse impact of cyber-attacks; and
  • Ensure the functions of protected assets are not adversely impacted due to cyber attacks.

Comment:
Revised to be consistent with the text in SFAQ 17-04. The deleted text applies broadly to the cyber program, but as written implied it applied to specific CDAs.

Comment 16 (page 11)

White Paper Text:
To ensure AA assets and digital records are protected to the level of a CDA and meet the 10 CFR 73.54(c) requirements listed above, the following cyber security controls must be addressed as described in NEI 08-09 section 3.1.6:

Revised Text:
To ensure AA assets and digital records are protected to the level of a CDA and meet the 10 CFR 73.54(c) requirements listed above, the following cyber security controls must be addressed as described in NEI 08-09 section 3.1.6 To meet 10 CFR 73.54, licensees must, at minimum, address the following cyber security controls, as described in NEI 08-09, for AA digital assets that have been identified as critical digital assets:

Comment:
Revised to use language consistent with SFAQ 17-04.