ML21236A303

OEDO-21-00017 Enclosure to NSIR Response to Dr. Brett Baker, OIG, Memo Status of Recommendations: Audit of NRC's Cyber Security Inspections at Nuclear Power Plants, Dated January 13th, 2021 (OIG-19-A-13)
ML21236A303
Person / Time
Issue date: 09/03/2021
From: Kim Holloway
NRC/NSIR/DPCP/CSB
To:
Holloway K
Shared Package
ML21013A237 List:
References
OEDO-21-00017, OIG-19-A-13


Text

STAFF RESPONSE TO THE OFFICE OF THE INSPECTOR GENERAL'S AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S CYBER SECURITY INSPECTIONS AT NUCLEAR POWER PLANTS OIG-19-A-13

In OIG-19-A-13, Audit of NRC's Cyber Security Inspections at Nuclear Power Plants, the Office of the Inspector General (OIG) provided two recommendations to the U.S. Nuclear Regulatory Commission's (NRC) staff for improving the agency's cyber security oversight program. Below is the OIG's recommendation No. 2 followed by the NRC staff's response.

Recommendation No. 1 is closed.

Recommendation 2:

Use the results of operating experience and discussions with industry to develop and implement suitable cyber security performance measure(s) (e.g., testing, analysis of logs, etc.) by which licensees can demonstrate sustained program effectiveness.

Update:

The staff agrees with the recommendation and addressed it as part of the staff's power reactor cyber security action plan (Agencywide Documents Access and Management System (ADAMS) Accession No. ML21244A375).

In July 2019, the staff completed an assessment of the Power Reactor Cyber Security Program. The assessment considered feedback and lessons learned from industry and other stakeholders regarding the cyber security rule, associated guidance, licensees' implementation of their cyber programs, lessons learned, and ongoing NRC inspections of cyber security program full implementation (Milestone 8). In October 2019, staff finalized the power reactor cyber security action plan to move forward with appropriate program enhancements based on insights from the assessment. The action plan included development of cyber security performance measures as part of a baseline inspection procedure (IP) for cyber security inspections beyond full implementation. The NRC staff completed full implementation inspection activity in July 2021.

In 2020 and 2021, the Office of Nuclear Security and Incident Response (NSIR) and regional staff collaborated on development of the new IP. The IP shifts cyber security oversight from a compliance focus to licensee performance. The IP reflects experience from the full implementation inspections, identifying elements of program performance for the inspection focus. In addition, the IP provides licensees the opportunity to provide performance metrics and the results of performance testing.

The new IP was issued on September 3, 2021 (ADAMS Accession No. ML21155A172).

Additionally, the staff is planning a series of tabletop-style public meetings to discuss the IP. These meetings will start in October and will allow NRC inspectors, licensee personnel, and members of the public to see how the new IP provisions will be implemented and ensure that the procedure is readily understood and can be implemented consistently across the agency. Based on the information provided in this update, NSIR requests the closure of this recommendation.

Point of Contact:

Kim Holloway, NSIR/DPCP 301-415-0286