NEI 08-09, Re-Submittal of the Exelon Cyber Security Plan


Re-Submittal of the Exelon Cyber Security Plan
ML102070168
Site: Dresden, Peach Bottom, Oyster Creek, Byron, Three Mile Island, Braidwood, Limerick, Clinton, Quad Cities, LaSalle
Issue date: 07/23/2010
From: Cowan P, Exelon Generation Co, Exelon Nuclear
To: Document Control Desk, Office of Nuclear Reactor Regulation, Office of Nuclear Security and Incident Response
Shared Package: ML102070166
References: NEI 08-09, Rev 6
Download: ML102070168 (10)


Text

ENCLOSURES 1 AND 2 TRANSMITTED HEREWITH CONTAIN SECURITY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390

10 CFR 50.90

July 23, 2010

U.S. Nuclear Regulatory Commission
Attn: Document Control Desk
Washington, D.C. 20555-0001

Braidwood Station, Units 1 and 2
Facility Operating License Nos. NPF-72 and NPF-77
NRC Docket Nos. STN 50-456 and STN 50-457

Byron Station, Units 1 and 2
Facility Operating License Nos. NPF-37 and NPF-66
NRC Docket Nos. STN 50-454 and STN 50-455

Clinton Power Station, Unit 1
Facility Operating License No. NPF-62
NRC Docket No. 50-461

Dresden Nuclear Power Station, Units 2 and 3
Renewed Facility Operating License Nos. DPR-19 and DPR-25
NRC Docket Nos. 50-237 and 50-249

LaSalle County Station, Units 1 and 2
Facility Operating License Nos. NPF-11 and NPF-18
NRC Docket Nos. 50-373 and 50-374

Limerick Generating Station, Units 1 and 2
Facility Operating License Nos. NPF-39 and NPF-85
NRC Docket Nos. 50-352 and 50-353

Oyster Creek Nuclear Generating Station
Renewed Facility Operating License No. DPR-16
NRC Docket No. 50-219

Enclosures 1 and 2 transmitted herewith contain Security-Related Information. When separated from Enclosures 1 and 2, this document is decontrolled.

Exelon Nuclear, 200 Exelon Way, Kennett Square, PA 19348, www.exeloncorp.com


Peach Bottom Atomic Power Station, Units 2 and 3
Renewed Facility Operating License Nos. DPR-44 and DPR-56
NRC Docket Nos. 50-277 and 50-278

Quad Cities Nuclear Power Station, Units 1 and 2
Renewed Facility Operating License Nos. DPR-29 and DPR-30
NRC Docket Nos. 50-254 and 50-265

Three Mile Island Nuclear Station, Unit 1
Renewed Facility Operating License No. DPR-50
NRC Docket No. 50-289

Subject: Re-submittal of the Exelon Cyber Security Plan

Reference: (1) Letter from Nicholas J. DiFrancesco (U.S. Nuclear Regulatory Commission) to Mr. Charles G. Pardee (Exelon Nuclear), "License Amendment Request for Approval of the Cyber Security Plan," dated June 4, 2010

On November 23, 2009, in accordance with the provisions of 10 CFR 50.4 and 10 CFR 50.90, Exelon Generation Company, LLC (Exelon) submitted a request for an amendment to the Facility Operating Licenses (FOL) for Braidwood Station, Units 1 and 2; Byron Station, Units 1 and 2; Clinton Power Station, Unit 1; Dresden Nuclear Power Station, Units 2 and 3; LaSalle County Station, Units 1 and 2; Limerick Generating Station, Units 1 and 2; Oyster Creek Nuclear Generating Station; Peach Bottom Atomic Power Station, Units 2 and 3; Quad Cities Nuclear Power Station, Units 1 and 2; and Three Mile Island Nuclear Station, Unit 1. This proposed amendment requested U.S. Nuclear Regulatory Commission (NRC) approval of the Exelon Cyber Security Plan, provided an Implementation Schedule, and added a sentence to the existing FOL Physical Protection license condition to require Exelon to fully implement and maintain in effect all provisions of the Commission-approved Cyber Security Plan. This proposed amendment conformed to the model application contained in NEI 08-09, Revision 3, submitted to the NRC for endorsement on September 15, 2009. This amendment request was supplemented on January 15, 2010, with a revised No Significant Hazards Consideration (NSHC) Determination.

By letter dated April 28, 2010, NEI submitted to the NRC Revision 6 to NEI 08-09, which contains changes that address NRC staff concerns associated with previous versions. Based on a technical review of the document, the Office of Nuclear Security and Incident Response, in its letter dated May 5, 2010, concluded that submission of a cyber security plan using the template provided in NEI 08-09, Revision 6, dated April 2010, would be acceptable for use by licensees to comply with the requirements of 10 CFR 73.54, with the exception of the definition of "Cyber Attack." A revised definition for Cyber Attack to be utilized in the Exelon Cyber Security Program is provided in the attached Evaluation of NEI 08-09, Revision 6 Deviations.

Therefore, to resolve the NRC staff's concerns with Revision 3 to NEI 08-09 and with the NEI 08-09, Revision 6 definition of "Cyber Attack," Exelon is providing a revised Cyber Security Plan consistent with NEI 08-09, Revision 6 for Braidwood Station, Units 1 and 2; Byron Station, Units 1 and 2; Clinton Power Station, Unit 1; Dresden Nuclear Power Station, Units 2 and 3; LaSalle County Station, Units 1 and 2; Limerick Generating Station, Units 1 and 2; Oyster Creek Nuclear Generating Station; Peach Bottom Atomic Power Station, Units 2 and 3; Quad Cities Nuclear Power Station, Units 1 and 2; and Three Mile Island Nuclear Station, Unit 1. The attached Cyber Security Plan, Implementation Schedule/Summary of Regulatory Commitments and Evaluation of Deviations supersede, in their entirety, the previous Cyber Security Plan, Implementation Schedule/Summary of Regulatory Commitments and Evaluation of Deviations submitted on November 23, 2009.

Enclosure 1 provides a copy of the Exelon Cyber Security Plan, which supersedes in its entirety the November 23, 2009, Cyber Security Plan. This is a standalone document that will be incorporated by reference into the Exelon Physical Security Plan upon approval. Enclosure 2 provides a response to NRC's generic question #29, provided to NEI regarding NEI 08-09, Revision 3, and the Implementation Schedule/Summary of Regulatory Commitments. This question was not directly addressed on an industry level and is therefore provided as part of this supplement. Enclosure 3 provides an evaluation of deviations from NEI 08-09, Revision 6.

Exelon requests that Enclosures 1 and 2, which contain sensitive information, be withheld from public disclosure in accordance with 10 CFR 2.390.

In accordance with 10 CFR 50.91, a copy of this application with attachments is being provided to the designated State Officials. If you should have any questions regarding this submittal, please contact Mr. Doug Walker at 610-765-5952.

I declare under penalty of perjury that the foregoing is true and correct. Executed on the 23rd day of July 2010.

Respectfully,

Pamela B. Cowan
Director - Licensing and Regulatory Affairs

Enclosures:

- Cyber Security Plan For Exelon Nuclear

- Evaluation of NRC's Generic Question #29 on NEI 08-09, Revision 3 and Implementation Schedule/Summary of Regulatory Commitments

- Evaluation of NEI 08-09, Revision 6 Deviations

cc:

USNRC Region I, Regional Administrator
USNRC Region III, Regional Administrator
NRC Project Manager, NRR - Braidwood Station
NRC Project Manager, NRR - Byron Station
NRC Project Manager, NRR - Clinton Power Station
NRC Project Manager, NRR - Dresden Nuclear Power Station
NRC Project Manager, NRR - LaSalle County Station
NRC Project Manager, NRR - Limerick Generating Station
NRC Project Manager, NRR - Oyster Creek Nuclear Generating Station
NRC Project Manager, NRR - Peach Bottom Atomic Power Station
NRC Project Manager, NRR - Quad Cities Nuclear Power Station
NRC Project Manager, NRR - Three Mile Island Nuclear Station


cc (continued):

USNRC Senior Resident Inspector - Braidwood Station
USNRC Senior Resident Inspector - Byron Station
USNRC Senior Resident Inspector - Clinton Power Station
USNRC Senior Resident Inspector - Dresden Nuclear Power Station
USNRC Senior Resident Inspector - LaSalle County Station
USNRC Senior Resident Inspector - Limerick Generating Station
USNRC Senior Resident Inspector - Oyster Creek Nuclear Generating Station
USNRC Senior Resident Inspector - Peach Bottom Atomic Power Station
USNRC Senior Resident Inspector - Quad Cities Nuclear Power Station
USNRC Senior Resident Inspector - Three Mile Island Nuclear Station
S. T. Gray, State of Maryland
Illinois Emergency Management Agency - Division of Nuclear Safety
R. R. Janati - Bureau of Radiation Protection, Commonwealth of Pennsylvania

ENCLOSURE 3
Evaluation of NEI 08-09, Revision 6 Deviations

Evaluation of NEI 08-09, Revision 6 Deviations (each deviation is listed with its Location, the NEI 08-09 Rev 6 Text, the Exelon Text, and the Discussion; text shown as [deleted: ...] is struck through in the Exelon Text)

Deviation 1

Location: Appendix A, Section 3.1.2, 6th bullet, last phrase

NEI 08-09 Rev 6 Text: The roles and responsibilities of the CSAT include such activities as: Evaluating assumptions and conclusions about cyber security threats; potential vulnerabilities to, and consequences from an attack; the effectiveness of existing cyber security controls, defensive strategies, and attack mitigation methods; cyber security awareness and training of those working with, or responsible for CDAs and cyber security controls throughout their system life cycles; and estimates of cyber security risk

Exelon Text: The roles and responsibilities of the CSAT include such activities as: Evaluating assumptions and conclusions about cyber security threats; potential vulnerabilities to, and consequences from an attack; the effectiveness of existing cyber security controls, defensive strategies, and attack mitigation methods; cyber security awareness and training of those working with, or responsible for CDAs and cyber security controls throughout their system life cycles [deleted: ; and estimates of cyber security risk]

Discussion: This deviation deletes the CSAT responsibility for estimating cyber security risk since there is no basis for performing this action (e.g., how to perform this function, when this is performed, or how the information is used). This bullet has been revised and now reads consistent with Reg Guide 5.71.

Deviation 2

Location: Appendix A, Section 3.1.4, first paragraph

NEI 08-09 Rev 6 Text: The CSAT collects, examines, and documents the existing cyber security policies, procedures, and practices; existing cyber security controls; detailed descriptions of network and communication architectures (or network/communication architecture drawings); information on security devices; and any other information that may be helpful during the cyber security assessment process. The team collects, documents by reference and evaluates the following as they apply to CDAs

Exelon Text: The CSAT collects, examines, and documents the existing cyber security policies, procedures, and practices; existing cyber security controls; detailed descriptions of network and communication architectures (or network/communication architecture drawings); information on security devices; and any other information that may be helpful during the cyber security assessment process. The team collects, documents by reference and [deleted: evaluates] examines the following as they apply to CDAs

Discussion: The word "evaluates" has been replaced by "examines" to be consistent with both the Title of the section and other uses of the word in the section. It is clear that there is no additional evaluation implied with this requirement and the text should be revised to read "examine" to avoid unintended meaning.

Evaluation of NEI 08-09, Revision 6 Deviations Page 2
Columns: NEI 08-09 Location; NEI 08-09 Rev 6 Text; Exelon Text; Discussion

3. NEI 08-09 Location: Appendix A, Section 4.4.3.2, last paragraph, first sentence

NEI 08-09 Rev 6 Text: A vulnerability assessment may be used as a substitute for vulnerability scanning where there is a risk of an adverse impact to SSEP functions, and when off-line, replicated, or vendor test beds are not available.

Exelon Text: A vulnerability assessment may be used as a substitute for vulnerability scanning where there is a risk of an adverse impact to SSEP functions, and when off-line, replicated, or vendor test beds are not available or when a scan is technically inappropriate to be performed.

Discussion: There are many CDAs that operate as single-function, isolated instruments. It is technically inappropriate to scan isolated instruments such as transmitters, recorders, indicators, controllers, and programmable logic controllers (PLCs). Vulnerability scans on these instruments will not provide valid/usable results.

4. NEI 08-09 Location: Appendix A, Section 4.7

NEI 08-09 Rev 6 Text: Procedures for operating the CDAs in manual mode with external electronic communications connections severed until secure conditions can be restored

Exelon Text: Procedures for severing external electronic communications connections, where allowed, [struck: operating the CDAs in manual mode with external electronic communications connections severed,] until secure conditions can be restored

Discussion: Deleted "operating the CDAs in manual mode" based on its conflict with the Technical Specification Limiting Conditions for Operation as defined under 10 CFR 50.36. There may be conditions and CDAs in a nuclear power plant that are not permitted to be operated in manual mode with external communication connections severed. This deviation revises the requirement to sever the communication connections where allowed and deletes the requirement to operate the CDA in a manual mode.

5. NEI 08-09 Location: Appendix B, definition of Cyber Attack

NEI 08-09 Rev 6 Text: Any event in which there is reason to believe that an adversary has committed or caused, or attempted to commit or cause, or has made a credible threat to commit or cause malicious exploitation of a SSEP function.

Exelon Text: Any event in which there is reason to believe that an adversary has committed or caused, or attempted to commit or cause, or has made a credible threat to commit or cause malicious exploitation of a [struck: SSEP function] CDA.

Discussion: This revision to the definition of Cyber Attack results from comments provided by NRC following their review of NEI 08-09, Rev 6. Reference letter from NEI Christopher E. Earls to NRC Richard P. Correia dated June 2, 2010.


Evaluation of NEI 08-09, Revision 6 Deviations Page 3

6. NEI 08-09 Location: Appendix D, Control 1.4, 6th and 7th bullets

NEI 08-09 Rev 6 Text: 1.4 Information Flow Enforcement. This Technical cyber security control:
- Implements one-way data flows using hardware mechanisms, implementing dynamic information flow control based on policy that allows or disallows information flows based on changing conditions or operational considerations.
- Implements information flow control enforcement using dynamic security policy mechanisms as a basis for flow control decisions.

Exelon Text: 1.4 Information Flow Enforcement. This Technical cyber security control:
- For Deterministic devices: Implements one-way data flows using hardware mechanisms [struck: , implementing dynamic information flow control based on policy that allows or disallows information flows based on changing conditions or operational considerations].
- For Non-deterministic devices: Implements information flow control enforcement using dynamic security policy mechanisms as a basis for flow control decisions.

Discussion: The two bulleted controls here are being revised to remove ambiguity in how they are applied to both non-deterministic firewalls and deterministic data diodes. Both types of devices are being implemented as part of Exelon's defensive architecture.

7. NEI 08-09 Location: Appendix D, Control 2.5, 4th bullet, 3rd sub-bullet

NEI 08-09 Rev 6 Text: Ensures CDAs with auditing failures take the following additional actions:
1. Shut down the CDA,
2. Failover to a redundant CDA, where necessary to prevent adverse impact to safety, security or emergency preparedness functions,
3. Overwrite, when necessary, the oldest audit record(s), and
4. Stop generating audit records.

Exelon Text: Ensures CDAs with auditing failures take the following additional actions:
1. Shut down the CDA (if appropriate),
2. Failover to a redundant CDA, where necessary to prevent adverse impact to safety, security or emergency preparedness functions,
3. Overwrite, when necessary, the oldest audit record(s), and
4. Stop generating audit records.

Discussion: Appendix D, Control 2.5 discusses "Response To Audit Processing Failures." The Control states that CDAs should be shut down when auditing failures occur. Depending on the function of the CDA in a nuclear power plant, it may not be possible in all circumstances to shut down a CDA. The control is being revised to acknowledge the CDA may not be able to be immediately shut down.
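A constructed illustration of the revised Control 2.5 response, added here and not Exelon's or NEI's code. It assumes the four "additional actions" are tried in the listed order and that a CDA whose SSEP function rules out shutdown falls through to the next action; the CDA names, storage capacities and audit records are made up.

```python
# Added example, not Exelon's or NEI's code.  Assumption: the control's four
# actions form a preference order, and a CDA that may not be shut down (because
# of its SSEP function) falls through to the next action.  Names are constructed.
from collections import deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CDA:
    name: str
    shutdown_permitted: bool    # False when shutting down would impair an SSEP function
    redundant_peer: Optional[str]   # name of a redundant CDA, if one exists
    overwrite_permitted: bool   # may the oldest audit record(s) be overwritten?
    capacity: int               # audit storage in records (tiny, to force a failure)
    records: deque = field(default_factory=deque)
    state: str = "running"      # running | shut_down | failed_over | audit_stopped
    actions: list = field(default_factory=list)
    dropped: int = 0            # records discarded after "stop generating"

    def audit(self, record):
        """Store one audit record; on storage exhaustion apply the control's
        response.  Returns True only when the record was retained."""
        if self.state == "audit_stopped":
            self.dropped += 1
            return False
        if self.state != "running":
            return False        # a shut-down or failed-over CDA audits nothing further
        if len(self.records) < self.capacity:
            self.records.append(record)
            return True
        return self.respond_to_audit_failure(record)

    def respond_to_audit_failure(self, pending):
        # 1. Shut down the CDA (if appropriate)
        if self.shutdown_permitted:
            self.state = "shut_down"
            self.actions.append("shut down")
            return False
        # 2. Failover to a redundant CDA, where necessary to protect SSEP functions
        if self.redundant_peer:
            self.state = "failed_over"
            self.actions.append(f"failover to {self.redundant_peer}")
            return False
        # 3. Overwrite, when necessary, the oldest audit record(s)
        if self.overwrite_permitted:
            self.records.popleft()
            self.records.append(pending)
            self.actions.append("overwrite oldest")
            return True
        # 4. Stop generating audit records
        self.state = "audit_stopped"
        self.actions.append("stop generating audit records")
        self.dropped += 1
        return False


def run_sample_cdas():
    """Four constructed CDAs, one per branch of the response; returns their
    final state, actions taken, retained records and dropped-record count."""
    cdas = [
        CDA("hmi-workstation", True, None, False, capacity=2),
        CDA("rps-channel-a", False, "rps-channel-b", False, capacity=2),
        CDA("plant-historian", False, None, True, capacity=2),
        CDA("legacy-recorder", False, None, False, capacity=2),
    ]
    for cda in cdas:
        for n in range(4):      # four records into two slots forces a failure
            cda.audit(f"{cda.name}-event-{n}")
    return {c.name: (c.state, c.actions, list(c.records), c.dropped) for c in cdas}
```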


Evaluation of NEI 08-09, Revision 6 Deviations Page 4

8. NEI 08-09 Location: Appendix E, Section 6, 4th bullet and next to last sub-bullet

NEI 08-09 Rev 6 Text: This security control implements and documents a defensive strategy that:
- Allows only one-way direct data flow from higher security levels to lower security levels.
In addition, this security control implements and documents security boundary control devices between higher security levels and lower security levels that:
- Except in the case of data diodes, contain a rule set that at a minimum
  - Allows no information of any kind, including handshaking protocols, to be transferred directly from networks or systems existing at the lower security level to networks or systems existing at the higher security level;

Exelon Text: This security control implements and documents a defensive strategy that:
- For deterministic devices (e.g., data diodes), allows only one-way direct data flow from higher security levels to lower security levels.
In addition, this security control implements and documents security boundary control devices between higher security levels and lower security levels that:
- Except in the case of data diodes, contain a rule set that at a minimum
  - [struck: Allows no information of any kind, including handshaking protocols, to be transferred directly from networks or systems existing at the lower security level to networks or systems existing at the higher security level;]

Discussion: For Exelon, the boundary between Level 3 and Level 2 is implemented by one or more deterministic devices (i.e., data diodes, air gaps) that isolate CDAs in or above level 3. The boundary between level 4 and level 3 is implemented by either one or more deterministic devices (i.e., data diodes, air gaps) that isolate CDAs in level 4, or one or more non-deterministic network isolation devices. Information flows between level 3 and 4 are restricted through the use of a firewall and network-based intrusion detection system.

The first revised bullet discusses the restriction to one-way communication between levels. Exelon's defensive architecture allows use of a firewall within the boundary of a deterministic device (i.e., level 3 to level 4) which under controlled conditions may allow some transfer of information from lower to higher level.

The second revised bullet is deleted. This bullet discusses boundary devices other than diodes (e.g., firewalls). The restriction of no data transfer is removed and not necessary in Exelon's architecture which employs a data diode or air gap between level 2 and level 3.
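A constructed model of the flow-enforcement policy behind items 6 and 8, added here and not Exelon's or NEI's code. It assumes a higher level number is a more secure level, that an air gap passes no electronic flow, and that a firewall passes a hop only when a rule in its run-time-changeable rule set matches; the device layout follows the Discussion (diode between levels 3 and 2, firewall plus network IDS between levels 4 and 3), while the host names and protocols are made up.

```python
# Added example, not Exelon's or NEI's code.  Assumptions: a higher level number is
# a more secure level; an air gap passes nothing; a firewall passes a hop only when
# its (mutable) rule set matches; host and protocol names are constructed.
from dataclasses import dataclass, field
from enum import Enum

class DeviceKind(Enum):
    DATA_DIODE = "data diode"      # deterministic: hardware one-way, high -> low only
    AIR_GAP = "air gap"            # deterministic: no electronic path at all
    FIREWALL = "firewall + NIDS"   # non-deterministic: rule set decides each hop

@dataclass(frozen=True)
class Flow:
    src_level: int
    dst_level: int
    protocol: str
    dst_host: str

@dataclass
class Boundary:
    high: int
    low: int
    kind: DeviceKind
    rules: list = field(default_factory=list)   # (direction, protocol, dst_host)
    denied: list = field(default_factory=list)  # NIDS-style record of blocked hops

    def allow(self, direction, protocol, dst_host):
        """Dynamic security policy mechanism: the rule set changes at run time."""
        if self.kind is not DeviceKind.FIREWALL:
            raise ValueError("only non-deterministic devices carry a rule set")
        self.rules.append((direction, protocol, dst_host))

    def permits_hop(self, direction, flow):
        if self.kind is DeviceKind.AIR_GAP:
            ok = False
        elif self.kind is DeviceKind.DATA_DIODE:
            ok = direction == "high_to_low"      # fixed by hardware, no rules
        else:
            ok = (direction, flow.protocol, flow.dst_host) in self.rules
        if not ok:
            self.denied.append((direction, flow))  # what the NIDS would alert on
        return ok

class DefensiveArchitecture:
    def __init__(self, boundaries):
        self.boundaries = {(b.high, b.low): b for b in boundaries}

    def permits(self, flow):
        """Every boundary between src and dst must pass the hop, so a low->high
        flow aimed at the firewall's exception still stops at the diode below."""
        if flow.src_level == flow.dst_level:
            return True
        step = 1 if flow.dst_level > flow.src_level else -1
        direction = "low_to_high" if step == 1 else "high_to_low"
        level = flow.src_level
        while level != flow.dst_level:
            nxt = level + step
            boundary = self.boundaries[(max(level, nxt), min(level, nxt))]
            if not boundary.permits_hop(direction, flow):
                return False
            level = nxt
        return True

def build_sample_architecture():
    """Constructed layout from the Discussion: data diode between levels 3 and 2,
    firewall + NIDS between levels 4 and 3 with a small rule set."""
    diode = Boundary(high=3, low=2, kind=DeviceKind.DATA_DIODE)
    fw = Boundary(high=4, low=3, kind=DeviceKind.FIREWALL)
    fw.allow("high_to_low", "historian-push", "l3-historian")  # constructed names
    fw.allow("low_to_high", "ntp", "l4-timesource")  # controlled low->high case
    return DefensiveArchitecture([diode, fw])

def evaluate_sample_flows(arch=None):
    """Constructed flows; returns {label: permitted}."""
    arch = arch or build_sample_architecture()
    flows = {
        "l3->l2 replication via diode": Flow(3, 2, "historian-push", "l2-historian"),
        "l2->l3 tcp handshake via diode": Flow(2, 3, "tcp-syn", "l3-historian"),
        "l3->l4 ntp, rule present": Flow(3, 4, "ntp", "l4-timesource"),
        "l3->l4 ssh, no rule": Flow(3, 4, "ssh", "l4-plc"),
        "l2->l4 ntp, diode in path": Flow(2, 4, "ntp", "l4-timesource"),
    }
    return {label: arch.permits(f) for label, f in flows.items()}
```

The last flow is the case the deleted sub-bullet was guarding against: a firewall exception at the 3/4 boundary cannot be reached from level 2 because the diode at the 2/3 boundary has no low-to-high path at all.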


Evaluation of NEI 08-09, Revision 6 Deviations Page 5

9. NEI 08-09 Location: Appendix E, Control 7.1, last paragraph

NEI 08-09 Rev 6 Text: Stakeholders are included in the development of incident response policies, procedures and plans, including the following groups:
- Physical security
- Cyber security team
- Operations
- Engineering
- Information Technology
- Human resources
- System support vendors
- Management
- Legal
- Safety

Exelon Text: Stakeholders are included in the development of incident response policies, procedures and plans. [struck: , including the following groups:] For example:
- Physical security
- Cyber security team
- Operations
- Engineering
- Information Technology
- Human resources
- System support vendors
- Management
- Legal
- Safety

Discussion: Appendix E, Control 7.1 is revised to recognize that all groups listed in the control are provided for example and not necessarily all required for the development of the incident response policies, procedures and plans.
