Text

[7590-01-P]

NUCLEAR REGULATORY COMMISSION 10 CFR Part 73

[NRC-2023-0068]

Regulatory Guide: Cybersecurity Event Notifications AGENCY: Nuclear Regulatory Commission.

ACTION: Final guide; issuance.

SUMMARY

The U.S. Nuclear Regulatory Commission (NRC) is issuing Revision 1 to Regulatory Guide (RG), 5.83, Cybersecurity Event Notifications. This revision describes methods that the staff of the NRC considers acceptable for licensees to meet requirements in NRC regulations to report and record cybersecurity events.

DATES: Revision 1 to RG 5.83 is available on July 28, 2023.

ADDRESSES: Please refer to Docket ID NRC-2023-0068 when contacting the NRC about the availability of information regarding this document. You may obtain publicly available information related to this document using any of the following methods:

Federal Rulemaking Website: Go to https://www.regulations.gov and search for Docket ID NRC-2023-0068. Address questions about Docket IDs in Regulations.gov to Stacy Schumann; telephone: 301-415-0624; email:

Stacy.Schumann@nrc.gov. For technical questions, contact the individuals listed in the For Further Information Contact section of this document.

NRCs Agencywide Documents Access and Management System (ADAMS): You may obtain publicly available documents online in the ADAMS Public Documents collection at https://www.nrc.gov/reading-rm/adams.html. To begin the search, select Begin Web-based ADAMS Search. For problems with ADAMS, please contact the NRCs Public Document Room (PDR) reference staff at 1-800-397-4209, at

2 301-415-4737, or by email to PDR.Resource@nrc.gov. The ADAMS accession number for each document referenced (if it is available in ADAMS) is provided the first time that it is mentioned in this document.

NRCs PDR: The PDR, where you may examine and order copies of publicly available documents, is open by appointment. To make an appointment to visit the PDR, please send an email to PDR.Resource@nrc.gov or call 1-800-397-4209 or 301-415-4737, between 8 a.m. and 4 p.m. eastern time (ET), Monday through Friday, except Federal holidays.

Revision 1 to RG 5.83 and the response to public comments may be found in ADAMS under Accession Nos. ML23087A017 and ML23087A018, respectively.

Regulatory guides are not copyrighted, and NRC approval is not required to reproduce them.

FOR FURTHER INFORMATION CONTACT: Daniel Warner, Office of Nuclear Security and Incident Response, telephone: 301-287-3642; email: Daniel.Warner@nrc.gov; and Stanley Gardocki, Office of Nuclear Regulatory Research, telephone: 301-415-1067; email: Stanley.Gardocki@nrc.gov. Both are staff of the U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001.

SUPPLEMENTARY INFORMATION:

I. Discussion The NRC is issuing a revision in the NRCs Regulatory Guide series. This series was developed to describe methods that are acceptable to the NRC staff for implementing specific parts of the agencys regulations, to explain techniques that the staff uses in evaluating specific issues or postulated events, and to describe information that the staff needs in its review of applications for permits and licenses.

3 The proposed Revision 1 to RG 5.83 was issued with a temporary identification of Draft Regulatory Guide, DG-5079 (ADAMS Accession No. ML22250A443).

This revision of the guide (Revision 1) addresses new concerns identified since the NRC first issued RG 5.83 in 2015. The primary changes made have been to align the definitions in the glossary with those in recent updates to RG 5.71, and to provide clarification in the eight-hour notification section about the reportability of malicious activity against devices that reside on the same networks as critical digital assets (CDAs) or that support CDAs.

II. Additional Information The NRC published a notice of the availability of DG-5079 in the Federal Register on April 24, 2023 (88 FR 24715) for a 30-day public comment period. The public comment period closed on May 24, 2023. Public comments on DG-5079 and the staff responses to the public comments are available under ADAMS under Accession No. ML23087A018.

As noted in the Federal Register on December 9, 2022 (87 FR75671), this document is being published in the Rules section of the Federal Register to comply with publication requirements under title 1 of the Code of Federal Regulations (1 CFR),

chapter I.

III. Congressional Review Act This RG is a rule as defined in the Congressional Review Act (5 U.S.C. 801-808).

However, the Office of Management and Budget has not found it to be a major rule as defined in the Congressional Review Act.

IV. Backfitting, Forward Fitting, and Issue Finality Issuance of RG 5.83, Revision 1, does not constitute backfitting as defined in section 50.109 of title 10 of the Code of Federal Regulations (10 CFR), Backfitting, and

4 as described in NRC Management Directive (MD) 8.4, Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests (ADAMS Accession No. ML18093B087); constitute forward fitting as that term is defined and described in MD 8.4; or affect issue finality of any approval issued under 10 CFR part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants. As explained in RG 5.83, Revision 1, applicants and licensees are not required to comply with the positions set forth in this guide.

V. Submitting Suggestions for Improvement of Regulatory Guides A member of the public may, at any time, submit suggestions to the NRC for improvement of existing RGs or for the development of new RGs. Suggestions can be submitted on the NRCs public website at https://www.nrc.gov/reading-rm/doc-collections/reg-guides/contactus.html. Suggestions will be considered in future updates and enhancements to the Regulatory Guide series.

Dated: July 24, 2023.

For the Nuclear Regulatory Commission.

/RA/

Meraj Rahimi, Chief, Regulatory Guide and Programs Management Branch, Division of Engineering, Office of Nuclear Regulatory Research.