ML21258A184

OIG-19-A-13-Status of Recommendations: Audit of NRC's Cyber Security Inspections at Nuclear Power Plants Dated September 15th, 20
ML21258A184
Person / Time
Issue date: 09/15/2021
From: Rivera E
NRC/OIG
To: Margaret Doane
NRC/EDO
References
OIG-19-A-13


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

OFFICE OF THE INSPECTOR GENERAL

September 15, 2021

MEMORANDUM TO: Margaret M. Doane
Executive Director for Operations

FROM: Eric Rivera /RA/
Acting Assistant Inspector General for Audits

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF NRC'S CYBER SECURITY INSPECTIONS AT NUCLEAR POWER PLANTS (OIG-19-A-13)

REFERENCE: DIRECTOR, OFFICE OF NUCLEAR SECURITY AND INCIDENT RESPONSE, MEMORANDUM DATED SEPTEMBER 10, 2021

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated September 10, 2021.

Based on this response, recommendation two is now closed. Recommendation one was previously closed. Therefore, all recommendations associated with this report are now closed.

If you have questions or concerns, please call me at (301) 415-5915 or Paul Rades, Team Leader, at (301) 415-6228.

Attachment: As stated

cc: C. Haney, OEDO
S. Miotla, OEDO
J. Jolicoeur, OEDO
S. Mroz, OEDO
RidsEdoMailCenter Resource
OIG Liaison Resource
EDO_ACS Distribution Resource

Audit Report
AUDIT OF NRC'S CYBER SECURITY INSPECTIONS AT NUCLEAR POWER PLANTS
OIG-19-A-13
Status of Recommendations

Recommendation 2: Use the results of operating experience and discussions with industry to develop and implement suitable cyber security performance measure(s) (e.g., testing, analysis of logs, etc.) by which licensees can demonstrate sustained program effectiveness.

Agency Response Dated September 10, 2021: The staff agrees with the recommendation and is addressing it as part of the staff's power reactor cyber security action plan.

In July 2019, the staff completed an assessment of the Power Reactor Cyber Security Program. The assessment considered feedback and lessons learned from industry and other stakeholders regarding the cyber security rule, associated guidance, licensees' implementation of their cyber programs, lessons learned, and ongoing NRC inspections of cyber security program full implementation (Milestone 8). In October 2019, staff finalized the power reactor cyber security action plan to move forward with appropriate program enhancements based on insights from the assessment. The action plan included development of cyber security performance measures, as part of a baseline inspection procedure (IP) for cyber security inspections beyond full implementation. The NRC staff completed full implementation inspection activity in July 2021.

In 2020 and 2021, the Office of Nuclear Security and Incident Response (NSIR) and regional staff collaborated on development of the new IP. The IP shifts cyber security oversight from a compliance focus to licensee performance.

The IP reflects experience from the full implementation inspections, identifying elements of program performance for the inspection focus. In addition, the IP provides licensees the opportunity to provide performance metrics and the results of performance testing.


The new IP was issued on September 3, 2021. Additionally, the staff is planning a series of tabletop-style public meetings to discuss the IP. These meetings will start in October and will allow NRC inspectors, licensee personnel, and members of the public to see how the new IP provisions will be implemented and ensure that the procedure is readily understood and can be implemented consistently across the agency. Based on the information provided in this update, the NSIR requests the closure of this recommendation.

Point of Contact: Kim Holloway, NSIR/DPCP (301) 415-0286

OIG Analysis: The OIG reviewed the new inspection procedure and the emphasis on licensee program performance, including the opportunity for licensees to provide performance metrics and performance testing results. As a result of this review, the OIG determined that the NRC has met the intent of this recommendation by developing suitable cyber security performance measures for implementation through the revised inspection procedure. Therefore, this recommendation is closed.

Status: Closed.
