ML110630359: Request for Additional Information Related to License Amendment Request for Approval of Cyber Security Plan

Issue date: 03/07/2011
From: Feintuch K, NRC/NRR/DORL/LPLIII-1 (Plant Licensing Branch III-1)
To: Heacock D, Dominion Energy Kewaunee, Inc., Dominion Nuclear Connecticut, Inc., Dominion Nuclear North Anna, LLC
Sites: Kewaunee, Millstone, North Anna, Surry
Docket: 05000305, 05000280, 05000281, 05000336, 05000338, 05000339, 05000423
License number: DPR-043, DPR-032, DPR-037, DPR-065, NPF-004, NPF-007, NPF-049
Contact person: Feintuch K, NRR/DORL/LPL3-1, 415-3079
Case reference number: TAC ME4319, TAC ME4320, TAC ME4321, TAC ME4322, TAC ME4323, TAC ME4324, TAC ME4325, FOIA/PA-2011-0115
Document type: Request for Additional Information (RAI), Letter
Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

March 7, 2011

Mr. David A. Heacock
President and Chief Nuclear Officer
Dominion Nuclear
5000 Dominion Blvd.
Glen Allen, VA 23060-6711

SUBJECT:

KEWAUNEE POWER STATION, MILLSTONE POWER STATION UNITS 2 AND 3, NORTH ANNA POWER STATION UNITS 1 AND 2, SURRY POWER STATION UNITS 1 AND 2 - REQUEST FOR ADDITIONAL INFORMATION RELATED TO LICENSE AMENDMENT REQUEST FOR APPROVAL OF CYBER SECURITY PLAN (TAC NOS. ME4319, ME4320, ME4321, ME4322, ME4323, ME4324, AND ME4325)

Dear Mr. Heacock:

By letter to the U.S. Nuclear Regulatory Commission (NRC) dated November 20, 2009 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML093360247), as supplemented by letters dated July 12, 2010 (ADAMS Accession No. ML102010091), August 5, 2010 (ADAMS Accession No. ML102210284), September 23, 2010 (ADAMS Accession No. ML102670641), November 10, 2010 (ADAMS Accession No. ML103160422), and December 13, 2010 (ADAMS Accession No. ML103560083), Dominion Energy Kewaunee, Inc., Dominion Nuclear Connecticut, Inc., and Virginia Electric and Power Company (collectively, the Dominion licensees) submitted amendments requesting NRC approval of a common fleet Cyber Security Plan.

The NRC staff is reviewing your submittal and has determined that additional information is required to complete the review. By monitored fax transmission on February 22, 2011, the draft Request for Additional Information (RAI) items were sent to Margaret Earle, a member of your staff.

Subsequent to that transmittal, we are confirming that those RAI items (see Enclosure) are the final version to which to respond and that the requested date for the response is 30 days after the date of this letter (or the first workday thereafter, if the date falls on a weekend). The enclosed RAI items were reviewed in accordance with the guidance provided in 10 CFR Section 2.390. The NRC staff has determined that no security-related or proprietary information is contained therein. Further, it was agreed that you would include the full text of each RAI item with your response as a record of these RAI items.

The NRC staff considers that timely responses to requests for additional information help ensure that sufficient time is available for staff review and contribute toward the NRC's goal of efficient and effective use of staff resources. If circumstances result in the need to revise the requested response date, please contact me at (301) 415-3079.

Sincerely,

Karl D. Feintuch, Project Manager
Plant Licensing Branch III-1
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket Nos. 50-305, 50-336, 50-423, 50-338, 50-339, 50-280, and 50-281

Enclosure: As stated

cc w/encl: Distribution via ListServ

REQUEST FOR ADDITIONAL INFORMATION (RAI) REGARDING APPROVAL OF THE CYBER SECURITY PLAN

KEWAUNEE POWER STATION, MILLSTONE POWER STATION UNITS 2 AND 3, NORTH ANNA POWER STATION UNITS 1 AND 2, SURRY POWER STATION UNITS 1 AND 2

DOCKET NOS. 50-305, 50-336, 50-423, 50-338, 50-339, 50-280, AND 50-281

RAI 1: Records Retention

Title 10 of the Code of Federal Regulations (10 CFR) Paragraph 73.54(c)(2) requires licensees to design a cyber security program to ensure the capability to detect, respond to, and recover from cyber attacks. Furthermore, 10 CFR 73.54(e)(2)(i) requires licensees to maintain a cyber security plan that describes how the licensee will maintain the capability for timely detection and response to cyber attacks. The ability for a licensee to detect and respond to cyber attacks requires accurate and complete records and is further supported by 10 CFR 73.54(h), which states that the licensee shall retain all records and supporting technical documentation required to satisfy the requirements of 10 CFR Section 73.54 as a record until the Commission terminates the license for which the records were developed, and shall maintain superseded portions of these records for at least 3 years after the record is superseded, unless otherwise specified by the Commission.

The licensee's Cyber Security Plan (CSP) in Section 4.13 states that Critical Digital Asset (CDA) audit records and audit data (e.g., operating system logs, network device logs) are retained for a period of time that is less than what is required by 10 CFR 73.54(h).

Explain the deviation from the 10 CFR 73.54(h) requirement to retain records and supporting technical documentation until the Commission terminates the license (or to maintain superseded portions of these records for at least 3 years) and how that meets the requirements of 10 CFR 73.54.

RAI 2: Implementation Schedule

The regulation at 10 CFR 73.54, "Protection of digital computer and communication systems and networks," requires licensees to submit a CSP that satisfies the requirements of this section for Commission review and approval. Furthermore, each submittal must include a proposed implementation schedule, and the implementation of the licensee's cyber security program must be consistent with the approved schedule. Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat.

The completion of several key intermediate milestones (Items (a) through (g) below) would demonstrate progress toward meeting the requirements of 10 CFR 73.54. The Nuclear Regulatory Commission (NRC) staff's expectation is that the key intermediate milestones will be completed in a timely manner, but no later than December 31, 2012. The key CSP implementation milestones are as follows:

(a) Establish, train and qualify Cyber Security Assessment Team, as described in Section 3.1.2, "Cyber Security Assessment Team," of the CSP.

(b) Identify Critical Systems and CDAs, as described in Section 3.1.3, "Identification of Critical Digital Assets," of the CSP.

(c) Implement cyber security defense-in-depth architecture by installation of [deterministic one-way devices], as described in Section 4.3, "Defense-In-Depth Protective Strategies," of the CSP.

(d) Implement the management, operational and technical cyber security controls that address attacks promulgated by use of portable media, portable devices, and portable equipment as described in Appendix D Section 1.19 "Access Control for Portable and Mobile Devices," of Nuclear Energy Institute (NEI) 08-09, Revision 6.

(e) Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds as described in Appendix E Section 4.3, "Personnel Performing Maintenance and Testing Activities," and Appendix E Section 10.3, "Baseline Configuration" of NEI 08-09, Revision 6.

(f) Identify, document, and implement cyber security controls to physical security target set CDAs in accordance with Section 3.1.6, "Mitigation of Vulnerabilities and Application of Cyber Security Controls," of the CSP.

(g) Ongoing monitoring and assessment activities will commence for those target set CDAs whose security controls have been implemented, as described in Section 4.4, "Ongoing Monitoring and Assessment," of the CSP.

(h) Full implementation of the CSP for all safety, security, and emergency preparedness functions.

Provide a revised CSP implementation schedule that identifies the appropriate milestones, completion dates, supporting rationale, and level of detail to allow the NRC to evaluate the licensee's proposed schedule and associated milestone dates which include the final completion date. It is the NRC's intention to develop a license condition incorporating your revised CSP implementation schedule containing the key milestone dates.

RAI 3: Scope of Systems

Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat as described in 10 CFR 73.1. In addition, 10 CFR 73.54(a)(1) states that the licensee shall protect digital computer and communication systems and networks associated with:

(i) Safety-related and important-to-safety functions;
(ii) Security functions;
(iii) Emergency preparedness functions, including offsite communications; and
(iv) Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.

Subsequent to the issuance of the cyber security rule, the NRC stated that 10 CFR 73.54 should be interpreted to include structures, systems, and components (SSCs) in the balance of plant (BOP) that have a nexus to radiological health and safety (Agencywide Documents Access and Management System (ADAMS) Accession No. ML103490344, dated November 19, 2010). The SSCs in the BOP are those that could directly or indirectly affect reactivity of a nuclear power plant and could result in an unplanned reactor shutdown or transient and are therefore, within the scope of important-to-safety functions described in 10 CFR 73.54(a)(1).

Furthermore, the NRC issued a letter to NEI dated January 5, 2011 (ADAMS Accession No. ML103550480) that provided licensees with additional guidance on one acceptable approach to comply with the Commission's policy determination.

Explain how the scoping of systems provided by the licensee's CSP meets the requirements of 10 CFR 73.54 and the additional guidance provided by the NRC.

DISTRIBUTION:
PUBLIC
LPL3-1 R/F
RidsNrrDorlDpr Resource
PPederson, NSIR
RidsNrrDorlLpl3-1 Resource
RidsAcrsAcnw_MailCTR Resource
RidsNRRPMMilstone Resource
RidsNRRPMKewaunee Resource
RidsOgcRp Resource
RidsNRRPMNorthAnna Resource
RidsNrrLABTully Resource
RidsRgn3MailCenter Resource
RidsNRRPMSurry Resource

ADAMS Accession Number: ML110630359

OFFICE   LPL3-1/PM    LPL3-1/LA    NSIR/DSP/ISCPB/BC    LPL3-1/BC
NAME     KFeintuch    BTully       CErlanger*           RPascarelli
DATE     03/04/11     03/04/11     02/18/11             03/07/11

*via memo dated 2/18/11

OFFICIAL RECORD COPY