|
|
(2 intermediate revisions by the same user not shown) |
Line 3: |
Line 3: |
| | issue date = 02/24/2011 | | | issue date = 02/24/2011 |
| | title = Revised Cyber Security Plan - Request for Additional Information | | | title = Revised Cyber Security Plan - Request for Additional Information |
| | author name = Chawla M L | | | author name = Chawla M |
| | author affiliation = NRC/NRR/DORL/LPLIII-1 | | | author affiliation = NRC/NRR/DORL/LPLIII-1 |
| | addressee name = Hassoun A I | | | addressee name = Hassoun A |
| | addressee affiliation = Detroit Edison | | | addressee affiliation = Detroit Edison |
| | docket = 05000341 | | | docket = 05000341 |
Line 17: |
Line 17: |
|
| |
|
| =Text= | | =Text= |
| {{#Wiki_filter:From: Chawla, Mahesh Sent: Thursday, February 24, 2011 2:19 PM To: Alan I Hassoun Cc: Erlanger, Craig; Pederson, Perry; Wengert, Thomas; Singal, Balwant; Pascarelli, Robert | | {{#Wiki_filter:From: Chawla, Mahesh Sent: Thursday, February 24, 2011 2:19 PM To: Alan I Hassoun Cc: Erlanger, Craig; Pederson, Perry; Wengert, Thomas; Singal, Balwant; Pascarelli, Robert |
|
| |
|
| ==Subject:== | | ==Subject:== |
| Fermi 2 - Revised Cyber Security Plan - Request for Additional Information This is in reference to your revised application dated July 27, 2010 (ADAMs Accession No. ML102110113). The NRC staff would need the following information to process the subject application. A letter documenting this additional request will be sent to you shortly. Please review the information request below and let us know if you need to have a teleconference with the staff: RAI 1: Records Retention Title 10 of the Code of Federal Regulations (10 CFR) Paragraph 73.54(c)(2) requires licensees to design a cyber security program to ensure the capability to detect, respond to, and recover from cyber attacks. Furthermore, 10 CFR 73.54(e)(2)(i) requires licensees to maintain a cyber security plan that describes how the licensee will maintain the capability for timely detection and response to cyber attacks. The ability for a licensee to detect and respond to cyber attacks requires accurate and complete records and is further supported by 10 CFR 73.54(h), which states that the licensee shall retain all records and supporting technical documentation required to satisfy the requirements of 10 CFR Section 73.54 as a record until the Commission terminates the license for which the records were developed, and shall maintain superseded portions of these records for at least 3 years after the record is superseded, unless otherwise specified by the Commission. The licensee's Cyber Security Plan (CSP) in Section [4.13] states that Critical Digital Asset (CDA) audit records and audit data (e.g., operating system logs, network device logs) are retained for a period of time that is less than what is required by 10 CFR 73.54(h). 
Explain the deviation from the 10 CFR 73.54(h) requirement to retain records and supporting technical documentation until the Commission terminates the license (or to maintain superseded portions of these records for at least 3 years) and how that meets the requirements of 10 CFR 73.54. RAI 2: Implementation Schedule The regulation at 10 CFR 73.54, "Protection of digital computer and communication systems and networks," requires licensees to submit a CSP that satisfies the requirements of this section for Commission review and approval. Furthermore, each submittal must include a proposed implementation schedule and the implementation of the licensee's cyber security program must be consistent with the approved schedule. Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat. The completion of several key intermediate milestones (Items (a) through (g) below) would demonstrate progress toward meeting the requirements of 10 CFR 73.54. The Nuclear Regulatory Commission (NRC) staff's expectation is that the key intermediate milestones will be completed in a timely manner, but no later than December 31, 2012. The key CSP implementation milestones are as follows: (a) Establish, train and qualify Cyber Security Assessment Team, as described in Section 3.1.2, "Cyber Security Assessment Team," of the CSP. (b) Identify Critical Systems and CDAs, as described in Section 3.1.3, "Identification of Critical Digital Assets," of the CSP. | | Fermi 2 - Revised Cyber Security Plan - Request for Additional Information This is in reference to your revised application dated July 27, 2010 (ADAMs Accession No. ML102110113). The NRC staff would need the following information to process the subject application. A letter documenting this additional request will be sent to you shortly. 
Please review the information request below and let us know if you need to have a teleconference with the staff: |
| (c) Implement cyber security defense-in-depth architecture by installation of [deterministic one-way] devices, as described in Section 4.3, "Defense-In-Depth Protective Strategies" of the CSP. (d) Implement the management, operational and technical cyber security controls that address attacks promulgated by use of portable media, portable devices, and portable equipment as described in Appendix D Section 1.19 "Access Control for Portable and Mobile Devices," of Nuclear Energy Institute (NEI) 08-09, Revision 6. (e) Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds as described in Appendix E Section 4.3, "Personnel Performing Maintenance and Testing Activities," and Appendix E Section 10.3, "Baseline Configuration" of NEI 08-09, Revision 6. (f) Identify, document, and implement cyber security controls to physical security target set CDAs in accordance with Section 3.1.6, "Mitigation of Vulnerabilities and Application of Cyber Security Controls," of the CSP. (g) Ongoing monitoring and assessment activities will commence for those target set CDAs whose security controls have been implemented, as described in Section 4.4, "Ongoing Monitoring and Assessment," of the CSP (h) Full implementation of the CSP for all safety, security, and emergency preparedness functions. | | RAI 1: Records Retention Title 10 of the Code of Federal Regulations (10 CFR) Paragraph 73.54(c)(2) requires licensees to design a cyber security program to ensure the capability to detect, respond to, and recover from cyber attacks. Furthermore, 10 CFR 73.54(e)(2)(i) requires licensees to maintain a cyber security plan that describes how the licensee will maintain the capability for timely detection and response to cyber attacks. 
The ability for a licensee to detect and respond to cyber attacks requires accurate and complete records and is further supported by 10 CFR 73.54(h), which states that the licensee shall retain all records and supporting technical documentation required to satisfy the requirements of 10 CFR Section 73.54 as a record until the Commission terminates the license for which the records were developed, and shall maintain superseded portions of these records for at least 3 years after the record is superseded, unless otherwise specified by the Commission. |
| Provide a revised CSP implementation schedule that identifies the appropriate milestones, completion dates, supporting rationale, and level of detail to allow the NRC to evaluate the licensee's proposed schedule and associated milestone dates which include the final completion date. It is the NRC's intention to develop a license condition incorporating your revised CSP implementation schedule containing the key milestone dates. RAI 3: Scope of Systems Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat as described in 10 CFR 73.1. In addition, 10 CFR 73.54(a)(1) states that the licensee shall protect digital computer and communication systems and networks associated with: (i) Safety-related and important-to-safety functions; (ii) Security functions; (iii) Emergency preparedness functions, including offsite communications; and (iv) Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions. | | The licensees Cyber Security Plan (CSP) in Section [4.13] states that Critical Digital Asset (CDA) audit records and audit data (e.g., operating system logs, network device logs) are retained for a period of time that is less than what is required by 10 CFR 73.54(h). |
| Subsequent to the issuance of the cyber security rule, the NRC stated that 10 CFR 73.54 should be interpreted to include structures, systems, and components (SSCs) in the balance of plant (BOP) that have a nexus to radiological health and safety (Agencywide Documents Access and Management System (ADAMS) Accession No. ML103490344, dated November 19, 2010). The SSCs in the BOP are those that could directly or indirectly affect reactivity of a nuclear power plant and could result in an unplanned reactor shutdown or transient and are therefore, within the scope of important-to-safety functions described in 10 CFR 73.54(a)(1). Furthermore, the NRC issued a letter to NEI dated January 5, 2011 (ADAMS Accession No. ML103550480) that provided licensees with additional guidance on one acceptable approach to comply with the Commission's policy determination. Explain how the scoping of systems provided by [site/licensee]'s CSP meets the requirements of 10 CFR 73.54 and the additional guidance provided by the NRC.}} | | Explain the deviation from the 10 CFR 73.54(h) requirement to retain records and supporting technical documentation until the Commission terminates the license (or to maintain superseded portions of these records for at least 3 years) and how that meets the requirements of 10 CFR 73.54. |
| | RAI 2: Implementation Schedule The regulation at 10 CFR 73.54, Protection of digital computer and communication systems and networks, requires licensees to submit a CSP that satisfies the requirements of this section for Commission review and approval. Furthermore, each submittal must include a proposed implementation schedule and the implementation of the licensees cyber security program must be consistent with the approved schedule. Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat. |
| | The completion of several key intermediate milestones (Items (a) through (g) below) would demonstrate progress toward meeting the requirements of 10 CFR 73.54. The Nuclear Regulatory Commission (NRC) staffs expectation is that the key intermediate milestones will be |
| | |
| | completed in a timely manner, but no later than December 31, 2012. The key CSP implementation milestones are as follows: |
| | (a) Establish, train and qualify Cyber Security Assessment Team, as described in Section 3.1.2, Cyber Security Assessment Team, of the CSP. |
| | (b) Identify Critical Systems and CDAs, as described in Section 3.1.3, Identification of Critical Digital Assets, of the CSP. |
| | (c) Implement cyber security defense-in-depth architecture by installation of [deterministic one-way] devices, as described in Section 4.3, Defense-In-Depth Protective Strategies of the CSP. |
| | (d) Implement the management, operational and technical cyber security controls that address attacks promulgated by use of portable media, portable devices, and portable equipment as described in Appendix D Section 1.19 Access Control for Portable and Mobile Devices, of Nuclear Energy Institute (NEI) 08-09, Revision 6. |
| | (e) Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds as described in Appendix E Section 4.3, Personnel Performing Maintenance and Testing Activities, and Appendix E Section 10.3, Baseline Configuration of NEI 08-09, Revision 6. |
| | (f) Identify, document, and implement cyber security controls to physical security target set CDAs in accordance with Section 3.1.6, Mitigation of Vulnerabilities and Application of Cyber Security Controls, of the CSP. |
| | (g) Ongoing monitoring and assessment activities will commence for those target set CDAs whose security controls have been implemented, as described in Section 4.4, Ongoing Monitoring and Assessment, of the CSP (h) Full implementation of the CSP for all safety, security, and emergency preparedness functions. |
| | Provide a revised CSP implementation schedule that identifies the appropriate milestones, completion dates, supporting rationale, and level of detail to allow the NRC to evaluate the licensees proposed schedule and associated milestone dates which include the final completion date. It is the NRCs intention to develop a license condition incorporating your revised CSP implementation schedule containing the key milestone dates. |
| | RAI 3: Scope of Systems Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat as described in 10 CFR 73.1. In addition, 10 CFR 73.54(a)(1) states that the licensee shall protect digital computer and communication systems and networks associated with: |
| | (i) Safety-related and important-to-safety functions; (ii) Security functions; |
| | |
| | (iii) Emergency preparedness functions, including offsite communications; and (iv) Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions. |
| | |
| | Subsequent to the issuance of the cyber security rule, the NRC stated that 10 CFR 73.54 should be interpreted to include structures, systems, and components (SSCs) in the balance of plant (BOP) that have a nexus to radiological health and safety (Agencywide Documents Access and Management System (ADAMS) Accession No. ML103490344, dated November 19, 2010). The SSCs in the BOP are those that could directly or indirectly affect reactivity of a nuclear power plant and could result in an unplanned reactor shutdown or transient and are therefore, within the scope of important-to-safety functions described in 10 CFR 73.54(a)(1). |
| | Furthermore, the NRC issued a letter to NEI dated January 5, 2011 (ADAMS Accession No. ML103550480) that provided licensees with additional guidance on one acceptable approach to comply with the Commissions policy determination. |
| | Explain how the scoping of systems provided by [site/licensee]s CSP meets the requirements of 10 CFR 73.54 and the additional guidance provided by the NRC.}} |
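Review bot: the new revision (right column) drops every apostrophe and the quotation marks around section titles that the old revision (left column) carried, for example "The licensee's Cyber Security Plan" becomes "The licensees Cyber Security Plan", "staff's expectation" becomes "staffs expectation", and the title "Protection of digital computer and communication systems and networks," loses its quotes; restore them when splitting the text into paragraphs. The paragraph split also breaks one sentence across two rows with an empty row between ("will be" / "completed in a timely manner") and leaves milestones (g) and (h) on a single row, with (g) still missing its closing period; each milestone should sit on its own row as (a) through (f) do.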
Text
From: Chawla, Mahesh
Sent: Thursday, February 24, 2011 2:19 PM
To: Alan I Hassoun
Cc: Erlanger, Craig; Pederson, Perry; Wengert, Thomas; Singal, Balwant; Pascarelli, Robert
Subject:
Fermi 2 - Revised Cyber Security Plan - Request for Additional Information
This is in reference to your revised application dated July 27, 2010 (ADAMS Accession No. ML102110113). The NRC staff would need the following information to process the subject application. A letter documenting this additional request will be sent to you shortly. Please review the information request below and let us know if you need to have a teleconference with the staff:
RAI 1: Records Retention
Title 10 of the Code of Federal Regulations (10 CFR) Paragraph 73.54(c)(2) requires licensees to design a cyber security program to ensure the capability to detect, respond to, and recover from cyber attacks. Furthermore, 10 CFR 73.54(e)(2)(i) requires licensees to maintain a cyber security plan that describes how the licensee will maintain the capability for timely detection and response to cyber attacks. The ability for a licensee to detect and respond to cyber attacks requires accurate and complete records and is further supported by 10 CFR 73.54(h), which states that the licensee shall retain all records and supporting technical documentation required to satisfy the requirements of 10 CFR Section 73.54 as a record until the Commission terminates the license for which the records were developed, and shall maintain superseded portions of these records for at least 3 years after the record is superseded, unless otherwise specified by the Commission.
The licensee's Cyber Security Plan (CSP) in Section [4.13] states that Critical Digital Asset (CDA) audit records and audit data (e.g., operating system logs, network device logs) are retained for a period of time that is less than what is required by 10 CFR 73.54(h).
Explain the deviation from the 10 CFR 73.54(h) requirement to retain records and supporting technical documentation until the Commission terminates the license (or to maintain superseded portions of these records for at least 3 years) and how that meets the requirements of 10 CFR 73.54.
RAI 2: Implementation Schedule
The regulation at 10 CFR 73.54, "Protection of digital computer and communication systems and networks," requires licensees to submit a CSP that satisfies the requirements of this section for Commission review and approval. Furthermore, each submittal must include a proposed implementation schedule and the implementation of the licensee's cyber security program must be consistent with the approved schedule. Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat.
The completion of several key intermediate milestones (Items (a) through (g) below) would demonstrate progress toward meeting the requirements of 10 CFR 73.54. The Nuclear Regulatory Commission (NRC) staff's expectation is that the key intermediate milestones will be completed in a timely manner, but no later than December 31, 2012. The key CSP implementation milestones are as follows:
(a) Establish, train and qualify Cyber Security Assessment Team, as described in Section 3.1.2, Cyber Security Assessment Team, of the CSP.
(b) Identify Critical Systems and CDAs, as described in Section 3.1.3, Identification of Critical Digital Assets, of the CSP.
(c) Implement cyber security defense-in-depth architecture by installation of [deterministic one-way] devices, as described in Section 4.3, Defense-In-Depth Protective Strategies, of the CSP.
(d) Implement the management, operational and technical cyber security controls that address attacks promulgated by use of portable media, portable devices, and portable equipment as described in Appendix D, Section 1.19, Access Control for Portable and Mobile Devices, of Nuclear Energy Institute (NEI) 08-09, Revision 6.
(e) Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds as described in Appendix E, Section 4.3, Personnel Performing Maintenance and Testing Activities, and Appendix E, Section 10.3, Baseline Configuration, of NEI 08-09, Revision 6.
(f) Identify, document, and implement cyber security controls to physical security target set CDAs in accordance with Section 3.1.6, Mitigation of Vulnerabilities and Application of Cyber Security Controls, of the CSP.
(g) Ongoing monitoring and assessment activities will commence for those target set CDAs whose security controls have been implemented, as described in Section 4.4, Ongoing Monitoring and Assessment, of the CSP.
(h) Full implementation of the CSP for all safety, security, and emergency preparedness functions.
Provide a revised CSP implementation schedule that identifies the appropriate milestones, completion dates, supporting rationale, and level of detail to allow the NRC to evaluate the licensee's proposed schedule and associated milestone dates which include the final completion date. It is the NRC's intention to develop a license condition incorporating your revised CSP implementation schedule containing the key milestone dates.
RAI 3: Scope of Systems
Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat as described in 10 CFR 73.1. In addition, 10 CFR 73.54(a)(1) states that the licensee shall protect digital computer and communication systems and networks associated with:
(i) Safety-related and important-to-safety functions;
(ii) Security functions;
(iii) Emergency preparedness functions, including offsite communications; and
(iv) Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.
Subsequent to the issuance of the cyber security rule, the NRC stated that 10 CFR 73.54 should be interpreted to include structures, systems, and components (SSCs) in the balance of plant (BOP) that have a nexus to radiological health and safety (Agencywide Documents Access and Management System (ADAMS) Accession No. ML103490344, dated November 19, 2010). The SSCs in the BOP are those that could directly or indirectly affect reactivity of a nuclear power plant and could result in an unplanned reactor shutdown or transient and are, therefore, within the scope of important-to-safety functions described in 10 CFR 73.54(a)(1).
Furthermore, the NRC issued a letter to NEI dated January 5, 2011 (ADAMS Accession No. ML103550480) that provided licensees with additional guidance on one acceptable approach to comply with the Commission's policy determination.
Explain how the scoping of systems provided by [site/licensee]'s CSP meets the requirements of 10 CFR 73.54 and the additional guidance provided by the NRC.