Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 December 13, 2021 Mr. William R. Gross Director, Incident Preparedness Nuclear Energy Institute 1201 F Street NW, Suite 1100 Washington, DC 20004

Dear Mr. Gross:

On behalf of the U.S. Nuclear Regulatory Commission (NRC), I am responding to your letter dated November 10, 2021 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML21319A352), requesting a fee exemption under Title 10 of the Code of Federal Regulations (10 CFR) 170.11(a)(1)(ii) for NRC review and endorsement of NEI 10-04, Identifying Systems and Assets Subject to the Cyber Security Rule, Revision 3, dated October 2021; and to NEI 13-10, Cyber Security Control Assessments, Revision 7, dated October 2021.

The NRC has established regulations for granting fee exemptions under 10 CFR 170.11, Exemptions, which may be applied for in accordance with 10 CFR 170.5, Communications.1 The NRC staff has reviewed your request based on the following regulations, 10 CFR 170.11(a)(1)(ii) and 10 CFR 170.11(a)(13):

10 CFR 170.11(a) No application fees, license fees, renewal fees, inspection fees, or special project fees shall be required for: (1) A special project that is a request/report submitted to the NRC . . . (ii) When the NRC, at the time the request/report is submitted, plans to use the information in response to an NRC request from the Office Director level or above to resolve an identified safety, safeguards, or environmental issue, or to assist the NRC in generic regulatory improvements or efforts (e.g., rules, regulatory guides, regulations, policy statements, generic letters, or bulletins).

10 CFR 170.11(a)(13) All fee exemption requests must be submitted in writing to the Chief Financial Officer in accordance with § 170.5, and the Chief Financial Officer will grant or deny such requests in writing.

NEI previously submitted papers for NRC review and approval that revised guidance for the identification and protection of digital assets associated with Emergency Preparedness, Balance of Plant, Safety-Related and Important-to-Safety, and Security Critical Digital Assets. These changes are intended to improve the effectiveness and efficiency of licensee cyber security 1 10 CFR 170.5 provides that All communications concerning the regulations in this part should be addressed to the NRC's Chief Financial Officer, either by mail to the U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; by hand delivery to the NRC's offices at 11555 Rockville Pike, Rockville, Maryland; or, where practicable, by electronic submission, for example, via Electronic Information Exchange, or CD-ROM.

W. R. Gross programs and address cyber security controls to meet the requirements of 10 CFR 73.54, Protection of digital computer and communication systems and networks. This submittal is a final administrative update to integrate the approved changes from all four papers into a revision to NEI 10-04 and NEI 13-10.

If approved by the NRC, the revised guidance may be used by licensees who have used Regulatory Guide (RG) 5.71, Cyber Security Programs for Nuclear Facilities, or NEI 08-09, Cyber Security Plan for Nuclear Power Reactors, Revision 6, dated April 2010, as a basis for their Cyber Security Plans. NEI 08-09, Revision 6, Appendix A, Section 3.1.3, Identification of Critical Digital Assets, corresponds to NRC RG 5.71, Appendix A, Section 3.1.3. The changes described in the publicly available NEI 10-04, Identifying Systems and Assets Subject to the Cyber Security Rule, Revision 3, dated October 2021; and of NEI 13-10, Cyber Security Control Assessments, Revision 7, dated October 2021, will improve the effectiveness and efficiency of licensee and applicant cyber security programs and the NRC oversight and licensing functions.

Based on the NRC staffs review of your fee exemption request under 10 CFR 170.11(a)(1)(ii), I am granting NEIs fee exemption request to cover activities associated with the review of NEI 10-04, Identifying Systems and Assets Subject to the Cyber Security Rule, Revision 3, dated October 2021; and of NEI 13-10, Cyber Security Control Assessments, Revision 7, dated October 2021. These efforts meet the criteria under 10 CFR 170.11(a)(1)(ii) because this will assist the NRC in generic regulatory improvements or efforts. The NRC will make NEI 10-04, Identifying Systems and Assets Subject to the Cyber Security Rule, Revision 3, dated October 2021; and of NEI 13-10, Cyber Security Control Assessments, Revision 7, dated October 2021, guidance available to all licensees if accepted for use. Any future revisions should be submitted for a fee exemption consideration under 10 CFR 170.11(a)(1)(ii).

If you have any technical questions regarding this matter, please contact Mr. Dan Warner at 301-287-3642. Please contact Mr. Billy Blaney, of my staff, at 301-415-5092 for any fee-related questions.

Sincerely, Signed by Johnson,Cherish re: on 12/13/21 Cherish K. Johnson Chief Financial Officer

SUBJECT:

LETTER TO WILLIAM GROSS RESPONSE TO FEE EXEMPTION REQUEST FOR NEI 10-04 AND 13-10 DISTRIBUTION:

DWarner, NSIR CPantalo, NSIR KRiner, OCFO NAridi, OCFO RidsNrrOd Resource ADAMS: Yes No Initials: WB SUNSI Review: WB Publicly Available Non-Publicly Available Sensitive Non-Sensitive ADAMS Accession No: ML21322A193 (pkg); ML19284A626 (incoming);

ML21322A190 (letter) *via e-mail OFFICE OCFO/DOB/LFPT OCFO/DOB/LFPT NSIR/DPCP/CSB NSIR/DPCP NAME WBlaney JJacobs JBeardsley SAtack DATE 11/18/2021 11/18/2021 11/22/2021 11/22/2021 OFFICE OGC OCFO/DOC/LAFBB OCFO/DOC/LAFBB OCFO/DOB/LFPT NAME BHarris MLee MBlair ARossi DATE 12/06/2021 12/06/2021 12/08/2021 12/07/2021 OFFICE OCFO/DOB OCFO/DOB DCFO CFO NAME RCAllwein JEShay BFicks CKJohnson DATE 12/08/2021 12/13/2021 12/13/2021 12/ /2021 OFFICIAL RECORD ONLY