ML24018A176
| ML24018A176 | |
|---|---|
| Issue date: | 01/19/2024 |
| From: | Siddiky T, NRC/NSIR/DPCP/CSB |
| To: | Jeffrey Bream, Office of Nuclear Security and Incident Response |
| Shared Package: | ML24018A170 |
MEMORANDUM TO: Jeff Bream, Acting Chief
Cyber Security Branch
Division of Physical and Cyber Security Policy
Office of Nuclear Security and Incident Response

FROM: Tanvir Siddiky, IT Specialist (Cyber)
Cyber Security Branch
Division of Physical and Cyber Security Policy
Office of Nuclear Security and Incident Response

SUBJECT: SUMMARY OF DECEMBER 14, 2023, PUBLIC MEETING TO PROVIDE FEEDBACK ON THE NUCLEAR ENERGY INSTITUTE'S (NEI'S) ONGOING MONITORING AND ASSESSMENT WHITE PAPER

On December 14, 2023, the U.S. Nuclear Regulatory Commission (NRC) held an open public meeting to provide feedback on the Nuclear Energy Institute's (NEI's) white paper, "Ongoing Monitoring and Assessment" (Agencywide Documents Access and Management System (ADAMS) Accession No. ML23205A200), submitted for the NRC's review in support of its planned revision to NEI 08-09, "Cybersecurity Plan for Nuclear Power Reactors." The meeting notice is available at ML23326A070. Approximately 52 participants, representing the NRC, the industry, and members of the public, attended the meeting.
The white paper aims to provide licensees with guidance and examples on Ongoing Monitoring and Assessment (OM&A) activities and changing control periodicity based on the nine categories in section 3.1.6 of NEI 08-09. The purpose of this public meeting was for the NRC staff to provide feedback following the review of the OM&A white paper for NEI's consideration as it develops Revision 7 to NEI 08-09.
The NRC presentation discussed the takeaways and results from the previous public meeting and discussion with NEI held on September 20, 2023 (ML23248A354). The NRC staff then presented two considerations related to changing any control periodicity. First, an alternate periodicity must meet the intent of the original control periodicity. Second, an alternate periodicity in lieu of implementing the original periodicity must mitigate the consequences of the threat/attack vector the control is intended to protect. Additionally, the basis for implementing an alternate periodicity must be documented.
The NRC staff presentation provided additional feedback and criteria on the periodicity extension due to nuclear safety risk and alignment of periodicity with regularly scheduled maintenance. The NRC staff disagreed with NEI's proposal regarding extending password change periodicity, as the approach does not mitigate the consequence of the attack vector.
January 19, 2024 Signed by Siddiky, Tanvir on 01/19/24
Additionally, the NRC staff stated that more details were needed in the guidance regarding continuously staffed and continuously surveilled locations. The NRC staff provided detailed feedback regarding crediting security information and event management (SIEM) for extending control periodicity. The NRC staff stated that generally accepted standards that are credited for alternate period justification must be implemented fully and could not be implemented in part.
Finally, sections on industry operating experience, experience with security control, benchmarking, and audits/assessments lack adequate guidance. At this time, the NRC did not accept the proposed approach for use.
During the Q&A portion of the public meeting, NEI agreed with the feedback and stated that NEI will incorporate the feedback and discussion outcome into the next revision of NEI 08-09 Revision 7. NEI representatives commented they appreciated the opportunity to provide clarification and explore additional opportunities for efficient and effective improvements in the implementation of the cybersecurity program.
Enclosures:
NRC Presentation Slides
ML24018A170; ML24018A176

| OFFICE | NRC/NSIR/DPCP/CSB | NSIR/DSO/SOSB | NRC/NSIR/DPCP/CSB |
|---|---|---|---|
| NAME | TSiddiky TS | JBream JB | TSiddiky TS |
| DATE | Jan 18, 2024 | Jan 19, 2024 | Jan 19, 2024 |