NOC-AE-09002480, License Amendment Request for Approval of Cyber Security Plan


License Amendment Request for Approval of Cyber Security Plan
ML093280720
Person / Time
Site: South Texas  STP Nuclear Operating Company icon.png
Issue date: 11/19/2009
From: Bowman C
South Texas
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
NOC-AE-09002480, STI: 32554802
Download: ML093280720 (18)


Text

Nuclear Operating Company
South Texas Project Electric Generating Station
P.O. Box 289
Wadsworth, Texas 77483

SECURITY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390

November 19, 2009
NOC-AE-09002480
10CFR50.90

U. S. Nuclear Regulatory Commission
Attention: Document Control Desk
One White Flint North
11555 Rockville Pike
Rockville, MD 20852

South Texas Project Units 1 and 2
Docket Nos. STN 50-498, STN 50-499
License Amendment Request for Approval of Cyber Security Plan

In accordance with the provisions of 10 CFR §50.4 and §50.90, STP Nuclear Operating Company (STPNOC) is submitting a request for an amendment to the Facility Operating Licenses (FOL) for South Texas Project Units 1 and 2. This proposed amendment requests NRC approval of the STPNOC Cyber Security Plan, provides an Implementation Schedule, and adds a sentence to the existing FOL Physical Protection license condition to require STPNOC to fully implement and maintain in effect all provisions of the Commission-approved Cyber Security Plan. Enclosure 1 provides an evaluation of the proposed change. Enclosure 1 also contains the following attachments:

  • Attachment 1 provides the existing FOL pages marked up to show the proposed change.

  • Attachment 2 provides the STPNOC Cyber Security Plan Implementation Schedule.

  • Attachment 3 provides the STPNOC Cyber Security Plan commitment schedule.

Enclosures 2 and 3 to this letter contain sensitive information.

Withhold from public disclosure under 10 CFR 2.390.

Upon removal of Enclosures 2 and 3, this letter is uncontrolled.

STI: 32554802

A member of the STARS (Strategic Teaming and Resource Sharing) Alliance: Callaway - Comanche Peak - Diablo Canyon - Palo Verde - San Onofre - South Texas Project - Wolf Creek

NOC-AE-09002480 Page 2 of 3

Enclosure 2 provides a copy of the STPNOC Cyber Security Plan, which is a standalone document that will be incorporated by reference into the STPNOC Physical Security Plan upon approval. STPNOC requests that Enclosure 2, which contains sensitive information, be withheld from public disclosure in accordance with 10 CFR 2.390. Enclosure 3 provides a description of changes to un-bracketed text of NEI 08-09, Revision 3.

The commitments in this letter are contained in Attachment 3 of Enclosure 1.

In accordance with 10 CFR 50.91(b), STPNOC is notifying the State of Texas of this request for license amendment by providing a copy of this letter and its attachments.

STPNOC requests an implementation period of 90 days following NRC approval of the license amendment.

If there are any questions regarding the proposed amendment, please contact Mr. Wayne Harrison at (361) 972-7298 or me at (361) 972-7454.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on ________

Charles T. Bowman
General Manager, Oversight

Enclosures:

1. Evaluation of Proposed Change
2. STPNOC Cyber Security Plan
3. Description of Changes to Un-Bracketed Text of NEI 08-09, Revision 3

NOC-AE-09002480 Page 3 of 3

cc:

(paper copy w/out Enclosures 2 and 3 except as noted with asterisk *)

Regional Administrator, Region IV
U. S. Nuclear Regulatory Commission
612 East Lamar Blvd, Suite 400
Arlington, Texas 76011-4125

Mohan C. Thadani
Senior Project Manager
U. S. Nuclear Regulatory Commission
One White Flint North (MS 8B1A)
11555 Rockville Pike
Rockville, MD 20852

Senior Resident Inspector
U. S. Nuclear Regulatory Commission
P.O. Box 289, Mail Code: MN116
Wadsworth, TX 77483

C. M. Canady
City of Austin
Electric Utility Department
721 Barton Springs Road
Austin, TX 78704

Richard A. Ratliff
Texas Department of State Health Services

Alice Rogers
Texas Department of State Health Services

(electronic copy w/out Enclosures 2 and 3)

A. H. Gutterman, Esquire
Morgan, Lewis & Bockius LLP

Mohan C. Thadani
U. S. Nuclear Regulatory Commission

Kevin Howell
Catherine Callaway
Jim von Suskil
NRG South Texas LP

Ed Alarcon
J. J. Nesrsta
R. K. Temple
Kevin Polio
City Public Service

Jon C. Wood
Cox Smith Matthews

C. Mele
City of Austin

NOC-AE-09002480 Enclosure 1

Evaluation of Proposed Change
Request for Approval of the STPNOC Cyber Security Plan

1.0 Summary Description
2.0 Detailed Description
3.0 Technical Evaluation
4.0 Regulatory Evaluation
  4.1 Applicable Regulatory Requirements / Criteria
  4.2 Significant Hazards Consideration
5.0 Environmental Consideration
6.0 References

ATTACHMENTS
1. Marked FOL pages
2. STPNOC Cyber Security Plan Implementation Schedule
3. STPNOC Cyber Security Plan commitment schedule


NOC-AE-09002480 Enclosure 1 Page 1 of 5

1.0 SUMMARY DESCRIPTION

The proposed license amendment request (LAR) includes the proposed STPNOC Cyber Security Plan (Plan), an Implementation Schedule, and a proposed sentence to be added to the existing Facility Operating Licenses (FOL) Physical Protection license condition.

2.0 DETAILED DESCRIPTION

The proposed license amendment request (LAR) includes three parts: the proposed Plan, an Implementation Schedule, and a proposed sentence to be added to the existing FOL Physical Protection license condition to require STPNOC to fully implement and maintain in effect all provisions of the Commission-approved cyber security plan as required by 10 CFR §73.54. The regulations in 10 CFR §73.54, "Protection of digital computer and communication systems and networks," establish the requirements for a cyber security program. This regulation specifically requires each licensee currently licensed to operate a nuclear power plant under Part 50 of this chapter to submit a cyber security plan that satisfies the requirements of the Rule. Each submittal must include a proposed implementation schedule, and implementation of the licensee's cyber security program must be consistent with the approved schedule. The background for this application is addressed by the NRC Notice of Availability published on March 27, 2009, 74 FR 13926 (Reference 1).

3.0 TECHNICAL EVALUATION

Federal Register notice 74 FR 13926 issued the final rule that amended 10 CFR Part 73. Cyber security requirements are codified as new §73.54 and are designed to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks up to and including the design-basis threat established by §73.1(a)(1)(v). These requirements are substantial improvements upon the requirements imposed by NRC Order EA-02-026 (Reference 2).

This LAR includes the proposed Plan (Enclosure 2) that is derived from the template provided in NEI 08-09, Rev. 3. In addition, the LAR includes the proposed change to the existing FOL license condition for "Physical Protection" (Attachment 1) and the proposed Implementation Schedule (Attachment 2) as required by 10 CFR §73.54.

4.0 REGULATORY EVALUATION

4.1 APPLICABLE REGULATORY REQUIREMENTS / CRITERIA

This LAR is submitted pursuant to 10 CFR §73.54, which requires licensees currently licensed to operate a nuclear power plant under 10 CFR Part 50 to submit a Cyber Security Plan as specified in §50.4 and §50.90.


NOC-AE-09002480 Enclosure 1 Page 2 of 5

4.2 SIGNIFICANT HAZARDS CONSIDERATION

STPNOC has evaluated the proposed changes using the criteria in 10 CFR 50.92 and has determined that the proposed changes do not involve a significant hazards consideration. An analysis of the issue of no significant hazards consideration is presented below:

Criterion 1: The proposed change does not involve a significant increase in the probability or consequences of an accident previously evaluated.

The proposed change is required by § 73.54 and includes three parts. The first part is the submittal of the Plan for NRC review and approval. The Plan was derived from the template provided in NEI 08-09 and provides a description of how the requirements of the Rule will be implemented at the South Texas Project. The Plan establishes the licensing basis for the STPNOC Cyber Security Program for the South Texas Project. The Plan establishes how to achieve high assurance that nuclear power plant digital computer and communication systems and networks associated with the following are adequately protected against cyber attacks up to and including the design-basis threat:

1. Safety-related and important-to-safety functions,
2. Security functions,
3. Emergency preparedness functions including offsite communications,
4. Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.

Part one of the proposed change is designed to achieve high assurance that the systems are protected from cyber attacks. The Plan itself does not require any plant modifications.

However, the Plan does describe how plant modifications which involve digital computer systems are reviewed to provide high assurance of adequate protection against cyber attacks, up to and including the design-basis threat as defined in the Rule. The proposed change does not alter the plant configuration, require new plant equipment to be installed, alter accident analysis assumptions, add any initiators, or affect the function of plant systems or the manner in which systems are operated, maintained, modified, tested, or inspected. The first part of the proposed change is designed to achieve high assurance that the systems within the scope of the Rule are protected from cyber attacks and has no impact on the probability or consequences of an accident previously evaluated.

The second part of the proposed change is an Implementation Schedule. The third part adds a sentence to the existing FOL license condition for Physical Protection. Both of these changes are administrative and have no impact on the probability or consequences of an accident previously evaluated.

Therefore, it is concluded that this change does not involve a significant increase in the probability or consequences of an accident previously evaluated.


NOC-AE-09002480 Enclosure 1 Page 3 of 5

Criterion 2: The proposed change does not create the possibility of a new or different kind of accident from any accident previously evaluated.

The proposed change is required by § 73.54 and includes three parts. The first part is the submittal of the Plan for NRC review and approval. The Plan was derived from the template provided by NEI 08-09 and provides a description of how the requirements of the Rule will be implemented at the South Texas Project. The Plan establishes the licensing basis for the STPNOC Cyber Security Program for the South Texas Project. The Plan establishes how to achieve high assurance that nuclear power plant digital computer and communication systems and networks associated with the following are adequately protected against cyber attacks up to and including the design basis threat:

1. Safety-related and important-to-safety functions,
2. Security functions,
3. Emergency preparedness functions including offsite communications,
4. Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.

Part one of the proposed change is designed to achieve high assurance that the systems within the scope of the Rule are protected from cyber attacks. The Plan itself does not require any plant modifications. However, the Plan does describe how plant modifications involving digital computer systems are reviewed to provide high assurance of adequate protection against cyber attacks, up to and including the design-basis threat defined in the Rule. The proposed change does not alter the plant configuration, require new plant equipment to be installed, alter accident analysis assumptions, add any initiators, or affect the function of plant systems or the manner in which systems are operated, maintained, modified, tested, or inspected. The first part of the proposed change is designed to achieve high assurance that the systems within the scope of the Rule are protected from cyber attacks and does not create the possibility of a new or different kind of accident from any previously evaluated.

The second part of the proposed change is an Implementation Schedule. The third part adds a sentence to the existing FOL license condition for Physical Protection. Both of these changes are administrative and do not create the possibility of a new or different kind of accident from any previously evaluated.

Therefore, the proposed change does not create the possibility of a new or different kind of accident from any previously evaluated.

Criterion 3: The proposed change does not involve a significant reduction in a margin of safety.

The proposed change is required by § 73.54 and includes three parts. The first part is the submittal of the Plan for NRC review and approval. The Plan was derived from the template provided by NEI 08-09 and provides a description of how the requirements of the Rule will be implemented at the South Texas Project. The Plan establishes the licensing basis for the STPNOC Cyber Security Program for the South Texas Project. The Plan establishes how to achieve high assurance that nuclear power plant digital computer and communication systems and networks associated with the following are adequately protected against cyber attacks up to and including the design basis threat:

NOC-AE-09002480 Enclosure 1 Page 4 of 5

1. Safety-related and important-to-safety functions,
2. Security functions,
3. Emergency preparedness functions including offsite communications,
4. Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.

Part one of the proposed change is designed to achieve high assurance that the systems within the scope of the Rule are protected from cyber attacks. Plant safety margins are established through Limiting Conditions for Operation, Limiting Safety System Settings and Safety Limits specified in the Technical Specifications. Because there is no change to these established safety margins, the proposed change does not involve a significant reduction in a margin of safety.

The second part of the proposed change is an Implementation Schedule. The third part adds a sentence to the existing FOL license condition for Physical Protection. Both of these changes are administrative and do not involve a significant reduction in a margin of safety.

Therefore, the proposed change does not involve a significant reduction in a margin of safety.

Based on the above, STPNOC concludes that the proposed change presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and accordingly, a finding of no significant hazards consideration is justified.

4.3 CONCLUSION

In conclusion, based on the considerations discussed above: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner; (2) such activities will be conducted in compliance with the Commission's regulations; and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

5.0 ENVIRONMENTAL CONSIDERATION

The proposed amendment establishes the licensing basis for a Cyber Security Program for the South Texas Project and will be a part of the Physical Security Plan. This proposed amendment will not involve any significant construction impacts. Pursuant to 10 CFR 51.22(b)(12), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.


NOC-AE-09002480 Enclosure 1 Page 5 of 5

6.0 REFERENCES

1. Federal Register Notice, Final Rule 10 CFR Part 73, Power Reactor Security Requirements, published on March 27, 2009, 74 FR 13926.
2. EA-02-026, Order Modifying Licenses, Safeguards and Security Plan Requirements, issued February 25, 2002.


NOC-AE-09002480 Enclosure 1 Attachment 1 Page 1 of 4

Attachment 1
Operating Licenses Marked with Proposed Changes

NOC-AE-09002480 Enclosure 1 Attachment 1 Page 2 of 4

SOUTH TEXAS LICENSE

(1) The facility has been granted a schedular exemption from Section 50.71(e)(3)(i) of 10 CFR 50 to extend the date for submittal of the updated Final Safety Analysis Report to no later than one year after the date of issuance of a low power license for the South Texas Project, Unit 2. This exemption is effective until August 1990. The staff's environmental assessment was published on December 16, 1987 (52 FR 47805).

E. Fire Protection

STPNOC shall implement and maintain in effect all provisions of the approved fire protection program as described in the Final Safety Analysis Report through Amendment No. 55 and the Fire Hazards Analysis Report through Amendment No. 18, and submittals dated April 29, May 7, 8 and 29, June 11, 25 and 26, 1987, and as approved in the SER (NUREG-0781) dated April 1986 and its Supplements, subject to the following provision:

STPNOC may make changes to the approved fire protection program without prior approval of the Commission, only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire.

F. Physical Security

STPNOC shall fully implement and maintain in effect all provisions of the physical security, guard training and qualification, and safeguards contingency plans previously approved by the Commission and all amendments and revisions to such plans made pursuant to the authority under 10 CFR 50.90 and 10 CFR 50.54(p).

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822), and the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains Safeguards Information protected under 10 CFR 73.21, is entitled: "South Texas Project Electric Generating Station Security, Training and Qualification, and Safeguards Contingency Plan, Revision 2" submitted by letters dated May 17 and 18, 2006.

[Proposed insertion:] STPNOC shall fully implement and maintain in effect all provisions of the Commission-approved STPNOC Cyber Security Plan submitted by letter dated November XX, 2009 and withheld from public disclosure in accordance with 10 CFR 2.390.

Amendment No.


NOC-AE-09002480 Enclosure 1 Attachment 1 Page 3 of 4

SOUTH TEXAS LICENSE

G. Not Used

H. Financial Protection

The owners shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims.

I. Effective Date and Expiration

This license is effective as of the date of issuance and shall expire at midnight on August 20, 2027.

FOR THE NUCLEAR REGULATORY COMMISSION

original signed by
Thomas E. Murley, Director
Office of Nuclear Reactor Regulation

Enclosures:

1. Appendix A, Technical Specifications (NUREG-1305)
2. Appendix B, Environmental Protection Plan

Date of Issuance: March 22, 1988

Amendment No.


NOC-AE-09002480 Enclosure 1 Attachment 1 Page 4 of 4

(2) The facility was previously granted exemption from the criticality monitoring requirements of 10 CFR 70.24 (See Materials License No. SNM-1983 dated August 30, 1988 and Section III.E. of the SER dated August 30, 1988). The South Texas Project Unit 2 is hereby exempted from the criticality monitoring provisions of 10 CFR 70.24 as applied to fuel assemblies held under this license.

(3) The facility requires a temporary exemption from the schedular requirements of the decommissioning planning rule, 10 CFR 50.33(k) and 10 CFR 50.75. The justification for this exemption is contained in Section 22.2 of Supplement 6 to the Safety Evaluation Report. The staff's environmental assessment was published on December 16, 1988 (53 FR 50604). Therefore, pursuant to 10 CFR 50.12(a)(1), 50.12(a)(2)(ii) and 50.12(a)(2)(v), the South Texas Project, Unit 2 is hereby granted a temporary exemption from the schedular requirements of 10 CFR 50.33(k) and 10 CFR 50.75 and is required to submit the decommissioning plan for both South Texas Project, Units 1 and 2 on or before July 26, 1990.

E. Fire Protection

STPNOC shall implement and maintain in effect all provisions of the approved fire protection program as described in the Final Safety Analysis Report through Amendment No. 62 and the Fire Hazards Analysis Report through Amendment No. 18, and submittals dated April 29, May 7, 8 and 29, June 11, 25, and 26, 1987, and as approved in the SER (NUREG-0781) dated April 1986 and its Supplements, subject to the following provisions:

STPNOC may make changes to the approved fire protection program without prior approval of the Commission, only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire.

F. Physical Security

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822), and the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains Safeguards Information protected under 10 CFR 73.21, is entitled: "South Texas Project Electric Generating Station Security, Training and Qualification, and Safeguards Contingency Plan, Revision 2" submitted by letters dated May 17 and 18, 2006.

[Proposed insertion:] STPNOC shall fully implement and maintain in effect all provisions of the Commission-approved STPNOC Cyber Security Plan submitted by letter dated November 23, 2009 and withheld from public disclosure in accordance with 10 CFR 2.390.

G. Not Used

Amendment No.


NOC-AE-09002480 Attachment 2 Page 1 of 4

Attachment 2
STPNOC Cyber Security Plan Implementation Schedule

TASK: The analysis of digital computer systems and networks in accordance with Section 3 of the Applicant Cyber Security Plan shall be performed and results documented as required.

COMPLETION DATE: 36 months after NRC approval of Cyber Security Plan.

The basis for completion:

a. Establish the cyber security roles and responsibilities to preclude conflict during both normal and emergency conditions. Augment procedures to establish separation of functions amongst divisions as needed to eliminate conflicts of interest, and to ensure independence in the responsibilities.
i. Cyber Security Sponsor

ii. Cyber Security Program Manager

iii. Cyber Security Specialists
b. Reassess the composition of the Cyber Security Assessment Team.
i. Identify necessary competencies and individuals.

ii. Establish roles and responsibilities.

iii. Train team on the cyber security plan, defensive strategy, cyber security policies and procedures.

c. Reassess the composition of the Cyber Security Incident Response Team (CSIRT).
i. Identify necessary competencies and individuals.

ii. Establish roles and responsibilities.

iii. Train team on the cyber security plan, defensive strategy, cyber security policies and procedures.

d. Modification of STPNOC cyber security oversight processes, procedures and forms including, but not limited to,
i. OPGP03-ZS-0013 Cyber Security Assessment of Digital Assets

ii. OPGP03-ZS-0012 Cyber Security Program

iii. OPGP03-ZS-0014 Cyber Security Incident Response

iv. OPGP07-ZA-0014 Software Quality Assurance Program

v. OPGP07-ZA-0017 Control of Firewalls

NOC-AE-09002480 Attachment 2 Page 2 of 4

vi. STP Defensive Strategy

vii. OPGP03-ZC-0004 Measuring and Test Equipment Control Program

viii. OPGP04-ZE-0309 Design Change Package

e. Develop policies and implementing procedures for the Technical, Operational, and Management cyber security controls in NEI 08-09 Rev 3 Appendices D & E.
f. Develop contract to perform independent gap analysis of NEI 08-09 Rev 3 and 10 CFR 73.54 against our Cyber Security Program, Cyber Security Plan, policies, procedures and the defensive strategy.
g. Identify and document systems, equipment, communication systems and networks that are associated with the SSEP functions (Safety, Important to Safety, Security, and Emergency Preparedness functions described in 10 CFR 73.54(a)(1)), as well as the support systems associated with these SSEP functions.
h. Write design basis requirements for STP databases.
i. Conduct reviews and perform validation activities in accordance with the Cyber Security Plan.
j. Conduct detailed assessments for each CDA.
i. Perform 100% CDA walk-downs or electronic validation.

ii. Disposition all security controls and defensive strategy for each CDA.

iii. Identify gaps in the security controls and defensive strategy for each CDA.

iv. Document gaps in security controls and the defensive strategy for each CDA.


NOC-AE-09002480 Attachment 2 Page 3 of 4

TASK: For cyber security controls that have been identified for implementation by the process described in Section 3, an implementation plan shall be prepared and available for NRC inspection.

COMPLETION DATE: 48 months after NRC approval of Cyber Security Plan.

The basis for completion:

a. Perform a detailed review of the security control gaps identified during the assessment.
b. Research alternatives and options for remediation.
i. Ensure approval by the CSAT for acceptance.

ii. Ensure Security Controls are consistent with the Security Control requirements of Appendix D & E of NEI 08-09 Rev 3.
c. Develop a detailed action plan, schedule and budget for remediation of gaps identified for each CDA.
i. Design

ii. Implementation

iii. Post Implementation verification/validation
d. Obtain Station Management approval for each modification including necessary budgets.
e. A detailed schedule will be available on-site for NRC review. This schedule allows proper planning for design, installation, post implementation verification / validation by CSAT.
f. Cyber security program training is modified and conducted.


NOC-AE-09002480 Attachment 2 Page 4 of 4

TASK: The elements to establish, implement, and maintain the Cyber Security Program as described in Section 4 of the Applicant Cyber Security Plan for Units 1 & 2 shall be implemented.

COMPLETION DATE: 60 months after NRC approval of Cyber Security Plan.

The basis for completion:

a. Execute the remediation plan per schedule.
b. The detailed schedule will be updated and available for on-site NRC inspection, and addresses current status of all mitigation activities.
c. Execute and complete the on-going monitoring and assessment plan for each CDA.
d. This commitment includes, where necessary, the update of existing and/or development of new policies and procedures for the post implementation, operational and maintenance phase including: Incident Handling and Response including threat/vulnerability mitigation; CDA specific monitoring requirements; Operational Experience program; update of the defensive strategy, and necessary training developed and completed.
e. At the conclusion of this commitment period, the cyber security program would be implemented. Those specific mitigations that require completion beyond this commitment period will be planned, budgeted, and scheduled.


NOC-AE-09002480 Attachment 3 Page 1 of 1

Attachment 3
Commitments

COMMITMENT: STPNOC will have implemented the requirements of 10 CFR 73.54.

DUE DATE: 60 months after NRC approval of the STPNOC Cyber Security Plan.

CR #: 09-10761-6