ML22112A072

Letter from M Sampson to W Gross NRC Review of NEI 10-04 Identifying Systems and Assets Subject to the Cyber Security Rule Revision 3
Person / Time
Issue date: 05/20/2022
From: Michele Sampson
NRC/NSIR/DPCP/CSB
To: Gross W
Nuclear Energy Institute
Yip B
References
NEI 10-04


Text

May 20, 2022

William R. Gross, Director, Incident Preparedness
Nuclear Energy Institute
1201 F Street, NW, Suite 1100
Washington, DC 20004

SUBJECT: NRC REVIEW OF NEI 10-04, IDENTIFYING SYSTEMS AND ASSETS SUBJECT TO THE CYBER SECURITY RULE, REVISION 3

Dear Mr. Gross:

In your letter dated October 29, 2021, you requested that the U.S. Nuclear Regulatory Commission (NRC) staff review and endorse the Nuclear Energy Institute's (NEI's) guidance document NEI 10-04, "Identifying Systems and Assets Subject to the Cyber Security Rule," Revision 3 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML21342A168). The NEI submitted this revision following NRC acceptance of a series of white papers proposing revisions to NEI 10-04, Revision 2, and NEI 13-10, "Cyber Security Control Assessments," Revision 6, in the areas of safety (ML20199M368), balance of plant (ML20205L604), security (ML21155A216), and emergency preparedness (ML20126G492). The technical and regulatory bases for the changes, and limitations to the applicability and scope of the guidance, are described in the Discussion and Compliance with Regulatory Requirements sections of the white papers.

In a letter dated July 27, 2012 (ML12194A532), the staff informed the NEI that it found NEI 10-04, Revision 2, acceptable for use, with the exception of sections 2.2 and 2.4. Section 2.2 did not include all the security systems that are within the scope of 10 CFR 73.54. NEI 10-04, Revision 3, includes changes to section 2.2 that define "security function" and remove text that would have categorically excluded certain security systems from the scope of 10 CFR 73.54.

Section 2.4 of NEI 10-04, Revision 2, did not specify that safety system digital test and maintenance equipment, which may not be permanently connected to a critical system but could still have an adverse impact on the system's ability to perform its function, is within the scope of 10 CFR 73.54. This concern has been resolved through the issuance of Security Frequently Asked Question (SFAQ) 16-03, "Treatment of Digital Maintenance and Test Equipment," dated March 8, 2017 (not publicly available). Additionally, the staff acknowledges that the NEI intends to incorporate the information in this SFAQ into a planned revision to NEI 08-09, "Cyber Security Plan for Nuclear Power Reactors," Revision 6 (ML101180437).

The staff completed its review of NEI 10-04, Revision 3, using NRC regulations, regulatory guidance, and relevant industry guidance acceptable for use by licensees in meeting the requirements of Title 10 of the Code of Federal Regulations (10 CFR) 73.54, "Protection of digital computer and communication systems and networks." Based on this review, the staff concludes that NEI 10-04, Revision 3, in its entirety, is acceptable for use by licensees. The staff plans to note its acceptance of NEI 10-04, Revision 3, in its anticipated revision to Regulatory Guide 5.71, "Cyber Security Programs for Nuclear Power Reactors." The NRC's finding that NEI 10-04, Revision 3, is acceptable for use is a rule as defined in the Congressional Review Act (5 U.S.C. 801-808). However, the Office of Management and Budget has not found it to be a major rule as defined in the Congressional Review Act.

The staff notes that NEI 10-04, Revision 3, contains new guidance that applies only to a subset of digital assets. For example, section 5 contains provisions for crediting alternate methods of performing emergency preparedness functions when determining whether an emergency preparedness digital asset is a critical digital asset (CDA). Section 5 also provides a process for considering whether a licensee has alternate means to perform a security support function when determining whether security support systems are CDAs. Licensees may not use guidance intended for specific types of digital assets as a basis for determining whether other types of digital assets are CDAs.

Please contact Mr. Duane White at (301) 287-3627 if you have any questions.

Sincerely,

Signed by Sampson, Michele on 05/20/22

Michele Sampson, Director (Acting)
Division of Physical and Cyber Security Policy
Office of Nuclear Security and Incident Response

ML22112A072 NMSS/MSST OGC/GCRPS OFFICE NSIR/DPCP/CSB NSIR/DPCP/RSB

/MSEB /HLWFCNS/NLO NAME BYip BY DWhite DW JMaltese JM MSampson MS DATE Apr 22, 2022 Apr 22, 2022 Apr 22, 2022 May 20, 2022