|
|
| (4 intermediate revisions by the same user not shown) |
| Line 2: |
Line 2: |
| | number = ML110540734 | | | number = ML110540734 |
| | issue date = 02/23/2011 | | | issue date = 02/23/2011 |
| | title = Waterford Steam Electric Station, Unit 3 - E-mail, Request for Additional Information, Round 2, License Amendment Request to Revise License Condition and Approve Cyber Security Plan (TAC No. ME4271) | | | title = E-mail, Request for Additional Information, Round 2, License Amendment Request to Revise License Condition and Approve Cyber Security Plan |
| | author name = Kalyanam N K | | | author name = Kalyanam N |
| | author affiliation = NRC/NRR/DORL/LPLIV | | | author affiliation = NRC/NRR/DORL/LPLIV |
| | addressee name = Mosher N B, Steelman W J | | | addressee name = Mosher N, Steelman W |
| | addressee affiliation = Entergy Operations, Inc | | | addressee affiliation = Entergy Operations, Inc |
| | docket = 05000382 | | | docket = 05000382 |
| Line 18: |
Line 18: |
|
| |
|
| =Text= | | =Text= |
| {{#Wiki_filter:From: Kalyanam, Kaly Sent: Wednesday, February 23, 2011 4:55 PM To: MOSHER, NATALIE B; STEELMAN, WILLIAM J Cc: Burkhardt, Janet; Lent, Susan | | {{#Wiki_filter:From: Kalyanam, Kaly Sent: Wednesday, February 23, 2011 4:55 PM To: MOSHER, NATALIE B; STEELMAN, WILLIAM J Cc: Burkhardt, Janet; Lent, Susan |
|
| |
|
| ==Subject:== | | ==Subject:== |
| Request for Additional Information (RAI) on the Cyber Security Plan License Amendment Request (LAR) | | Request for Additional Information (RAI) on the Cyber Security Plan License Amendment Request (LAR) |
| Plant: Waterford Steam Electric Station, Unit 3 Docket No.: 50/382 | | Plant: Waterford Steam Electric Station, Unit 3 Docket No.: 50/382 |
|
| |
|
| ==Subject:== | | ==Subject:== |
| RAI on License Amendment Request, Cyber Security Plan TAC Nos.: ME4271 SUNSI Review Done: Yes. Publicly Available, Normal Release, Non-sensitive, From: N. Kalyanam To: Natalie Mosher / W. Steelman | | RAI on License Amendment Request, Cyber Security Plan TAC Nos.: ME4271 SUNSI Review Done: Yes. Publicly Available, Normal Release, Non-sensitive, From: N. Kalyanam To: Natalie Mosher / W. Steelman Attached is the second set of Cyber Security Plan (CSP) RAIs that the NRC staff has prepared. These RAIs apply to LAR submitted by Entergy Operations Inc. (the licensee) for Arkansas Nuclear One, Unit 1 and Unit 2, on July 15, 2010. A brief background on each RAI is provided below: |
| | | RAI-1 Records Retention This RAI addresses the apparent difference between the NRC staffs and the industrys interpretation of the CSP records retention regulation (10 CFR 73.54(h)). NSIR has been interacting with industrys Nuclear Security Working Group (NSWG) on this aspect of the rule over the past few months. Licensees are being asked to explain further how their submittal (based on NEI 08-09 Rev. 6) complies with the regulation. |
| Attached is the second set of Cyber Security Plan (CSP) RAIs that the NRC staff has prepared. These RAIs apply to LAR submitted by Entergy Operations Inc. (the licensee) for Arkansas Nuclear One, Unit 1 and Unit 2, on July 15, 2010. A brief background on each RAI is provided below: | | RAI-2 Implementation Schedule This RAI requests licensees to resubmit their proposed implementation schedules to align with certain key milestones determined by the staff to be important in the implementation of the CSP. In addition, the staff is informing the licensee of its intention to develop a license condition incorporating the revised CSP implementation schedule. NSIR has been interacting with the NSWG on this issue for some time. |
| | | RAI-3 Scope of Systems This RAI requests licensees to clarify the scope of their CSP, in light of a recent Commission policy decision concerning the structures, systems, and components considered important-to-safety in the balance of plant systems. This issue has had much visibility in the industry, in part because multiple parties (NRC, FERC, NERC) are affected by this. The RAI identifies the key publicly available documents that have been issued by the Commission/staff. |
| RAI-1 Records Retention This RAI addresses the apparent difference between the NRC staff's and the industry's interpretation of the CSP records retention regulation (10 CFR 73.54(h)). NSIR has been interacting with industry's Nuclear Security Working Group (NSWG) on this aspect of the rule over the past few months. Licensee's are being asked to explain further how their submittal (based on NEI 08-09 Rev. 6) complies with the regulation. | | Please advise the staff if you can provide the response in 30 days from the time of the receipt of this request. |
| RAI-2 Implementation Schedule This RAI requests licensees to resubmit their proposed implementation schedules to align with certain key milestones determined by the staff to be important in the implementation of the CSP. In addition, the staff is informing the licensee of its intention to develop a license condition incorporating the revised CSP implementation schedule. NSIR has been interacting with the NSWG on this issue for some time. | |
| | |
| RAI-3 Scope of Systems This RAI requests licensees to clarify the scope of their CSP, in light of a recent Commission policy decision concerning the structures, systems, and components considered important-to-safety in the balance of plant systems. This issue has had much visibility in the industry, in part because multiple parties (NRC, FERC, NERC) are affected by this. The RAI identifies the key publicly available documents that have been issued by the Commission/staff. | |
| Please advise the staff if you can provide the response in 30 days from the time of the receipt of this request. | |
| | |
| Thanks Kaly Generic Request for Additional Information (RAI)
| |
| RAI 1: Records Retention Title 10 of the Code of Federal Regulations (10 CFR) Paragraph 73.54(c)(2) requires licensees to design a cyber security program to ensure the capability to detect, respond to, and recover from cyber attacks. Furthermore, 10 CFR 73.54(e)(2)(i) requires licensees to maintain a cyber security plan that describes how the licensee will maintain the capability for timely detection and response to cyber attacks. The ability for a licensee to detect and respond to cyber attacks requires accurate and complete records and is further supported by 10 CFR 73.54(h), which states that the licensee shall retain all records and supporting technical documentation required to satisfy the requirements of 10 CFR Section 73.54 as a record until the commission terminates the license for which the records were developed, and shall maintain superseded portions of these records for at least 3 years after the record is superseded, unless otherwise specified by the Commission.
| |
| The licensee's Cyber Security Plan (CSP) in Section [4.13] states that Critical Digital Asset (CDA) audit records and audit data (e.g., operating system logs, network device logs) are retained for a period of time that is less than what is required by 10 CFR 73.54(h).
| |
|
| |
|
| | Thanks Kaly Generic Request for Additional Information (RAI) |
| | RAI 1: Records Retention Title 10 of the Code of Federal Regulations (10 CFR) Paragraph 73.54(c)(2) requires licensees to design a cyber security program to ensure the capability to detect, respond to, and recover from cyber attacks. Furthermore, 10 CFR 73.54(e)(2)(i) requires licensees to maintain a cyber security plan that describes how the licensee will maintain the capability for timely detection and response to cyber attacks. The ability for a licensee to detect and respond to cyber attacks requires accurate and complete records and is further supported by 10 CFR 73.54(h), which states that the licensee shall retain all records and supporting technical documentation required to satisfy the requirements of 10 CFR Section 73.54 as a record until the commission terminates the license for which the records were developed, and shall maintain superseded portions of these records for at least 3 years after the record is superseded, unless otherwise specified by the Commission. |
| | The licensees Cyber Security Plan (CSP) in Section [4.13] states that Critical Digital Asset (CDA) audit records and audit data (e.g., operating system logs, network device logs) are retained for a period of time that is less than what is required by 10 CFR 73.54(h). |
| Explain the deviation from the 10 CFR 73.54(h) requirement to retain records and supporting technical documentation until the Commission terminates the license (or to maintain superseded portions of these records for at least 3 years) and how that meets the requirements of 10 CFR 73.54. | | Explain the deviation from the 10 CFR 73.54(h) requirement to retain records and supporting technical documentation until the Commission terminates the license (or to maintain superseded portions of these records for at least 3 years) and how that meets the requirements of 10 CFR 73.54. |
| RAI 2: Implementation Schedule The regulation at 10 CFR 73.54, "Protection of digital computer and communication systems and networks," requires licensees to submit a CSP that satisfies the requirements of this section for Commission review and approval. Furthermore, each submittal must include a proposed implementation schedule and the implementation of the licensee's cyber security program must be consistent with the approved schedule. Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat. | | RAI 2: Implementation Schedule The regulation at 10 CFR 73.54, Protection of digital computer and communication systems and networks, requires licensees to submit a CSP that satisfies the requirements of this section for Commission review and approval. Furthermore, each submittal must include a proposed implementation schedule and the implementation of the licensees cyber security program must be consistent with the approved schedule. Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat. |
| The completion of several key intermediate milestones (Items (a) through (g) below) would demonstrate progress toward meeting the requirements of 10 CFR 73.54. The Nuclear Regulatory Commission (NRC) staff's expectation is that the key intermediate milestones will be completed in a timely manner, but no later than December 31, 2012. The key CSP implementation milestones are as follows: | | The completion of several key intermediate milestones (Items (a) through (g) below) would demonstrate progress toward meeting the requirements of 10 CFR 73.54. The Nuclear Regulatory Commission (NRC) staffs expectation is that the key intermediate milestones will be completed in a timely manner, but no later than December 31, 2012. The key CSP implementation milestones are as follows: |
| | | (a) Establish, train and qualify Cyber Security Assessment Team, as described in Section 3.1.2, Cyber Security Assessment Team, of the CSP. |
| (a) Establish, train and qualify Cyber Security Assessment Team, as described in Section 3.1.2, "Cyber Security Assessment Team," of the CSP. | |
| (b) Identify Critical Systems and CDAs, as described in Section 3.1.3, "Identification of Critical Digital Assets," of the CSP.
| |
| (c) Implement cyber security defense-in-depth architecture by installation of [deterministic one-way] devices, as described in Section 4.3, "Defense-In-Depth Protective Strategies" of the CSP.
| |
| | |
| (d) Implement the management, operational and technical cyber security controls that address attacks promulgated by use of portable media, portable devices, and portable equipment as described in Appendix D Section 1.19 "Access Control for Portable and Mobile Devices," of Nuclear Energy Institute (NEI) 08-09, Revision 6.
| |
| | |
| (e) Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds as described in Appendix E Section 4.3, "Personnel Performing Maintenance and Testing Activities," and Appendix E Section 10.3, "Baseline Configuration" of NEI 08-09, Revision 6.
| |
| (f) Identify, document, and implement cyber security controls to physical security target set CDAs in accordance with Section 3.1.6, "Mitigation of Vulnerabilities and Application of Cyber Security Controls," of the CSP.
| |
| (g) Ongoing monitoring and assessment activities will commence for those target set CDAs whose security controls have been implemented, as described in Section 4.4, "Ongoing Monitoring and Assessment," of the CSP (h) Full implementation of the CSP for all safety, security, and emergency preparedness functions.
| |
| | |
| Provide a revised CSP implementation schedule that identifies the appropriate milestones, completion dates, supporting rationale, and level of detail to allow the NRC to evaluate the licensee's proposed schedule and associated milestone dates which include the final completion date. It is the NRC's intention to develop a license condition incorporating your revised CSP implementation schedule containing the key milestone dates.
| |
| | |
| RAI 3: Scope of Systems Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat as described in 10 CFR 73.1. In addition, 10 CFR 73.54(a)(1) states that the licensee shall protect digital computer and communication systems and networks associated with:
| |
| (i) Safety-related and important-to-safety functions; (ii) Security functions;
| |
| | |
| (iii) Emergency preparedness functions, including offsite communications; and (iv) Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.
| |
|
| |
|
| Subsequent to the issuance of the cyber security rule, the NRC stated that 10 CFR 73.54 should be interpreted to include structures, systems, and components (SSCs) in the balance of plant (BOP) that have a nexus to radiological health and safety (Agencywide Documents Access and Management System (ADAMS) Accession No. ML103490344, dated November 19, 2010). The SSCs in the BOP are those that could directly or indirectly affect reactivity of a nuclear power plant and could result in an unplanned reactor shutdown or transient and are therefore, within the scope of important-to-safety functions described in 10 CFR 73.54(a)(1). Furthermore, the NRC issued a letter to NEI dated January 5, 2011 (ADAMS Accession No. ML103550480) that provided licensees with additional guidance on one acceptable approach to comply with the Commission's policy determination.
| | (b) Identify Critical Systems and CDAs, as described in Section 3.1.3, Identification of Critical Digital Assets, of the CSP. |
| | (c) Implement cyber security defense-in-depth architecture by installation of [deterministic one-way] devices, as described in Section 4.3, Defense-In-Depth Protective Strategies of the CSP. |
| | (d) Implement the management, operational and technical cyber security controls that address attacks promulgated by use of portable media, portable devices, and portable equipment as described in Appendix D Section 1.19 Access Control for Portable and Mobile Devices, of Nuclear Energy Institute (NEI) 08-09, Revision 6. |
| | (e) Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds as described in Appendix E Section 4.3, Personnel Performing Maintenance and Testing Activities, and Appendix E Section 10.3, Baseline Configuration of NEI 08-09, Revision 6. |
| | (f) Identify, document, and implement cyber security controls to physical security target set CDAs in accordance with Section 3.1.6, Mitigation of Vulnerabilities and Application of Cyber Security Controls, of the CSP. |
| | (g) Ongoing monitoring and assessment activities will commence for those target set CDAs whose security controls have been implemented, as described in Section 4.4, Ongoing Monitoring and Assessment, of the CSP (h) Full implementation of the CSP for all safety, security, and emergency preparedness functions. |
| | Provide a revised CSP implementation schedule that identifies the appropriate milestones, completion dates, supporting rationale, and level of detail to allow the NRC to evaluate the licensees proposed schedule and associated milestone dates which include the final completion date. It is the NRCs intention to develop a license condition incorporating your revised CSP implementation schedule containing the key milestone dates. |
| | RAI 3: Scope of Systems Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat as described in 10 CFR 73.1. In addition, 10 CFR 73.54(a)(1) states that the licensee shall protect digital computer and communication systems and networks associated with: |
| | (i) Safety-related and important-to-safety functions; (ii) Security functions; (iii) Emergency preparedness functions, including offsite communications; and (iv) Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions. |
|
| |
|
| Explain how the scoping of systems provided by [site/licensee]'s CSP meets the requirements of 10 CFR 73.54 and the additional guidance provided by the NRC.}} | | Subsequent to the issuance of the cyber security rule, the NRC stated that 10 CFR 73.54 should be interpreted to include structures, systems, and components (SSCs) in the balance of plant (BOP) that have a nexus to radiological health and safety (Agencywide Documents Access and Management System (ADAMS) Accession No. ML103490344, dated November 19, 2010). The SSCs in the BOP are those that could directly or indirectly affect reactivity of a nuclear power plant and could result in an unplanned reactor shutdown or transient and are therefore, within the scope of important-to-safety functions described in 10 CFR 73.54(a)(1). |
| | Furthermore, the NRC issued a letter to NEI dated January 5, 2011 (ADAMS Accession No. ML103550480) that provided licensees with additional guidance on one acceptable approach to comply with the Commissions policy determination. |
| | Explain how the scoping of systems provided by [site/licensee]s CSP meets the requirements of 10 CFR 73.54 and the additional guidance provided by the NRC.}} |
Letter Sequence RAI |
|---|
|
|
MONTHYEARW3F1-2010-0053, License Amendment Request - Cyber Security Plan, Withdrawal & Re-Submittal2010-07-15015 July 2010
License Amendment Request - Cyber Security Plan, Withdrawal & Re-Submittal
Project stage: Request
ML1020902322010-07-28028 July 2010
Acceptance Review Email, License Amendment Request for Approval of Cyber Security Plan
Project stage: Acceptance Review
ML1100307052011-01-0303 January 2011
Email, Request for Additional Information, License Amendment Request to Revise License Condition and Approve Cyber Security Plan
Project stage: RAI
ML1104701842011-02-15015 February 2011
Attachment 2 to W3F1-2011-0016, Waterford, Unit 3, List of Regulatory Commitments
Project stage: Other
W3F1-2011-0016, Response to Request for Additional Information (RAI) on the Cyber Security Plan2011-02-15015 February 2011
Response to Request for Additional Information (RAI) on the Cyber Security Plan
Project stage: Response to RAI
ML1105407342011-02-23023 February 2011
E-mail, Request for Additional Information, Round 2, License Amendment Request to Revise License Condition and Approve Cyber Security Plan
Project stage: RAI
W3F1-2011-0021, Response to Additional Requests for Additional Information (Rais) and Revision to Cyber Security Plan2011-04-0404 April 2011
Response to Additional Requests for Additional Information (Rais) and Revision to Cyber Security Plan
Project stage: Other
ML1118000212011-07-20020 July 2011
Issuance of Amendment No. 234, Revise License Condition and Approval of Cyber Security Plan and Associated Implementation Schedule
Project stage: Approval
W3F1-2012-0049, License Amendment Request - Cyber Security Plan Implementation Schedule Milestones2012-06-28028 June 2012
License Amendment Request - Cyber Security Plan Implementation Schedule Milestones
Project stage: Request
2011-02-15
[Table View] |
|
|---|
Category:E-Mail
MONTHYEARML23348A1222023-12-14014 December 2023
NRR E-mail Capture - Grand Gulf, River Bend, and Waterford, Unit 3 - 2nd Round of Official RAIs for RR EN-RR-22-001, Use ASME Code Case N-752, Risk Informed Categorization for Class 2 and 3 Systems
ML23097A0412023-04-0606 April 2023
June 2023 Emergency Preparedness Exercise Inspection - Request for Information
ML23076A0552023-03-13013 March 2023
EP Program Inspection RFI Hjs 10132022
ML23072A3672023-03-0909 March 2023
NRR E-mail Capture - Entergy Fleet - Acceptance Review of Quality Assurance Program Manual Reduction in Commitment
ML23052A0882023-02-17017 February 2023
Inspection Request for Information
ML22335A4802022-12-0101 December 2022
NRR E-mail Capture - NRC Update Completion Date for Waterford 3 LAR to Adopt TSTF-505
ML22336A0202022-12-0101 December 2022
NRR E-mail Capture - Acceptance Review for Waterford Unit 3 - License Amendment Request to Revise Technical Specification 3/4.3.2
ML22329A0152022-11-0202 November 2022
NRR E-mail Capture - NRC Update Completion Date for Waterford 3 LAR to Adopt TSTF-505
ML22290A0442022-10-13013 October 2022
December 2022 Emergency Preparedness Program Inspection - Request for Information
ML22215A2062022-08-0303 August 2022
NRR E-mail Capture - Waterford 3 - LAR to Adopt Title 10 of the Code of Federal Regulations, Section 50.69: Loe and Completion Date Update
ML22215A1492022-08-0303 August 2022
NRR E-mail Capture - Waterford 3 - LAR to Permit the Use of Risk-Informed Completion Times in Accordance with Technical Specifications Task Force (TSTF) Traveler TSTF-505, Revision 2
ML22206A0172022-07-22022 July 2022
NRR E-mail Capture - Request for Additional Information: Waterford 3 - License Amendment Requests to Adopt 10 CFR 50.69 and TSTF-505
ML22206A0152022-07-21021 July 2022
NRR E-mail Capture - Entergy (Grand Gulf, River Bend, and Waterford-3) - Acceptance Review of the RR EN-RR-22-001, Case N-752, Risk-informed Cat & Treatment for Repair/Replacement Activities in Class 2 & 3 Systems
ML22209A1082022-07-15015 July 2022
NRR E-mail Capture - Draft RAIs to License Amendment Request for Application to Adopt 10 CFR 50.69 and Revise Technical Specifications to Adopt TSTF-505, Revision 2
ML22144A1662022-05-24024 May 2022
PI&R Request for Information and Transmittal e-mail
ML22108A1792022-04-14014 April 2022
WF3 Cpcs Installation Inspection Plan Email
ML22209A1062022-01-20020 January 2022
NRR E-mail Capture - (External_Sender) Options Moving Forward Regarding Waterford TSTF-505 and 50.69
ML22209A1052022-01-0606 January 2022
NRR E-mail Capture - Estimate for Completion of 50.69-TSTF-505 Peer Review
ML22012A1592022-01-0505 January 2022
WF3 2022 EP Exercise Inspection RFI Sdh 010522
ML21356A5872021-12-22022 December 2021
NRR E-mail Capture - Acceptance for Review: Waterford 3 - Proposed Revision to Reactor Vessel Surveillance Capsule Withdrawal Schedule
ML21349A2242021-12-14014 December 2021
NRR E-mail Capture - (External_Sender) Waterford 3 - Request for One-Time Exemption from 10 CFR 50, Appendix E Biennial EP Exercise
ML21312A4792021-11-0505 November 2021
Email: NRC Staff Preliminary Questions Regarding X Energy LLC Xe-100 Topical Report: Risk-Informed Performance-Based Licensing Basis Development
ML21308A5602021-11-0404 November 2021
NRR E-mail Capture - Arkansas Nuclear One, Units 1 and 2, Grand Gulf, River Bend, and Waterford, Unit 3 - Acceptance Review of LAR to Adopt TSTF-554, Revise Reactor Coolant Leakage Requirements
ML21292A0112021-10-18018 October 2021
NRR E-mail Capture - ANO, 1 and 2, Grand Gulf, River Bend, Waterford, 3 - Acceptance Review of LAR to Adopt TSTF-541, Add Exceptions to Surveillance Requirements for Valves and Dampers Locked in the Actuated Position
ML21280A0812021-10-0505 October 2021
Email 10-5-21 - Request for Information_ Waterford EP Inspection (71114.04 & 71151) - Nov-Dec 2021
ML21285A0242021-10-0505 October 2021
Digital Instrumentation and Control Modification Inspection Request for Information
ML22112A1512021-08-0606 August 2021
NRR E-mail Capture - for Review: Draft RAIs to LAR to Relocate Chemical Detection Systems Technical Specifications (TS) to Technical Requirements Manual (TRM)
ML21216A4562021-08-0404 August 2021
WF3 2021 EP Exercise Inspection Request for Information (RFI)
ML21218A0402021-07-26026 July 2021
NRR E-mail Capture - Final RAIs to Entergy Operations, Waterford Steam Electric Station, Unit 3 LAR to Adopt 10 CFR 50.69
ML21201A0062021-07-19019 July 2021
NRR E-mail Capture - Arkansas Nuclear One, Units 1 and 2, and Waterford, Unit 3 - Acceptance Review of LAR to Adopt TSTF-577, Revised Frequencies for Steam Generator Tube Inspections
ML21173A1082021-06-22022 June 2021
NRR E-mail Capture - Acceptance Review for Waterford Unit 3 - License Amendment Request to Adopt TSTF-563
ML21174A0342021-06-22022 June 2021
NRR E-mail Capture - Entergy Fleet (ANO, Ggulf, Rbend, & Waterford) - Acceptance Review for Relief Request to Use a Provision of a Later Edition of the ASME Code, Section XI for Periodic System Pressure Tests Exemptions
ML21160A0852021-06-0404 June 2021
NRR E-mail Capture - (External_Sender) NRC Notification to the State of Louisiana Regarding a Waterford Steam Electric Station, Unit 3 Amendment - Digital Upgrade I&C
ML21145A0062021-05-24024 May 2021
NRR E-mail Capture - Supplement Received - Waterford Unit 3 - License Amendment Request for Boration Systems Tech Specs
ML21120A1192021-04-30030 April 2021
NRR E-mail Capture - Acceptance Review for Waterford Unit 3 - LAR to Relocate Chemical Detection TSs to TRM
ML21105A0512021-04-14014 April 2021
4-14-21 Email - RFI for In-Office Inspection of Recent WF3 Submission of EAL Procedure Revision
ML21104A0382021-04-13013 April 2021
NRR E-mail Capture - Acceptance Review for Waterford Unit 3 - License Amendment Request for TSTF-505
ML21084A2552021-03-22022 March 2021
NRR E-mail Capture - Supplement to Audit Plan Dated October 1, 2020 (Waterford 3, L-2020-LLA-0164)
ML21088A1512021-03-15015 March 2021
NRR E-mail Capture - Draft Waterford Acceptance Review Letter for TSTF-505 LAR
ML21069A1842021-03-0202 March 2021
NRR E-mail Capture - Announcement of QA Inspection
ML21040A3892021-02-0808 February 2021
NRR E-mail Capture - Announcement of QA Inspection
ML21039A6412021-01-28028 January 2021
NRR E-mail Capture - NRC LIC-109 Acceptance Review Results for Waterford 3 50.69 LAR
ML21022A1692021-01-22022 January 2021
NRR E-mail Capture - Entergy Fleet (ANO, Grand Gulf, River Bend, and Waterford) - Acceptance Review for RR EN-20-RR-003, Proposed Alternative to Use ASME Code Case N-711-2
ML20329A1442020-11-20020 November 2020
Terrapower QAPD Preliminary Questions Email
ML20288A2082020-10-0808 October 2020
8Oct2020 Email - Request for Information (RFI) to Support and Prepare for the Emergency Preparedness (EP) Program Inspection at the Waterford 3 Station Scheduled to Occur the Week of December 7, 2020
ML20289A3502020-10-0505 October 2020
NRR E-mail Capture - NRC Request for Additional Information - WF3 EAL Scheme Change - L-2020-LLA-0122
ML20239B0552020-08-26026 August 2020
NRR E-mail Capture - NRC LIC-109 Acceptance Review Results for Waterford U3 Digital Upgrade LAR
ML20197A3122020-07-14014 July 2020
NRR E-mail Capture - NRC Notification of State of Louisiana Re. Waterford Steam Electric Station License Amendments - Changes to Technical Specifications
ML20191A0172020-06-26026 June 2020
NRR E-mail Capture - NRC LIC-109 Acceptance Review Results for Waterford U3 EAL Scheme Change LAR
ML20093C3072020-04-0101 April 2020
NRR E-mail Capture - (External_Sender) Entergy Fleet - Performance-Based Cyber Security Testing Plan Fee Waiver Response Letter (EPID P-2020-PRF-0000; CAC No. 001648)
2023-04-06
[Table view]
Category:Request for Additional Information (RAI)
MONTHYEARML23348A1222023-12-14014 December 2023
NRR E-mail Capture - Grand Gulf, River Bend, and Waterford, Unit 3 - 2nd Round of Official RAIs for RR EN-RR-22-001, Use ASME Code Case N-752, Risk Informed Categorization for Class 2 and 3 Systems
ML23191A4562023-07-10010 July 2023
Notification of Comprehensive Engineering Team Inspection (050003822023010) and Request for Information
ML23097A0412023-04-0606 April 2023
June 2023 Emergency Preparedness Exercise Inspection - Request for Information
ML23076A0552023-03-13013 March 2023
EP Program Inspection RFI Hjs 10132022
ML23052A0882023-02-17017 February 2023
Inspection Request for Information
ML22290A0442022-10-13013 October 2022
December 2022 Emergency Preparedness Program Inspection - Request for Information
ML22206A0172022-07-22022 July 2022
NRR E-mail Capture - Request for Additional Information: Waterford 3 - License Amendment Requests to Adopt 10 CFR 50.69 and TSTF-505
ML22209A1082022-07-15015 July 2022
NRR E-mail Capture - Draft RAIs to License Amendment Request for Application to Adopt 10 CFR 50.69 and Revise Technical Specifications to Adopt TSTF-505, Revision 2
ML22103A1712022-04-13013 April 2022
LAR to Revise TS to Adopt TSTF-505_NRC Request for Additional Information
ML22012A1592022-01-0505 January 2022
WF3 2022 EP Exercise Inspection RFI Sdh 010522
ML21280A0812021-10-0505 October 2021
Email 10-5-21 - Request for Information_ Waterford EP Inspection (71114.04 & 71151) - Nov-Dec 2021
ML21285A0242021-10-0505 October 2021
Digital Instrumentation and Control Modification Inspection Request for Information
ML22112A1512021-08-0606 August 2021
NRR E-mail Capture - for Review: Draft RAIs to LAR to Relocate Chemical Detection Systems Technical Specifications (TS) to Technical Requirements Manual (TRM)
ML21216A4562021-08-0404 August 2021
WF3 2021 EP Exercise Inspection Request for Information (RFI)
ML21218A0402021-07-26026 July 2021
NRR E-mail Capture - Final RAIs to Entergy Operations, Waterford Steam Electric Station, Unit 3 LAR to Adopt 10 CFR 50.69
ML21196A5302021-07-19019 July 2021
Wat 2021010 RFI Letter 21N_05 Gap
ML21195A0692021-07-13013 July 2021
Staton, Unit 3 - Notification of Digital Instrumentation and Control Modification Inspection and Request for Information
ML21125A6522021-05-0606 May 2021
Wat 2021003 Brq RFI- Md, Waterford Steam Electric Station, Unit 3, Notification of Inspection (NRC Inspection Report 05000382/2021003) and Request for Information
ML21112A2542021-04-29029 April 2021
Request for Additional Information Digital Upgrade to the Core Protection and Control Element Assembly Calculator System (EPID L 2020 Lla 0164) - Redacted Version
ML20288A2082020-10-0808 October 2020
8Oct2020 Email - Request for Information (RFI) to Support and Prepare for the Emergency Preparedness (EP) Program Inspection at the Waterford 3 Station Scheduled to Occur the Week of December 7, 2020
ML20289A3502020-10-0505 October 2020
NRR E-mail Capture - NRC Request for Additional Information - WF3 EAL Scheme Change - L-2020-LLA-0122
ML20125A3212020-05-0404 May 2020
WAT2020410 Inspection Document Request
ML20086M3852020-04-0101 April 2020
Request for Additional Information Regarding License Amendment Request to Revise Technical Specification 3/4 8.1, A.C. Sources Operating
W3F1-2020-0014, Response to U. S. Nuclear Regulatory Commission Request for Additional Information Regarding Application for Technical Specification Change to Control Room Air Conditioning System2020-03-20020 March 2020
Response to U. S. Nuclear Regulatory Commission Request for Additional Information Regarding Application for Technical Specification Change to Control Room Air Conditioning System
ML20049A4102020-02-20020 February 2020
Request for Additional Information Regarding License Amendment Request to Revise Surveillance Requirement 4.7.6.1.d, Control Room Air Filtration System
ML19262H0362019-09-0404 September 2019
Ti 2515/194 Request for Information and Email
ML19274D4932019-07-24024 July 2019
Request for Information IR 05000382 2019-003 Occupational Radiation Safety Inspection
ML19203A0062019-07-19019 July 2019
NRR E-mail Capture - Waterford 3 - Final Request for Additional Information (Rais) Re Relief Request WF3-RR-19-2: Alternate Repair of Degraded Drain Line of Chemical and Volume Control System
ML19151A6102019-06-0404 June 2019
Non-Proprietary Second Round RAI Regarding License Amendment Request for Use of the Tranflow Code for Determining Pressure Drops Across the Steam Generator Secondary Side Internal Components
ML19172A0852019-05-24024 May 2019
NRR E-mail Capture - Waterford 3 - Final Request for Additional Information (Rais) Re Relief Request W3-ISI-032: Volumetric Examination Requirements
ML19035A0412019-02-0101 February 2019
NRR E-mail Capture - Waterford 3 - Final Request for Information Regarding Relief Request WF3-RR-19-001 for Application of Dissimilar Metal Weld Full Structural Weld Overlay
ML19018A0102019-01-28028 January 2019
Request for Additional Information Regarding License Amendment Request for Revision of Technical Specification 3/4.7.4,Ultimate Heat Sink
ML18320A0902018-11-26026 November 2018
Request for Additional Information Regarding License Amendment Request for Use of the Transflow Code for Determining Pressure Drops Across the Steam Generator Secondary Side Internal Components
ML18318A4352018-11-14014 November 2018
NRR E-mail Capture - Waterford 3 - Final Request for Additional Information Regarding Request for Alternative to ASME Code Case N-770-2
ML18299A0862018-11-0707 November 2018
Draft Request for Additional Information License Amendment Request Regarding the Revision of UFSAR Section 3.9
ML18262A0412018-09-25025 September 2018
Request for Additional Information Regarding License Amendment Request to Revise Section 15.4.3.1 of the Waterford 3 Updated Final Safety Analysis Report to Account for Fuel Misload
ML18145A2652018-06-0101 June 2018
Supplemental Information Needed for Acceptance of Request for Licensing Action Use of Tranflow Code for Determining Pressure Drops Across Steam Generator Secondary Side Components
ML18085A6942018-03-26026 March 2018
Ref: Waterford Steam Electric Station, Unit 3, License Renewal Application - RAI Set 18
ML18058A0572018-02-23023 February 2018
Enclosurequest for Additional Information (Letter to J. Giddens Request for Additional Information Regarding Entergy Operations, Inc.'S Decommissioning Funding Plan Update)
ML18039A9722018-02-0808 February 2018
Notification of Evaluations of Changes, Tests, and Experiments Inspection (05000382/2018002) and Request for Information
ML17233A2402017-08-14014 August 2017
NRR E-mail Capture - Draft RAI for Waterford Unit 3 Regarding License Amendment Request to Adopt TSTF-501 Relocate Stored Fuel Oil and Lube Oil Volume Values to Licensee Control
ML17170A3012017-06-16016 June 2017
Notification of Inspection (NRC Integrated Inspection Report 05000382/2017003) and Request for Information
ML17101A4432017-04-17017 April 2017
Requests for Additional Information for the Review of the Waterford Steam Electric Station, Unit 3, License Renewal Application - Set 17
ML17086A5852017-03-28028 March 2017
Request for Additional Information for the Environmental Review of Waterford 3
ML17072A0102017-03-14014 March 2017
Requests for Additional Information for the Review of the Waterford Steam Electric Station, Unit 3, License Renewal Application Set - 15
ML17272A3352017-03-0101 March 2017
Request for Additional Information for the Review of the Waterford Steam Electric Station, Unit 3, License Renewal Application - Set 14
ML17040A5382017-02-14014 February 2017
Requests for Additional Information for the Review of the Waterford Steam Electric Station, Unit 3, License Renewal Application - Set 13
ML17018A3592017-01-26026 January 2017
Requests For Additional Information For The Review Of The Waterford Steam Electric Station, Unit 3, License Renewal Application Set 12 (CAC MF7492.)
ML16354A1052016-12-27027 December 2016
RAI License Amendment Request to Revise TS 3/4.3.2 to Relocate Surveillance Frequency Requirements for Engineered Safety Feature Actuation System (ESFAS) Subgroup Relays to the Surveillance Frequency Control Program
ML16356A5942016-12-19019 December 2016
NRR E-mail Capture - MF8325 Draft RAIs Regarding the License Amendment Request to Revise the Table Notation for Table 4.3-2, ESFAS Surveillance Requirements
2023-07-10
[Table view] |
Text
From: Kalyanam, Kaly Sent: Wednesday, February 23, 2011 4:55 PM To: MOSHER, NATALIE B; STEELMAN, WILLIAM J Cc: Burkhardt, Janet; Lent, Susan
Subject:
Request for Additional Information (RAI) on the Cyber Security Plan License Amendment Request (LAR)
Plant: Waterford Steam Electric Station, Unit 3 Docket No.: 50/382
Subject:
RAI on License Amendment Request, Cyber Security Plan TAC Nos.: ME4271 SUNSI Review Done: Yes. Publicly Available, Normal Release, Non-sensitive, From: N. Kalyanam To: Natalie Mosher / W. Steelman Attached is the second set of Cyber Security Plan (CSP) RAIs that the NRC staff has prepared. These RAIs apply to LAR submitted by Entergy Operations Inc. (the licensee) for Arkansas Nuclear One, Unit 1 and Unit 2, on July 15, 2010. A brief background on each RAI is provided below:
RAI-1 Records Retention This RAI addresses the apparent difference between the NRC staffs and the industrys interpretation of the CSP records retention regulation (10 CFR 73.54(h)). NSIR has been interacting with industrys Nuclear Security Working Group (NSWG) on this aspect of the rule over the past few months. Licensees are being asked to explain further how their submittal (based on NEI 08-09 Rev. 6) complies with the regulation.
RAI-2 Implementation Schedule This RAI requests licensees to resubmit their proposed implementation schedules to align with certain key milestones determined by the staff to be important in the implementation of the CSP. In addition, the staff is informing the licensee of its intention to develop a license condition incorporating the revised CSP implementation schedule. NSIR has been interacting with the NSWG on this issue for some time.
RAI-3 Scope of Systems This RAI requests licensees to clarify the scope of their CSP, in light of a recent Commission policy decision concerning the structures, systems, and components considered important-to-safety in the balance of plant systems. This issue has had much visibility in the industry, in part because multiple parties (NRC, FERC, NERC) are affected by this. The RAI identifies the key publicly available documents that have been issued by the Commission/staff.
Please advise the staff if you can provide the response in 30 days from the time of the receipt of this request.
Thanks Kaly Generic Request for Additional Information (RAI)
RAI 1: Records Retention Title 10 of the Code of Federal Regulations (10 CFR) Paragraph 73.54(c)(2) requires licensees to design a cyber security program to ensure the capability to detect, respond to, and recover from cyber attacks. Furthermore, 10 CFR 73.54(e)(2)(i) requires licensees to maintain a cyber security plan that describes how the licensee will maintain the capability for timely detection and response to cyber attacks. The ability for a licensee to detect and respond to cyber attacks requires accurate and complete records and is further supported by 10 CFR 73.54(h), which states that the licensee shall retain all records and supporting technical documentation required to satisfy the requirements of 10 CFR Section 73.54 as a record until the commission terminates the license for which the records were developed, and shall maintain superseded portions of these records for at least 3 years after the record is superseded, unless otherwise specified by the Commission.
The licensees Cyber Security Plan (CSP) in Section [4.13] states that Critical Digital Asset (CDA) audit records and audit data (e.g., operating system logs, network device logs) are retained for a period of time that is less than what is required by 10 CFR 73.54(h).
Explain the deviation from the 10 CFR 73.54(h) requirement to retain records and supporting technical documentation until the Commission terminates the license (or to maintain superseded portions of these records for at least 3 years) and how that meets the requirements of 10 CFR 73.54.
RAI 2: Implementation Schedule The regulation at 10 CFR 73.54, Protection of digital computer and communication systems and networks, requires licensees to submit a CSP that satisfies the requirements of this section for Commission review and approval. Furthermore, each submittal must include a proposed implementation schedule and the implementation of the licensees cyber security program must be consistent with the approved schedule. Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat.
The completion of several key intermediate milestones (Items (a) through (g) below) would demonstrate progress toward meeting the requirements of 10 CFR 73.54. The Nuclear Regulatory Commission (NRC) staffs expectation is that the key intermediate milestones will be completed in a timely manner, but no later than December 31, 2012. The key CSP implementation milestones are as follows:
(a) Establish, train and qualify Cyber Security Assessment Team, as described in Section 3.1.2, Cyber Security Assessment Team, of the CSP.
(b) Identify Critical Systems and CDAs, as described in Section 3.1.3, Identification of Critical Digital Assets, of the CSP.
(c) Implement cyber security defense-in-depth architecture by installation of [deterministic one-way] devices, as described in Section 4.3, Defense-In-Depth Protective Strategies of the CSP.
(d) Implement the management, operational and technical cyber security controls that address attacks promulgated by use of portable media, portable devices, and portable equipment as described in Appendix D Section 1.19 Access Control for Portable and Mobile Devices, of Nuclear Energy Institute (NEI) 08-09, Revision 6.
(e) Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds as described in Appendix E Section 4.3, Personnel Performing Maintenance and Testing Activities, and Appendix E Section 10.3, Baseline Configuration of NEI 08-09, Revision 6.
(f) Identify, document, and implement cyber security controls to physical security target set CDAs in accordance with Section 3.1.6, Mitigation of Vulnerabilities and Application of Cyber Security Controls, of the CSP.
(g) Ongoing monitoring and assessment activities will commence for those target set CDAs whose security controls have been implemented, as described in Section 4.4, Ongoing Monitoring and Assessment, of the CSP (h) Full implementation of the CSP for all safety, security, and emergency preparedness functions.
Provide a revised CSP implementation schedule that identifies the appropriate milestones, completion dates, supporting rationale, and level of detail to allow the NRC to evaluate the licensees proposed schedule and associated milestone dates which include the final completion date. It is the NRCs intention to develop a license condition incorporating your revised CSP implementation schedule containing the key milestone dates.
RAI 3: Scope of Systems Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat as described in 10 CFR 73.1. In addition, 10 CFR 73.54(a)(1) states that the licensee shall protect digital computer and communication systems and networks associated with:
(i) Safety-related and important-to-safety functions; (ii) Security functions; (iii) Emergency preparedness functions, including offsite communications; and (iv) Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.
Subsequent to the issuance of the cyber security rule, the NRC stated that 10 CFR 73.54 should be interpreted to include structures, systems, and components (SSCs) in the balance of plant (BOP) that have a nexus to radiological health and safety (Agencywide Documents Access and Management System (ADAMS) Accession No. ML103490344, dated November 19, 2010). The SSCs in the BOP are those that could directly or indirectly affect reactivity of a nuclear power plant and could result in an unplanned reactor shutdown or transient and are therefore, within the scope of important-to-safety functions described in 10 CFR 73.54(a)(1).
Furthermore, the NRC issued a letter to NEI dated January 5, 2011 (ADAMS Accession No. ML103550480) that provided licensees with additional guidance on one acceptable approach to comply with the Commissions policy determination.
Explain how the scoping of systems provided by [site/licensee]s CSP meets the requirements of 10 CFR 73.54 and the additional guidance provided by the NRC.
