Text

October 8, 2014 Mr. Christopher E. Earls Senior Director, Engineering and Licensing Nuclear Energy Institute 1201 F Street, NW, Suite 1100 Washington, DC 20004

SUBJECT:

NUCLEAR ENERGY INSTITUTE 13-10, CYBER SECURITY CONTROL ASSESSMENTS, REVISION 1, DATED JANUARY 2014

Dear Mr. Earls:

In your letter dated September 30, 2014, you requested that the U.S. Nuclear Regulatory Commission (NRC) staff review and endorse the Nuclear Energy Institutes (NEIs) guidance document NEI 13-10, Cyber Security Control Assessments Revision 1, dated September 2014 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML14276A126). The letter stated that the submitted NEI 13-10, Revision 1 did not change the body of NEI 13-10, but included the industry-developed template and examples for performing the NEI 13-10 analysis. The NRC staff completed its review of the template and the examples based on NEI 13-10, Revision 0 that the NRC found acceptable in its February 3, 2014 letter (ADAM Accession No. ML14031A158) and NEI 08-09, Cyber Security Plan for Nuclear Power Reactors, Revision 6, dated April 2010.

Based on the review, the staff concluded that the template and the examples included in NEI 13-10, Revision 1, are acceptable for use by licensees to document their determinations of whether a critical digital asset is direct or indirect. The licensees determinations are subject to NRC inspection after the licensees complete the implementation of their cyber security programs as described in their cyber security plans.

Please contact Eric Lee at (301) 287-3461 if you have any questions.

Sincerely,

/RA/

Barry Westreich, Director Cyber Security Directorate Office of Nuclear Security and Incident Response

ML14276A110 OFFICE CSD/NSIR DD:CSD/NSIR D:CSD/NSIR NAME ELee RFelts BWestreich DATE 10/03/14 10/06/14 10/8/14