ML24351A021

20241021 Public Meeting Changes to Cyber Security Baseline Inspection Meeting Summary
ML24351A021
Person / Time
Issue date: 01/31/2025
From: Siddiky T, NRC/NSIR/DPCP/CSB
To: Mario Fernandez, NRC/NSIR/DPCP/CSB
Shared Package: ML24351A020


Text

MEMORANDUM TO: Mario Fernandez, Chief
Cyber Security Branch
Division of Physical and Cyber Security Policy
Office of Nuclear Security and Incident Response

FROM: Tanvir Siddiky, IT Specialist
Cyber Security Branch
Division of Physical and Cyber Security Policy
Office of Nuclear Security and Incident Response

SUBJECT: SUMMARY OF OCTOBER 21, 2024, PUBLIC MEETING TO PROPOSE CHANGES TO THE CYBERSECURITY BASELINE INSPECTION

On October 21, 2024, the U.S. Nuclear Regulatory Commission (NRC) held an open public meeting to provide Nuclear Energy Institute (NEI) an opportunity to explain the technical basis for their proposed option on changing the frequency of baseline cybersecurity inspections. The meeting notice is available at ADAMS Accession ML24115A044. Approximately 73 participants, representing the NRC, the industry, and members of the public, attended the meeting.

The NEI presentation discussed the background and rationale behind considering their proposed option and team composition for the cybersecurity inspections. NEI proposed a one-week triennial inspection with one NRC inspector. NEI's justification of the proposal leans heavily on pre-inspection activities such as scope development, the request for information (RFI) phase, and planning activities. NEI also mentioned that the proposal supports the Accelerating Deployment of Versatile Advanced Nuclear for Clean Energy (ADVANCE) Act, specifically section 507, by providing oversight in inspection program areas such as planning and preparation for inspections as well as elimination of redundant areas and unnecessary activities.

NEI also discussed potential changes in the RFI document and inspection scope adjustments according to the complexity and grouping of CDAs.

After the presentation, NRC staff asked questions about implementation of emerging technologies and how the reduced scope and smaller number of inspectors would effectively evaluate the cybersecurity program. NEI responded that refining the scope to focus on the maintenance phase of the cybersecurity program would enable inspectors to concentrate on emerging technologies. NRC staff then asked how NEI determined that 35 hours of direct inspection effort would be sufficient to complete the inspection's scope. NEI responded that the hours were calculated based on similar security inspections and noted that the number of NRC contractors was not factored into the estimate.

January 31, 2025
Fernandez, Mario signing on behalf of Siddiky, Tanvir on 01/31/25

Another member of the public sought clarification on the reduction of inspection hours and scope. NEI explained that the scope reduction would be based on pre-inspection activities.

Another member of the public from the Union of Concerned Scientists mentioned that there is no justification for reducing the scope and frequency of cybersecurity inspections, especially given the significant increase in cyber threats and attacks the world is facing, as well as the large number of cybersecurity inspection violations in 2023.

At the end, NEI representatives thanked the NRC for the opportunity to present the justification and basis of their inspection frequency proposal and explored options for efficient and effective improvements in the implementation of the cybersecurity program.

Enclosures:

1. NRC Presentation Slides
2. Attendance Report

ML24351A020; ML24351A021

OFFICE   NRC/NSIR/DPCP/CSB   NSIR/DPCP/CSB   NRC/NSIR/DPCP/CSB
NAME     TSiddiky            MFernandez      TSiddiky MFernandez for
DATE     Dec 16, 2024        Jan 28, 2025    Jan 31, 2025