Text

August 3, 2021 Mr. Doug E. True Chief Nuclear Officer and Senior Vice President Nuclear Energy Institute 1201 F Street, NW, Suite 1100 Washington, DC 20004

Dear Mr. True:

I am responding to the Nuclear Energy Institutes petition for rulemaking (PRM), dated June 12, 2014 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML14184B120). In this petition, the Nuclear Energy Institute requested that the U.S.

Nuclear Regulatory Commission (NRC) amend its regulations to clarify the scope of Section 73.54 of Title 10 of the Code of Federal Regulations (10 CFR), Protection of digital computer and communications systems and networks, to protect only systems and networks associated with structures, systems, or components that are necessary to prevent significant core damage and spent fuel sabotage or whose failure would cause a reactor scram. The petition requested specific changes to the regulatory language in 10 CFR 73.54(a) to effect this change.

The NRC docketed the petition as PRM-73-18 on June 27, 2014. The NRC published a notice of docketing and request for public comment in the Federal Register on September 22, 2014 (79 FR 56525). The comment period closed December 8, 2014. The public comment submissions are available at https://www.regulations.gov under Docket ID NRC-2014-0165.

Following docketing of the PRM, the staff established a working group to evaluate the petitioners request and the public comments received.

In 2013, the NRC began performing inspections of NRC licensees 10 CFR 73.54 cyber security programs. By 2016, the NRC had completed initial inspections of all NRC licensees cyber security programs. During this period of time, both industry and the NRC gained valuable insights and lessons learned from implementation of the NRCs cyber security requirements. In September 2017 (ADAMS Accession No. ML17179A002), the petitioner was informed that the NRC intended to keep the PRM open until completion of the staffs assessment of the insights and lessons learned from the licensees implementation of their cyber security programs.

In January 2019, the staff began an assessment of the NRCs Power Reactor Cyber Security Program. Based on the results of this assessment, the staff determined that there was a need for revisions to cyber security guidance documents. The NRC has engaged with stakeholders on these potential revisions. In November 2019 (ADAMS Accession No. ML19329C684), the petitioner was informed by the NRC about the plan to defer the decision on this PRM for 12 months while it continued to engage with stakeholders on potential revisions to guidance documents. The staff plans to capture industry guidance revisions in the ongoing revision to Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities, currently planned for completion in calendar year 2021.

D. True 2

The NRC is denying PRM-73-18 because the petition did not present sufficient new information to warrant the requested rulemaking. The NRCs current cyber security requirements in 10 CFR 73.54(a) are consistent with the NRCs original intent for the cyber security rule, and these requirements continue to provide reasonable assurance of adequate protection of public health and safety, and the common defense and security. Additionally, the staff has determined that the language in 10 CFR 73.54(a) is not overly broad and that existing and ongoing revisions to guidance can effectively address the issues raised in PRM-73-18 without the need for rulemaking. The reasons for the denial are discussed in detail in the enclosed notice, which will be published in the Federal Register. Upon publication of the enclosed notice, the NRC will close the Docket for PRM-73-18.

You may direct any questions on this matter to Juan Lopez by calling 301-415-2338 or by sending an e-mail to Juan.Lopez@nrc.gov.

Sincerely, Annette L. Vietti-Cook Secretary of the Commission

Enclosure:

Federal Register notice Annette L.

Vietti-Cook Digitally signed by Annette L. Vietti-Cook Date: 2021.08.03 16:25:13 -04'00'