ML23152A258
| Person / Time | |
|---|---|
| Issue date: | 06/02/2023 |
| From: | Kim Lawson-Jenkins NRC/NSIR/DPCP/CSB |
| To: | |
| References | |
| ML23152A256 | |
NRC Inspection Manual Chapter 0612 Appendix E - Minor Examples
Kim Lawson-Jenkins
Cyber Security Branch
Division of Physical and Cyber Security Policy
Office of Nuclear Security and Incident Response
U.S. Nuclear Regulatory Commission
Overview
- Cybersecurity Inspections
- IMC 0612 Appendix B - Issue Screening
- New Cybersecurity Minor Examples
- Next Steps
Cybersecurity Inspections
- Milestones 1 through 7
  - CDA identification
- Full implementation (Milestone 8)
  - CDA assessments, PMMD, alternate controls
- Reactor Oversight Program
  - Areas related to maintaining an effective cybersecurity program

CDA - critical digital asset
PMMD - portable media and mobile devices
IMC 0612 Appendix B - Issue Screening
Is the performance deficiency More-than-Minor?
If the answer to any of the following questions is yes, then the performance deficiency is More-than-Minor and is a finding. If the answer to all of the following questions is no, then the performance deficiency is minor and is not a finding.
1. Could the performance deficiency reasonably be viewed as a precursor to a significant event?
2. If left uncorrected, would the performance deficiency have the potential to lead to a more significant safety concern?
3. Is the performance deficiency associated with one of the cornerstone attributes and did the performance deficiency adversely affect the associated cornerstone objective?
IMC 0612 Appendix B - Issue Screening
Defense in Depth considerations
- Capability to detect, respond to, and recover from cyber attacks
- Multiple layers of defensive security controls are placed throughout the system with the intent of providing overlapping defenses in the event that a control fails, or a vulnerability is exploited
New Cybersecurity Minor Examples
- Baseline Configuration
- Ongoing Monitoring and Assessment
- Removal of Unnecessary Services and Programs
- Physical Access Control
- Evaluate and Manage Cyber Risk (Vulnerability Management)
Next Steps
- June 15 - Draft to be shared with regional inspectors; comment period closes by June 30
- July 15 - Comments resolved; updated section of the IMC is submitted to the Office of Nuclear Reactor Regulation (NRR)