ML23143A198

From kanterella
Comment (1) of Richard Mogavero on Behalf of Nuclear Energy Institute on Draft Regulatory Guide: Cybersecurity Event Notifications
Person / Time
Site: Nuclear Energy Institute
Issue date: 05/18/2023
From: Mogavero R
Nuclear Energy Institute
To:
Office of Administration
References
NRC-2023-0068, 88FR24715 00001


Text

PUBLIC SUBMISSION
As of: 5/23/23, 10:53 AM
Received: May 18, 2023
Status: Pending_Post
Tracking No. lht-8im5-m87w
Comments Due: May 24, 2023
Submission Type: Web
Docket: NRC-2023-0068, Draft Regulatory Guide: CyberSecurity Event Notifications
Comment On: NRC-2023-0068-0001, Draft Regulatory Guide: Cybersecurity Event Notifications
Document: NRC-2023-0068-DRAFT-0003, Comment on FR Doc # 2023-08532

Submitter Information
Email: txc@nei.org
Organization: Nuclear Energy Institute

General Comment
NEI Comments on Draft Regulatory Guide DG-5079, Cybersecurity Event Notifications (Docket ID NRC-2023-0068) (see attached file)

Attachments: 05-18-23_NRC_NEI Comments on DG-5079
SUNSI Review Complete; Template=ADM-013; E-RIDS=ADM-03; ADD: Stanley Gardock, Bridget Curran, Mary Neely; Comment (1)

Publication Date: 4/24/2023
Citation: 88 FR 24715

RICHARD MOGAVERO
Sr. Project Manager, Security & Incident Preparedness
Technical and Regulatory Services
1201 F Street, NW, Suite 1100
Washington, DC 20004
P: 202.739.8174
rm@nei.org
nei.org

May 18, 2023

Office of Administration
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001
ATTN: Program Management, Announcements and Editing Staff

Submitted via Regulations.gov

Subject: NEI Comments on Draft Regulatory Guide DG-5079, Cybersecurity Event Notifications (Docket ID NRC-2023-0068)

Project Number: 689

Dear Program Management, Announcements, and Editing Staff:

The Nuclear Energy Institute (NEI)[1], on behalf of our members, appreciates the opportunity to comment on draft regulatory guide DG-5079 (RG 5.83, Rev. 1). The endorsement of NEI 15-09, Revision 1, Cybersecurity Event Notifications,[2] through this regulatory guide supports consistent implementation of reporting requirements and streamlines the process for making reportability determinations.

NEI offers specific comments on the additional clarity needed regarding the distinction between digital assets and Critical Digital Assets associated with safety, security, or emergency preparedness functions.

Our comments are provided in the attachment.

[1] The Nuclear Energy Institute (NEI) is responsible for establishing unified policy on behalf of its members relating to matters affecting the nuclear energy industry, including the regulatory aspects of generic operational and technical issues. NEI's members include entities licensed to operate commercial nuclear power plants in the United States, nuclear plant designers, major architect and engineering firms, fuel cycle facilities, nuclear materials licensees, and other organizations involved in the nuclear energy industry.

[2] Accession Number ML22298A228

We thank you for considering NEI's comments prior to finalizing and publishing the regulatory guide.

Please contact Richard Mogavero at rm@nei.org or (202) 739-8174 with any questions or comments.

Sincerely,
Richard Mogavero

Attachment: NEI Comments on DG-5079

c: Daniel Warner, NRC/NSIR
   Brian Yip, NRC/NSIR
   NRC Document Control Desk

Attachment - NEI Comments on DG-5079

Comment 1
  Page: 3
  Section: Related Guidance
  Proposed Change/New Language: NRC references RG 5.71.
  Comment/Justification: Consider adding NEI 08-09 as an acceptable alternative to RG 5.71.

Comment 2
  Page: 8
  Section: Background
  Proposed Change/New Language: Balance of Plant (BOP) Structures, Systems, Components (SSCs) should reference BOP Critical Digital Assets (CDAs).
  Comment/Justification: This comment applies throughout the document, as the focus should be on CDAs instead of SSEP functions.

Comment 3
  Page: 8
  Section: Background
  Proposed Change/New Language: Content states that the NRC may notify or forward reports to other licensees or government agencies.
  Comment/Justification: The details of an event report are likely marked Security-related, SUNSI, or 2.390, etc. Consider the protections needed to secure this information.

Comment 4
  Page: 10
  Section: 1.2.2
  Proposed Change/New Language: Section 1.2.2 is contradictory to section 1.2.1.1. Section 1.2.2 says that if the malware is quarantined by the antivirus software, then it's not reportable. Section 1.2.1.1 implies any malware on a CDA is to be a 4-hour report. Recommend removal of the example in 1.2.1.1, as it introduces confusion and does not align with the other examples.
  Comment/Justification: If the malware is mitigated (i.e., quarantined), it is still technically on the CDA. There are also scenarios where it could be proven that the malware would not or could not have had an adverse impact on the CDA.

Comment 5
  Page: 11
  Section: 1.2.8.6
  Proposed Change/New Language: Consider rewording to "mobile or portable CDA".
  Comment/Justification: The proposed definition aligns with the definition within NEI 15-09R1.

Comment 6
  Page: 25
  Section: Glossary, [Security] Compromise
  Proposed Change/New Language: Loss of confidentiality, integrity, or availability of data or system function.
  Comment/Justification: The proposed definition aligns with the definition within NEI 15-09R1.