Text

Mr. William R. Gross Director, Incident Preparedness Nuclear Energy Institute 1201 F Street NW, Suite 1100 Washington, DC 20004

SUBJECT:

REVIEW OF THE NUCLEAR ENERGY INSTITUTE WHITE PAPER, CHANGES TO NEI 10-04 AND NEI 13-10 GUIDANCE FOR IDENTIFYING AND PROTECTING DIGITAL ASSETS ASSOCIATED WITH SECURITY, DATED JUNE 2021

Dear Mr. Gross:

In your letter dated June 4, 2021, you requested the U.S. Nuclear Regulatory Commission (NRC) staff review and endorse the Nuclear Energy Institutes (NEIs) white paper, Changes to NEI 10-04 and NEI 13-10 Guidance for Identifying and Protecting Digital Assets Associated with Security, dated June 2021 (Agencywide Documents Access and Management System [ADAMS] Accession No. ML21155A216). The purpose of this review is to ensure the guidance changes proposed in the white paper do not decrease the effectiveness of the cyber security plan provided in NEI 08-09, Cyber Security Plan for Nuclear Power Reactors, Revision 6 (ADAMS Accession No. ML101180427).

The white paper describes proposed changes to guidance in NEI 10-04, Identifying Systems and Assets Subject to the Cyber Security Rule, Revision 2 (ADAMS Accession No. ML12180A081) and NEI 13-10, Cyber Security Control Assessments, Revision 6 (ADAMS Accession No. ML17234A615). Your letter indicates these changes are necessary to improve the efficiency of licensees cyber security programs while maintaining program effectiveness in protecting against cyber attacks, up to and including the design basis threat.

This revision of the white paper reflects changes to a previous white paper that NEI submitted for review on December 18, 2020 (ADAMS Accession No. ML20353A133). The changes address comments received at a public meeting held on January 28, 2021, where the NRC staff, members of the public, and other stakeholders provided feedback on the white paper. A summary of the meeting and the comments received is available at ADAMS Accession No. ML21033A876.

The staff has reviewed the current white paper based on NRC regulations and guidance associated with physical and cyber security. Based on this review, the staff concluded that the methods in the white paper for identifying and protecting critical digital assets associated with security functions are consistent with NEI 08-09, Revision 6.

If licensees elect to implement the changes proposed in the white paper, licensees are responsible to ensure that the implementation of changes to their cyber security programs do June 30, 2021

W. Gross not decrease the effectiveness of their cyber security plans, in accordance with the requirements in Title 10 of the Code of Federal Regulations Section 50.54, Conditions of Licenses. Licensees are also responsible for ensuring that assessments performed on security digital assets to implement the revised guidance are available for inspection by the NRC. For additional information, licensees may refer to NEI 11-08, Guidance on Submitting Security Plan Changes, Revision 0 (ADAMS Accession No. ML12216A194).

This letter is not an endorsement of NEIs white paper. Additionally, as noted in your letter dated December 18, 2021, the white paper does not address the two exceptions identified in the NRCs 2012 letter accepting for use NEI 10-04, Revision 2 (ADAMS Accession No. ML12194A532). The NRC expects these exceptions and the changes proposed in the white paper to be addressed and incorporated into future revisions of NEI 10-04 and NEI 13-10.

Should you or your staff have any questions, please contact Mr. Brian Yip at 301-415-3154.

Sincerely, Sabrina D. Atack, Acting Director Division of Physical and Cyber Security Policy Office of Nuclear Security and Incident Response Signed by Atack, Sabrina on 06/30/21

Ltr ML21140A140 OFFICE NSIR/DPCP/CSB NSIR/DPCP/CSB NSIR/DSO NAME BYip JBeardsley SAtack DATE Jun 21, 2021 Jun 28, 2021 Jun 30, 2021