ML23087A018

| | |
|---|---|
| Issue date: | 07/20/2023 |
| From: | Dan Warner, NRC/NSIR/DPCP/CSB |
| Shared Package: | ML22307A277 |
| References: | DG-5079, RG 5.83 Rev. 1 |
Response to Public Comments on Draft Regulatory Guide (DG)-5079, Cybersecurity Event Notifications, Proposed Revision 1 of Regulatory Guide (RG) 5.83

On April 24, 2023, the NRC published a notice in the Federal Register (88 FR 24715) announcing a 30-day public comment period on Draft Regulatory Guide DG-5079, Proposed Revision 1 of RG 5.83 (Docket ID NRC-2023-0068). The public comment period ended on May 24, 2023. The NRC received comments from the organization listed below. The NRC has combined the comments and NRC staff responses in the following table.

Comments were received from the following individual/company and can be found in the Agencywide Documents Access and Management System (ADAMS):

Comment #1: Richard Mogavero, Sr. Project Manager, Security & Incident Preparedness, Technical and Regulatory Services, 1201 F Street, NW, Suite 1100, Washington, DC 20004, P: 202.739.8174, rm@nei.org. ADAMS Accession No.: ML23143A198
| Commenter | Section | Specific Comment and Proposed Resolution | NRC Resolution |
|---|---|---|---|
| NEI-1 | Related Guidance | NRC references RG 5.71. Consider adding NEI 08-09 as an acceptable alternative to RG 5.71. | The NRC staff agrees with this comment; changes made. NEI 08-09, Revision 6, published in April 2010, was approved by NRC staff as acceptable for use (ADAMS Accession No. ML101190371). The following reference to NEI 08-09 will be added to the Background section: "The NRC issued Revision 1 of RG 5.71 in February 2023, providing licensees with guidance on establishing, maintaining, and implementing cybersecurity programs in accordance with 10 CFR 73.54. In addition, NEI developed NEI 08-09, Cyber Security Plan for Nuclear Power Reactors, Revision 6, to assist licensees in constructing and implementing submittals required by 10 CFR 73.54. In 2017, NEI also published several addendums to NEI 08-09 that the NRC has found acceptable for use." |
| NEI-2 | Background | Balance of Plant (BOP) Structures, Systems, and Components (SSCs) should reference BOP Critical Digital Assets (CDAs). This comment applies throughout the document, as the focus should be on CDAs instead of SSEP functions. | The NRC staff disagrees with the comment; no changes made. This section quotes SRM-COMWCO-10-0001, Staff Requirements - COMWCO-10-0001 - Regulation of Cyber Security at Nuclear Power Plants, dated October 21, 2010 (ML102940009), and the language will remain as is to be consistent. The remainder of the document will also continue to discuss functions as written, for consistency with previous revisions and other guidance documents. |
| NEI-3 | Background | Content states that the NRC may notify or forward reports to other licensees or government agencies. The details of an event report are likely marked Security-Related, SUNSI, 2.390, etc. Consider the protections needed to secure this information. | The NRC staff agrees with the comment; however, no changes are necessary. The NRC's policies for SUNSI, etc., cover this concern. |
| NEI-4 | 1.2.2 | Section 1.2.2 is contradictory to Section 1.2.1.1. Section 1.2.2 says that if the malware is quarantined by the antivirus software, then it is not reportable. Section 1.2.1.1 implies any malware on a CDA is to be a 4-hour report. Recommend removal of the example in 1.2.1.1, as it introduces confusion and does not align with the other examples. If the malware is mitigated (aka quarantined), it is still technically on the CDA. There are also scenarios where it could be proven that the malware would not or could not have had an adverse impact on the CDA. | The NRC staff agrees with the comment. Changes were made. The example in Section 1.2.1.1 was removed. |
| NEI-5 | 1.2.8.6 | Consider rewording "mobile or portable CDA." The proposed definition aligns with the definition within NEI 15-09R1. | The NRC staff agrees with the comment. Section 1.2.8.6 was changed to refer to PMD instead of CDA. It now reads: "1.2.8.6 Control of a mobile or portable media device (PMD) was lost or misplaced, and there were signs of exploitation. 1.2.8.6.1 For example, a PMD used for maintenance and testing was misplaced or lost, and upon recovery, either the PMD itself showed signs of tampering (e.g., physical tampering, installation of malware), or CDAs maintained and tested by the lost or misplaced PMD showed signs of exploitation (e.g., malware, unauthorized access or activity)." |
| NEI- | Glossary, [Security] Compromise | Loss of confidentiality, integrity, or availability of data or system function. The proposed definition aligns with the definition within NEI 15-09R1. | The NRC staff disagrees with the comment. This definition is intended to align with the definitions found in other agency guidance, such as RG 5.71. However, a minor change was made to maintain consistency with other agency guidance. It now reads: "A change to the state of a hardware, software, or firmware asset such that it performs outside of the intended functionality due to a loss of confidentiality, integrity, or availability of data, configuration, settings, or system function; alteration of existing functionality; or introduction of new functionality." |