ML23227A094

| Person / Time | |
|---|---|
| Issue date | 08/17/2023 |
| From | Kim Lawson-Jenkins, NRC/NSIR/DPCP/CSB |
| To | |
| References | |
| Download | ML23227A094 (1) |
Regional Inspector Comments on Updates to IMC 0612 Appendix E Section 11 Cybersecurity

| Commenter | Section of IMC 0612 Appendix E | Specific Comments | CSB Staff Resolution |
|---|---|---|---|
| Region I | Example 11.a | A significant number of findings were written using MC 0612 Appendix E example 11.a to support the MTM justification since full implementation. Please strongly consider maintaining this example in MC 0612 Appendix E and use the attached updated example 11.a provided to NSIR, which refers to CSP 3.16, Mitigation of Vulnerabilities and Application of Cyber Security Controls, instead of referring to CSP 3.1.3, Identification of Critical Digital Assets. This example illustrates missed security controls that are required to be implemented for Indirect and Direct CDAs and continues to be a value-added example to support issues identified during the cyber security baseline inspections. | The example was updated to cite NEI 08-09, Appendix A, Section 3.1.6, Mitigation of Vulnerabilities and Application of Cyber Security Controls, instead of NEI 08-09, Appendix A, Section 3.1.3, Identification of Critical Digital Assets, and clarified that the example addresses misclassification of a CDA that results in inadequate protection against a cyber-attack. |
| Region IV | Example 11.a | The text "commensurate to the required baseline controls" seems a bit vague to me. I recommend adding language similar to "...that mitigate the consequences of the threat/attack vector(s) associated with one or more of the cyber security controls..." for consistency with the guidance. | The required baseline controls are specifically identified for indirect CDAs in NEI 13-10. The updated text regarding misclassification of the CDA provides clarity and reduces subjectivity when determining whether the performance deficiency is minor. No additional changes were made to the text based on this comment. |
| Region II | Example 11.a | RII also believes that 11.a should be deleted. | See the answer to the RI comment on this example, which revised the original example and added clarifying text. |
| Region IV | Example 11.d | Would it be useful to include a discussion on the 92-day audit requirement under 10.3? | It would be more appropriate to address this issue with additional guidance that discusses acceptable alternative controls for periodicity requirements for security controls, which would include the periodicity to verify baseline configurations. CSB staff will be reviewing new NEI guidance in this area. |
| Region I | Example 11.f | The "MTM if" section should include the language that we have used to screen recent issues at MTM, such as "MTM if unnecessary services and programs are installed but not disabled without a cyber impact assessment to justify that those programs and services do not introduce any new or unmitigated vulnerabilities" or "MTM if unnecessary services and programs are installed and manually turned off, but not disabled, which would not prevent those services and programs from running if another system, service or application triggers those unnecessary programs or services to run." | It is not clear to CSB staff that the text in the comment would provide clarity for the example. The impact should not result in the reduction of the defense-in-depth protective strategy. The given MTM examples are specific in stating how the unnecessary service or program would impact other security controls in the CSP and reduce the overall defense-in-depth strategy. No change was made to the text based on this comment. |
| Region I | Example 11.g | It is standard practice for sites to perform a performance test using an X-ray test block at the beginning of each shift or even prior to every scan. The "Minor if" includes "a functional X-ray test block to verify operability prior to use of searching." We have issued Findings even though sites have performed this test, so the statement should be clarified or removed from this example. | Changed the text from "functional X-ray block test" to "testing." This leaves the flexibility to the inspector to determine whether the combination of security protections with the specific level of testing is adequate. |
| Region I | Example 11.e | 11.e seems to toggle from missing a cyber security control in the "Minor if" section to focusing on failing to perform an ongoing assessment of controls. The example needs to focus on only one or the other. I would revise to change the "Minor if" to discuss only the ongoing assessment portion. We can discuss later for details. | There have been instances on inspections where security controls that had been in place were inadvertently changed during the lifecycle of the CDA. In almost all cases, if the licensee was performing adequate ongoing assessments, they would have determined that the security control was no longer in place. Some inspectors have written violations based on the failure to perform adequate ongoing assessments rather than the missing control. No change was made to the text based on this comment. |
| Region I | Example 11.f | In prior discussions with Tim Marshall, we have also incorporated the additional complexity of running versus standby (but not disabled) as part of the minor/more-than-minor discussion. | It is understood that the listed criteria are not all-inclusive and that the additional criteria proposed would be included in the reduction of the defense-in-depth strategy. No change was made to the text based on this comment. |
| Region I | Example 11.h | Consider changing the "Minor if" from "isolated cases of vulnerability" to "an isolated vulnerability," as typically the inspectors only ask for a few vulnerabilities, and therefore having multiple is actually a high percentage of the ones inspected. On the "MTM if," we could also include "or multiple applicable vulnerabilities were not assessed." | CSB staff agree with the suggested changes and updated the text. |