ML15133A453: Difference between revisions
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
||
| Line 14: | Line 14: | ||
| page count = 38 | | page count = 38 | ||
| project = TAC:MF5165, TAC:MF5166, TAC:MF5167, TAC:MF5168, TAC:MF5169, TAC:MF5170, TAC:MF5171 | | project = TAC:MF5165, TAC:MF5166, TAC:MF5167, TAC:MF5168, TAC:MF5169, TAC:MF5170, TAC:MF5171 | ||
| stage = | | stage = Approval | ||
}} | }} | ||
Revision as of 18:13, 1 April 2018
| ML15133A453 | |
| Person / Time | |
|---|---|
| Site: | Oconee, Mcguire, Catawba, McGuire  |
| Issue date: | 06/11/2015 |
| From: | Miller G E Plant Licensing Branch II |
| To: | Repko R T Duke Energy Carolinas |
| Miller G E | |
| References | |
| TAC MF5165, TAC MF5166, TAC MF5167, TAC MF5168, TAC MF5169, TAC MF5170, TAC MF5171 | |
| Download: ML15133A453 (38) | |
Text
UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 Mr. Regis T. Repko Senior Vice President Governance, Projects, & Engineering Duke Energy Carolinas, LLC P.O. Box 1006/EC07H Charlotte, NC 28201-1006 June 11, 2015 SUBJECT: CATAWBA NUCLEAR STATION, UNITS 1 AND 2 (CATAWBA 1 AND 2), MCGUIRE NUCLEAR STATION, UNITS 1 AND 2 (MCGUIRE 1 AND 2), AND OCONEE NUCLEAR STATION, UNITS 1, 2, AND 3 (OCONEE 1, 2, AND 3) -ISSUANCE OF AMENDMENTS REGARDING CHANGES TO CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE MILESTONE 8 (TAC NOS. MF5165, MF5166, MF5167, MF5168, MF5169, MF5170, AND MF5171) Dear Mr. Kapopoulos: By letter dated November 6, 2014, Duke Energy Carolinas, LLC (Duke, the licensee), submitted a license amendment request to change the completion date for implementing Milestone 8 of the Duke Cyber Security Plan. Specifically, the proposed change would revise the date from June 30, 2015, to December 31, 2017. The U.S. Nuclear Regulatory Commission (NRC) has issued the enclosed Amendment Nos. 276 and 272 to Renewed Facility Operating License Nos. NPF-35 and NPF-52, respectively, for Catawba 1 and 2; Amendment Nos. 279 and 259 to Renewed Facility Operating License Nos. NPF-9 and NPF-17, respectively, for McGuire 1 and 2; and Amendment Nos. 391, 393, and 392 to Renewed Facility Operating License Nos. DPR-38, DPR-47, DPR-55, respectively, for Oconee 1, 2, and 3. A copy of the related Safety Evaluation is also enclosed. A Notice of Issuance will be included in the Commission's biweekly Federal Register notice.
R. Repko -2 -If you have any questions, please call me at 301-415-2481. G. Edward Miller, Project Manager Plant Licensing Branch 11-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. 50-413, 50-414, 50-369, 50-370 50-269, 50-270, and 50-287 Enclosures: 1. Amendment No. 276 to NPF-35 2. Amendment No. 272 to NPF-52 3. Amendment No. 279 to NPF-9 4. Amendment No. 259 to NPF-17 5. Amendment No. 391 to DPR-38 6. Amendment No. 393 to DPR-47 7. Amendment No. 392 to DPR-55 8. Safety Evaluation cc w/encls: Distribution via Listserv UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 DUKE ENERGY CAROLINAS, LLC DOCKET NO. 50-413 CATAWBA NUCLEAR STATION. UNIT 1 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 276 Renewed License No. NPF-35 1. The Nuclear Regulatory Commission (the Commission) has found that: A. The application for amendment to the Catawba Nuclear Station, Unit 1 (the facility), Renewed Facility Operating License No. NPF-35, filed by Duke Energy Carolinas, LLC (the licensee), dated November 6, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations as set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations set forth in 10 CFR Chapter I; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied. Enclosure 1
-2 -2. Accordingly, Paragraph 2.E of Renewed Facility Operating License No. NPF-35 is hereby amended to read as follows: E. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 10 CFR 73.21, is entitled: "Duke Energy Physical Security Plan," Revision 8 submitted by letter dated May 17, 2007. Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 266, as supplemented by a change approved by License Amendment No. 276. 3. This license amendment is effective as of its date of issuance and shall be implemented within 30 days of issuance. Attachment: Changes to License No. NPF-35 and the Technical Specifications Date of Issuance: June 11, 2015 FOR THE NUCLEAR REGULATORY COMMISSION Robert J. Pascarelli, Chief Plant Licensing Branch 11-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 DUKE ENERGY CAROLINAS. LLC DOCKET NO. 50-414 CATAWBA NUCLEAR STATION. UNIT 2 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 272 Renewed License No. NPF-52 1. The Nuclear Regulatory Commission (the Commission) has found that: A. The application for amendment to the Catawba Nuclear Station, Unit 2 (the facility), Renewed Facility Operating License No. NPF-52, filed by Duke Energy Carolinas, LLC (the licensee), dated November 6, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations as set in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations set forth in 10 CFR Chapter I; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied. Enclosure 2
-2 -2. Accordingly, Paragraph 2.E of Renewed Facility Operating License No. NPF-52 is hereby amended to read as follows: E. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 1 O CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 10 CFR 73.21, is entitled: "Duke Energy Physical Security Plan," Revision 8 submitted by letter dated May 17, 2007. Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 262, as supplemented by a change approved by License Amendment No. 272. 3. This license amendment is effective as of its date of issuance and shall be implemented within 30 days of issuance. Attachment: Changes to License No. NPF-52 and the Technical Specifications Date of Issuance: June 11, 2015 FOR THE NUCLEAR REGULA TORY COMMISSION Robert J. Pascarelli, Chief Plant Licensing Branch 11-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation ATTACHMENT TO LICENSE AMENDMENT NO. 276 RENEWED FACILITY OPERATING LICENSE NO. NPF-35 DOCKET NO. 50-413 AND LICENSE AMENDMENT NO. 272 RENEWED FACILITY OPERATING LICENSE NO. NPF-52 DOCKET NO. 50-414 Replace the following pages of the Renewed Facility Operating Licenses with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the areas of change. Remove Licenses NPF-35, page 6 NPF-52, page 6 Licenses NPF-35, page 6 NPF-52, page 6
-6 -E. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 10 CFR 73.21, is entitled: "Duke Energy Physical Security Plan," Revision 8 submitted by letter dated May 17, 2007. Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 266, as supplemented by a change approved by License Amendment No. 276. F. Reporting to the Commission Deleted by Amendment No. 230 G. The licensees shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims. 3. This renewed license is effective as of the date of issuance and shall expire at midnight on December 5, 2043. FOR THE NUCLEAR REGULA TORY COMMISSION Original Signed By: J.E. Dyer J. E. Dyer, Director Office of Nuclear Reactor Regulation Attachments: 1. Appendix A -Technical Specifications 2. Appendix B -Additional Conditions 3. Appendix C -Antitrust Conditions Date of Issuance: December 5, 2003 Renewed License No. NPF-35 Amendment No. 276
-6-E. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 10 CFR 73.21, is entitled: "Duke Energy Physical Security Plan," Revision 8 submitted by letter dated May 17, 2007. Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 262, as supplemented by a change approved by License Amendment No. 272. F. Reporting to the Commission Deleted by Amendment No. 226 G. The licensees shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims. 3. This renewed license is effective as of the date of issuance and shall expire at midnight on December 5, 2043. FOR THE NUCLEAR REGULA TORY COMMISSION Original Signed By: J.E. Dyer J. E. Dyer, Director Office of Nuclear Reactor Regulation Attachments: 1. Appendix A -Technical Specifications 2. Appendix B -Additional Conditions 3. Appendix C -Antitrust Conditions Date of Issuance: December 5, 2003 Renewed License No. NPF-52 Amendment No. 272 UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 DUKE ENERGY CAROLINAS. LLC DOCKET NO. 50-369 MCGUIRE NUCLEAR STATION, UNIT 1 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 279 Renewed License No. NPF-9 1. The Nuclear Regulatory Commission (the Commission) has found that: A. The application for amendment to the McGuire Nuclear Station, Unit 1 (the facility), Renewed Facility Operating License No. NPF-9, filed by Duke Energy Carolinas, LLC (the licensee), dated November 6, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations as set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations set forth in 10 CFR Chapter I; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied. Enclosure 3
-2 -2. Accordingly, Paragraph 2.D of Renewed Facility Operating License No. NPF-9 is hereby amended to read as follows: D. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51FR27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 10 CFR 73.21, is entitled: "Duke Energy Physical Security Plan," submitted by letter dated September 8, 2004, as supplemented on September 30, 2004, October 15, 2004, October 21, 2004, and October 27, 2004. Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 264, as supplemented by a change approved by License Amendment No. 279. 3. This license amendment is effective as of its date of issuance and shall be implemented within 30 days of issuance. Attachment: Changes to License No. NPF-9 and the Technical Specifications Date of Issuance: June 11, 2015 FOR THE NUCLEAR REGULA TORY COMMISSION Robert J. Pascarelli, Chief Plant Licensing Branch 11-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 DUKE ENERGY CAROLINAS. LLC DOCKET NO. 50-370 MCGUIRE NUCLEAR STATION. UNIT 2 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 259 Renewed License No. NPF-17 1. The Nuclear Regulatory Commission (the Commission) has found that: A. The application for amendment to the McGuire Nuclear Station, Unit 2 (the facility), Renewed Facility Operating License No. NPF-17, filed by Duke Energy Carolinas, LLC (the licensee), dated November 6, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations as set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations set forth in 10 CFR Chapter I; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied. Enclosure 4
-2 -2. Accordingly, Paragraph 2.D of Renewed Facility Operating License No. NPF-17 is hereby amended to read as follows: D. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 10 CFR 73.21, .is entitled: "Duke Energy Physical Security Plan," submitted by letter dated September 8, 2004, as supplemented on September 30, 2004, October 15, 2004, October 21, 2004, and October 27, 2004. Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 244, as supplemented by a change approved by License Amendment No. 259. 3. This license amendment is effective as of its date of issuance and shall be implemented within 30 days of issuance. Attachment: Changes to License No. NPF-17 and the Technical Specifications Date of Issuance: June 11, 2015 FOR THE NUCLEAR REGULA TORY COMMISSION Robert J. Pascarelli, Chief Plant Licensing Branch 11-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation ATTACHMENT TO LICENSE AMENDMENT NO. 279 RENEWED FACILITY OPERATING LICENSE NO. NPF-9 DOCKET NO. 50-369 AND LICENSE AMENDMENT NO. 259 RENEWED FACILITY OPERATING LICENSE NO. NPF-17 DOCKET NO. 50-370 Replace the following pages of the Renewed Facility Operating Licenses with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the areas of change. Remove Licenses NPF-9, page 4A NPF-17, page 5 Licenses NPF-9, page 4A NPF-17, page 5
-4A-D. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 10 CFR 73.21, is entitled: "Duke Energy Physical Security Plan" submitted by letter dated September 8, 2004, and supplemented on September 30, 2004, October 15, 2004, October 21, 2004, and October 27, 2004. Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 264, as supplemented by a change approved by License Amendment No. 279. E. Deleted by Amendment No. 233. Renewed License No. NPF-9 Amendment No. 279
-5 -4. Procedures for implementing integrated fire response strategy 5. Identification of readily-available pre-staged equipment 6. Training on integrated fire response strategy 7. Spent fuel pool mitigation measures C) Actions to minimize release to include consideration of: 1. Water spray scrubbing 2. Dose to onsite responders D. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 10 CFR 73.21, is entitled: "Duke Energy Physical Security Plan" submitted by letter dated September 8, 2004, and supplemented on September 30, 2004, October 15, 2004, October 21, 2004, and October 27, 2004. Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 244, as supplemented by a change approved by License Amendment No. 259. E. Deleted by Amendment No. 215. F. The licensee shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims. G. In accordance with the Commission's direction in its Statement of Policy, Licensing and Regulatory Policy and Procedures for Environmental Protection: Uranium Fuel Cycle Impacts. October 29, 1982, this renewed operating license is subject to the final resolution of the pending litigation involving Table S-3. See, Natural Resources Defense Council v. NRC, No. 74-1586 (D.C. cir. April 27, 1982). H. The licensee is authorized to receive from the Oconee Nuclear Station, Units 1, 2, and 3, possess, and store irradiated Oconee fuel assemblies containing special nuclear material, enriched to not more than 3.24% by weight U-235 subject to the following conditions: a. Oconee fuel assemblies may not be placed in the McGuire Nuclear Station, Unit 1 and 2, reactors. b. Irradiated fuel shipped to McGuire Nuclear Station, Units 1 and 2, from Oconee shall have been removed from the Oconee reactor no less than 270 days prior to shipment. Renewed License No. NPF-17 Amendment No. 259 UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 DUKE ENERGY CAROLINAS, LLC DOCKET NO. 50-269 OCONEE NUCLEAR STATION, UNIT 1 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 391 Renewed License No. DPR-38 1. The Nuclear Regulatory Commission (the Commission) has found that: A. The application for amendment to the Oconee Nuclear Station, Unit 1 (the facility), Renewed Facility Operating License No. NPF-38, filed by Duke Energy Carolinas, LLC (the licensee), dated November 6, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations as set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations set forth in 10 CFR Chapter I; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied. Enclosure 5
-2 -2. Accordingly, Paragraph 3.E of Renewed Facility Operating License No. DPR-38 is hereby amended to read as follows: E. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 10 CFR 73.21, is entitled: "Duke Energy Physical Security Plan," submitted by letter dated September 8, 2004, as supplemented on September 30, 2004, October 15, 2004, October 21, 2004, and October 27, 2004. Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 378, as supplemented by a change approved by License Amendment No. 391. 3. This license amendment is effective as of its date of issuance and shall be implemented within 30 days of issuance. Attachment: Changes to License No. DPR-38 and the Technical Specifications Date of Issuance: June 11, 2015 FOR THE NUCLEAR REGULATORY COMMISSION Robert J. Pascarelli, Chief Plant Licensing Branch 11-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 DUKE ENERGY CAROLINAS. LLC DOCKET NO. 50-270 OCONEE NUCLEAR STATION. UNIT 2 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 393 Renewed License No. DPR-47 1. The Nuclear Regulatory Commission (the Commission) has found that: A. The application for amendment to the Oconee Nuclear Station, Unit 2 (the facility), Renewed Facility Operating License No. DPR-47, filed by Duke Energy Carolinas, LLC (the licensee), dated November 6, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations as set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations set forth in 10 CFR Chapter I; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied. Enclosure 6
-2 -2. Accordingly, Paragraph 3.E of Renewed Facility Operating License No. DPR-47 is hereby amended to read as follows: E. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commissi'on-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 1 O CFR 73.21, is entitled: "Duke Energy Physical Security Plan," submitted by letter dated September 8, 2004, as supplemented on September 30, 2004, October 15, 2004, October 21, 2004, and October 27, 2004. Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 380, as supplemented by a change approved by License Amendment No. 393. 3. This license amendment is effective as of its date of issuance and shall be implemented within 30 days of issuance. Attachment: Changes to License No. DPR-47 and the Technical Specifications Date of Issuance: June 11, 2015 FOR THE NUCLEAR REGULATORY COMMISSION Robert J. Pascarelli, Chief Plant Licensing Branch 11-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 DUKE ENERGY CAROLINAS, LLC DOCKET NO. 50-287 OCONEE NUCLEAR STATION, UNIT 3 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 392 Renewed License No. DPR-55 1. The Nuclear Regulatory Commission (the Commission) has found that: A. The application for amendment to the Oconee Nuclear Station, Unit 3 (the facility), Renewed Facility Operating License No. DPR-55, filed by Duke Energy Carolinas, LLC (the licensee), dated November 6, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations as set forth in 1 O CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations set forth in 10 CFR Chapter I; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied. Enclosure 7
-2 -2. Accordingly, Paragraph 3.E of Renewed Facility Operating License No. DPR-55 is hereby amended to read as follows: E. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 10 CFR 73.21, is entitled: "Duke Energy Physical Security Plan," submitted by letter dated September 8, 2004, as supplemented on September 30, 2004, October 15, 2004, October 21, 2004, and October 27, 2004. Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 379, as supplemented by a change approved by License Amendment No. 392. 3. This license amendment is effective as of its date of issuance and shall be implemented within 30 days of issuance. Attachment: Changes to License No. DPR-55 and the Technical Specifications Date of Issuance: June 11 2015 ' FOR THE NUCLEAR REGULATORY COMMISSION Robert J. Pascarelli, Chief Plant Licensing Branch 11-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation ATTACHMENT TO LICENSE AMENDMENT NO. 391 RENEWED FACILITY OPERATING LICENSE NO. DPR-38 DOCKET NO. 50-269 AND LICENSE AMENDMENT NO. 393 RENEWED FACILITY OPERATING LICENSE NO. DPR-47 DOCKET NO. 50-270 AND LICENSE AMENDMENT NO. 392 RENEWED FACILITY OPERATING LICENSE NO. DPR-55 DOCKET NO. 50-287 Replace the following pages of the Renewed Facility Operating Licenses with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the areas of change. Remove Licenses DPR-38, page 10 DPR-47, page 10 DPR-55, page 10 Insert Licenses DPR-38, page 10 DPR-47, page 10 DPR-55, page 10
-10 -3) The licensee shall maintain appropriate compensatory measures in place until completion of all modifications and implementation items delineated above. E. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 10 CFR 73.21, is entitled: "Duke Energy Physical Security Plan" submitted by letter dated September 8, 2004, and supplemented on September 30, 2004, October 15, 2004, October 21, 2004, and October 27, 2004. Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 378, as supplemented by a change approved by License Amendment No. 391. F. In the update to the UFSAR required pursuant to 10 CFR 50.71 (e)(4) scheduled for July, 2001, the licensee shall update the UFSAR to include the UFSAR supplement submitted pursuant to 10 CFR 54.21 (d) as revised on March 27, 2000. Until the UFSAR update is complete, the licensee may make changes to the programs described in its UFSAR supplement without prior Commission approval, provided that the licensee evaluates each such change pursuant to the criteria set forth in 10 CFR 50.59 and otherwise complies with the requirements in that section. G. The licensee's UFSAR supplement submitted pursuant to 10 CFR 54.21(d), as revised on March 27, 2000, describes certain future inspection activities to be completed before the period of extended operation. The licensee shall complete these activities no later than February 6, 2013. H. Mitigation Strategy License Condition Develop and maintain strategies for addressing large fires and explosions and that include the following key areas: (a) Fire fighting response strategy with the following elements: 1. Pre-defined coordinated fire response strategy and guidance 2. Assessment of mutual aid fire fighting assets 3. Designated staging areas for equipment and materials 4. Command and control 5. Training of response personnel Renewed License No. DPR-38 Amendment No. 391
-10 -3) The licensee shall maintain appropriate compensatory measures in place until completion of all modifications and implementation items delineated above. E. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 10 CFR 73.21, is entitled: "Duke Energy Physical Security Plan" submitted by letter dated September 8, 2004, and supplemented on September 30, 2004, October 15, 2004, October 21, 2004, and October 27, 2004. Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 380, as supplemented by a change approved by License Amendment No. 393. F. In the update to the UFSAR required pursuant to 10 CFR 50.71 (e)(4) scheduled for July, 2001, the licensee shall update the UFSAR to include the UFSAR supplement submitted pursuant to 10 CFR 54.21 (d) as revised on March 27, 2000. Until the UFSAR update is complete, the licensee may make changes to the programs described in its UFSAR supplement without prior Commission approval, provided that the licensee evaluates each such change pursuant to the criteria set forth in 10 CFR 50.59 and otherwise complies with the requirements in that section. G. The licensee's UFSAR supplement submitted pursuant to 10 CFR 54.21 (d), as revised on March 27, 2000, describes certain future inspection activities to be completed before the period of extended operation. The licensee shall complete these activities no later than February 6, 2013. H. Mitigation Strategy License Condition Develop and maintain strategies for addressing large fires and explosions and that include the following key areas: (a) Fire fighting response strategy with the following elements: 1. Pre-defined coordinated fire response strategy and guidance 2. Assessment of mutual aid fire fighting assets 3. Designated staging areas for equipment and materials 4. Command and control 5. Training of response personnel Renewed License No. DPR-47 Amendment No. 393
-10 -3) The licensee shall maintain appropriate compensatory measures in place until completion of all modifications and implementation items delineated above. E. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 10 CFR 73.21, is entitled: "Duke Energy Physical Security Plan" submitted by letter dated September 8, 2004, and supplemented on September 30, 2004, October 15, 2004, October 21, 2004, and October 27, 2004. Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 379, as supplemented by a change approved by License Amendment No. 392. F. In the update to the UFSAR required pursuant to 10 CFR 50.71(e)(4) scheduled for July, 2001, the licensee shall update the UFSAR to include the UFSAR supplement submitted pursuant to 10 CFR 54.21(d) as revised on March 27, 2000. Until the UFSAR update is complete, the licensee may make changes to the programs described in its UFSAR supplement without prior Commission approval, provided that the licensee evaluates each such change pursuant to the criteria set forth in 10 CFR 50.59 and otherwise complies with the requirements in that section. G. The licensee's UFSAR supplement submitted pursuant to 10 CFR 54.21(d), as revised on March 27, 2000, describes certain future inspection activities to be completed before the period of extended operation. The licensee shall complete these activities no later than February 6, 2013. H. Mitigation Strategy License Condition Develop and maintain strategies for addressing large fires and explosions and that include the following key areas: (a) Fire fighting response strategy with the following elements: 1. Pre-defined coordinated fire response strategy and guidance 2. Assessment of mutual aid fire fighting assets 3. Designated staging areas for equipment and materials 4. Command and control 5. Training of response personnel Renewed License No. DPR-55 Amendment No. 392 UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 276 TO RENEWED FACILITY OPERATING LICENSE NPF-35; AMENDMENT NO. 272 TO RENEWED FACILITY OPERATING LICENSE NPF-52; AMENDMENT NO. 279 TO RENEWED FACILITY OPERATING LICENSE NPF-9; AMENDMENT NO. 259 TO RENEWED FACILITY OPERATING LICENSE NPF-17; AMENDMENT NO. 391 TO RENEWED FACILITY OPERATING LICENSE DPR-38; AMENDMENT NO. 393 TO RENEWED FACILITY OPERATING LICENSE DPR-47; AND AMENDMENT NO. 392 TO RENEWED FACILITY OPERATING LICENSE DPR-55; DUKE ENERGY CAROLINAS, LLC CATAWBA NUCLEAR STATION, UNITS 1 AND 2 DOCKET NOS. 50-413 AND 50-414 MCGUIRE NUCLEAR STATION, UNITS 1 AND 2 DOCKET NOS. 50-369 AND 50-370 OCONEE NUCLEAR STATION, UNITS 1, 2, AND 3 DOCKET NOS. 50-269, 50-270, AND 50-287 1.0 INTRODUCTION By application dated November 6, 2014 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML 14314A041), Duke Energy Carolina, LLC (Duke, the licensee), requested a change to the renewed facility operating licenses for the Catawba Nuclear Station, Units 1 and 2 (Catawba 1 and 2), McGuire Nuclear Station, Units 1 and 2 (McGuire 1 and 2), and Oconee Nuclear Station, Units 1, 2, and 3 (Oconee 1, 2, and 3). The proposed change would revise the date of Cyber Security Plan (CSP) Implementation Schedule Milestone 8 and the existing license conditions in the facility operating licenses. Milestone 8 of the CSP implementation schedule concerns completion of operational and management controls. Enclosure 8
-2 -Portions of the letter dated November 6, 2014, contain sensitive unclassified non-safeguards information and, accordingly, have been withheld from public disclosure in accordance with Title 10 of the Code of Federal Regulations (10 CFR) paragraph 2.390(d)(1 ). 2.0 REGULATORY EVALUATION By letter dated August 31, 2011 (ADAMS Accession No. ML 11216A064), the U.S. Nuclear Regulatory Commission (NRC) staff reviewed and approved the licensee's existing CSP implementation schedule via License Amendment Nos. 266 and 262 to Renewed Facility Operating License Nos. NPF-35 and NPF-52, respectively, for Catawba 1 and 2; Amendment Nos. 264 and 244 to Renewed Facility Operating License Nos. NPF-9 and NPF-17, respectively, for McGuire 1 and 2; and Amendment Nos. 378, 380, and 379 to Renewed Facility Operating License Nos. DPR-38, DPR-47, and DPR-55, respectively, for Oconee 1, 2, and 3, concurrent with the incorporation of the CSP into the facilities' current licensing bases. The NRC staff considered the following regulatory requirements and guidance in its review of the November 6, 2014, license amendment request (LAR) to modify the existing CSP implementation schedule:
- The regulations in 10 CFR Section 73.54 state, in part, that: "Each [CSP] submittal must include a proposed implementation schedule. Implementation of the licensee's cyber security program must be consistent with the approved schedule."
- The licensee's renewed facility operating licenses include a license condition that requires the licensee to fully implement and maintain in effect all provisions of the Commission-approved CSP including changes made pursuant to the authority of 10 CFR Sections 50.90 and 50.54(p).
- The amendments dated August 31, 2011, which approved the licensee's CSP and implementation schedule, included the following statement: "The implementation of the CSP, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee on August 16, 2010, as supplemented by letters dated September 27, 2010, March 7, 2011, April 15, 2011, and August 9, 2011, and approved by the NRC staff with this license amendment. All subsequent changes to the NRG-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90."
- In a publicly-available NRC memorandum dated October 24, 2013 (ADAMS Accession No. ML 13295A467), the NRC staff listed criteria that it would consider during its evaluations of licensees' requests to postpone their cyber security program implementation date (commonly known as Milestone 8). The NRC staff regards the CSP milestone implementation dates as obligations that cannot be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that "[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRC staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML 110980538), the implementation of the
-3 -plan, including the key intermediate milestone dates and the full implementation date shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC staff. All subsequent changes to the NRG-approved CSP implementation schedule, thus, will require prior NRC approval pursuant in 10 CFR 50.90. 3.0 TECHNICAL EVALUATION 3.1 Licensee's Requested Change License Amendment No. 266 to Renewed Facility Operating License NPF-35 and Amendment No. 262 to Renewed Facility Operating License NPF-52 for Catawba 1 and 2, Amendment No. 264 to Renewed Facility Operating License NPF-9 and Amendment No. 244 to Renewed Facility Operating License NPF-17 for McGuire 1 and 2, and Amendment Nos. 378, 380, and 379 to Renewed Facility Operating Licenses DPR-38, DPR-47, and DPR-55 for Oconee 1, 2, and 3, respectively; were issued on August 31, 2011. The NRC staff also approved the licensee's CSP implementation schedule, as discussed in the safety evaluation issued with the amendments. The implementation schedule had been submitted by the licensee based on a template prepared by the Nuclear Energy Institute (NEI), which the NRC staff found acceptable for licensees to use to develop their CSP implementation schedules (ADAMS Accession No. ML 110070348). The licensee's proposed implementation schedule for the cyber security program identified completion dates and bases for the following nine milestones: 1) Establish the Cyber Security Assessment Team; 2) Identify Critical Systems and Critical Digital Assets (CDAs); 3) Install a deterministic one-way device between lower level devices and higher level devices; 4) Implement the security control "Access Control For Portable And Mobile Devices"; 5) Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds; 6) Identify, document, and implement cyber security controls as per "Mitigation of Vulnerabilities and Application of Cyber Security Controls" for CDAs that could adversely impact the design function of physical security target set equipment; 7) Ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented; 8) Complete operational and management controls; 9) Fully implement the CSP. Currently, Milestone 8 of the Duke CSP requires the licensee to have complete implementation of operational and management controls by June 30, 2015. In its application dated November 6, 2014, Duke proposed to change the Milestone 8 completion date to December 31, 2017. The
-4 -licensee's application addressed the eight criteria in the NRC's October 24, 2013, guidance memorandum. The licensee provided the following information pertinent to each of the criteria identified in the NRC October 24, 2013, guidance memorandum. 1) Identification of the specific requirement or requirements of the CSP that the licensee needs additional time to implement. The licensee stated that the CSP establishes a means to achieve assurance that certain digital computer and communication systems and networks designated as CDAs are adequately protected against cyber attacks. The Milestone 8 completion date was established prior to any significant work being performed on program implementation; therefore, the scope of the assessment activities was not fully appreciated. The scope of the CDA assessment activities was also not fully understood by the industry in general, as evidenced by the need for additional industry guidance. NEI 13-10, Cyber Security Control Assessments, wc:is developed to streamline the process for addressing the application of cyber security controls to the large number of CDAs identified by licensees when conducting the analysis required by 10 CFR 73.54(b). The purpose of NEI 13-10 is to minimize the burden on licensees of complying with their NRG-approved CSP, while continuing to ensure that the adequate protection criteria of 10 CFR 73.54 are met. 2) Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified. The licensee stated most of the CDAs which have been identified are not classic information technology equipment (e.g., servers, workstations, and network switches). The majority of the equipment is digital instrumentation (e.g., smart transmitters, digital valve controllers, etc.). For these devices, most of the controls described in NEI 08-09, "Cyber Security Plan for Nuclear Power Reactors, Appendix D (Technical Cyber Security Controls) and Appendix E (Operational and Management Cyber Security Controls), are not directly applicable and alternate controls are required per CSP Section 3.1.6, Mitigation of Vulnerabilities and Application of Cyber Security Controls. Additionally, the scope of the CDA assessment activities was not fully appreciated. Thus, it is taking longer than expected to perform those CDA assessments. All CDAs for safety functions, important to safety functions, security functions, emergency preparedness functions, and balance of plant functions to the first inter-tie (bus-line breaker) with the offsite distribution system, are given equal importance in the planning and execution of the assessment activities. 3) A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available. The licensee proposed a Milestone 8 completion date of December 31, 2017.
-5 -4) An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall cyber security program in the context of milestones already completed. The licensee indicated that interim actions taken in accordance with Milestones 1 through 7 provide a high degree of protection against cyber attacks during the period of full program implementation. It then briefly described how it had implemented the various milestones and its use of the corrective action program (CAP) for cyber security. 5) A description of the licensee's methodology for prioritizing completion of work for critical digital assets associated with significant safety consequences and with reactivity effects in the balance of plant. The licensee stated all critical digital assets for safety functions, important to safety functions, security functions, emergency preparedness functions, and balance of plant functions to the first inter-tie (bus-line breaker) with offsite distribution system, are given equal importance in the planning and execution of the assessment activities. 6) A discussion of the licensee's cyber security program performance up to the date of the LAR. The licensee stated that interim actions taken in accordance with Milestones 1 through 7 provide a high degree of protection against cyber-attacks during the period that the full program is being implemented. It provided details about the effectiveness of some of the completed work. It also noted an audit at three of the sites with issues being placed in the CAP for resolution. 7) A discussion of cyber security issues pending in the licensee's CAP. The licensee stated Catawba, McGuire, and Oconee use the CAP to document cyber security issues in order to trend, correct and improve the cyber security program. The licensee listed cyber security program actions pending in the CAP. 8) A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications. The licensee discussed completed modifications and pending modifications and noted additional modifications may be identified as assessment work continues. 3.2 NRC Staff Evaluation The NRC staff evaluated the licensee's application using the regulatory requirements and the guidance cited in Section 2.0 above. The licensee stated that the CSP requirement regarding additional time to implement the CSP is found in CSP Section 3.1, "Analyzing Digital Computer Systems and Networks in Applying Cyber Security Controls." The licensee provided a list of additional activities required to implement the CSP requirement.
-6 -The licensee indicated that completion of the activities associated with the CSP, as described in Milestones 1 through 7 and completed prior to the November 6, 2014 application, provide a high degree of protection to ensure that the most significant digital computer and communication systems and networks associated with safety, security, and emergency preparedness systems are already protected against cyber-attacks. It detailed activities completed for each milestone and noted that several elements of Milestone 8 have already been implemented. It provided details about the completed milestones and elements. On such basis, the NRC staff finds that the licensee's sites are much more secure after implementation of Milestones 1 through 7, because the activities the licensee completed will mitigate the most significant cyber-attack vectors for the most significant CDAs. The licensee proposed a Milestone 8 completion date of December 31, 2017. The licensee stated that changing the completion date of Milestone 8 provides adequate time to complete the CDA assessment, implement design modifications based on assessment results, update existing procedures, and develop new procedures to complete full implementation of the CSP. The NRC staff has had extensive interaction with the nuclear industry since licensees first developed their CSP implementation schedules. Based on this interaction, the NRC staff recognizes that CDA assessment work is much more complex and resource-intensive than originally anticipated. The licensee has a large number of CDAs and underestimated the level of effort to address security controls for each of the CDAs when developing its CSP implementation schedule. The NRC staff finds that the licensee's request for additional time to implement Milestone 8 is reasonable, given the unanticipated complexity and scope of the work required to come into full compliance with its CSP. The licensee stated that its methodology for prioritizing the Milestone activities is centered on considerations for safety, security, emergency preparedness, and balance-of-plant (continuity of power) consequences. The methodology is based on defense-in-depth installed configuration of the CDA and susceptibility to five commonly identified threat vectors. Prioritization of CDA assessments begins with safety-related CDAs and continues through the lower priority non-safety-related CDAs. The NRC staff finds that based on the large number of digital assets described above, and the limited resources with the appropriate expertise to perform these activities, the licensee's methodology for prioritizing work on CDAs is appropriate. The NRC staff further finds that the licensee's request to delay completion of Milestone 8 until December 31, 2017, is reasonable, given the complexity of the remaining unanticipated work and the need to perform certain work, including design changes, during scheduled fuel outages. 3.3 Revision to License Conditions By letter dated November 6, 2014, the licensee proposed to modify Paragraph 2.E of Renewed Facility Operating License Nos. NPF-35 and NPF-52 for Catawba 1 and 2, respectively, which provides a license condition to require the licensee to fully implement and maintain in effect all provisions of the NRG-approved CSP.
-7 -The license condition in Paragraph 2.E of Renewed Operating License No. NPF-35 for Catawba 1 is modified as follows: E. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 10 CFR 73.21, is entitled: "Duke Energy Physical Security Plan," Revision 8 submitted by letter dated May 17, 2007. Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 266, as supplemented by a change approved by License Amendment No. 276. The license condition in Paragraph 2.E of Renewed Operating License No. NPF-52 for Catawba 2 is modified as follows: E. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 10 CFR 73.21, is entitled: "Duke Energy Physical Security Plan," Revision 8 submitted by letter dated May 17, 2007. Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 262, as supplemented by a change approved by License Amendment No. 272. By letter dated November 6, 2014, the licensee proposed to modify Paragraph 2.D of Renewed Facility Operating License Nos. NPF-9 and NPF-17 for McGuire 1 and 2, respectively, which provides a license condition to require the licensee to fully implement and maintain in effect all provisions of the NRG-approved CSP.
-8 -The license condition in Paragraph 2.0 of Renewed Operating License No. NPF-9 for McGuire 1, is modified as follows: D. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 10 CFR 73.21, is entitled: "Duke Energy Physical Security Plan," submitted by letter dated September 8, 2004, and supplemented on September 30, 2004, October 15, 2004, October 21, 2004, and October 27, 2004. Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 1 O CFR 50.54(p). The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 264, as supplemented by a change approved by License Amendment No. 279. The license condition in Paragraph 2.D of Renewed Operating License No. NPF-17 for McGuire 2 is modified as follows: D. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 10 CFR 73.21, is entitled: "Duke Energy Physical Security Plan," submitted by letter dated September 8, 2004, and supplemented on September 30, 2004, October 15, 2004, October 21, 2004, and October 27, 2004. Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 1 O CFR 50.54(p). The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 244, as supplemented by a change approved by License Amendment No. 259.
-9 -By letter dated November 6, 2014, the licensee proposed to modify Paragraph 3.E of Renewed Facility Operating License Nos. DPR-38, DPR-47, and DPR-55 for Oconee 1, 2, and 3, respectively, which provides a license condition to require the licensee to fully implement and maintain in effect all provisions of the NRG-approved CSP. The license condition in Paragraph 3.E of Renewed Operating License No. DPR-38 for Oconee 1, is modified as follows: E. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 10 CFR 73.21, is entitled: "Duke Energy Physical Security Plan," submitted by letter dated September 8, 2004, and supplemented on September 30, 2004, October 15, 2004, October 21, 2004, and October 27, 2004. Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 378, as supplemented by a change approved by License Amendment No. 391. The license condition in Paragraph 3.E of Renewed Operating License No. DPR-47 for Oconee 2, is modified as follows: E. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 10 CFR 73.21, is entitled: "Duke Energy Physical Security Plan," submitted by letter dated September 8, 2004, and supplemented on September 30, 2004, October 15, 2004, October 21, 2004, and October 27, 2004.
-10 -Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 1 O CFR 50.54(p). The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 380, as supplemented by a change approved by License Amendment No. 393. The license condition in Paragraph 3.E of Renewed Operating License No. DPR-55 for Oconee 3, is modified as follows: E. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 10 CFR 73.21, is entitled: "Duke Energy Physical Security Plan," submitted by letter dated September 8, 2004, and supplemented on September 30, 2004, October 15, 2004, October 21, 2004, and October 27, 2004. Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 379, as supplemented by a change approved by License Amendment No. 392. 3.4 Summary Based on its review of the licensee's submission, the NRC staff concludes: (i) that the licensee's implementation of Milestones 1 through 7 adds additional protection, which provides mitigation for significant cyber-attack vectors for the most significant CDAs; (ii) that the scope of the work required to come into full compliance with the CSP implementation schedule was much more complicated than anticipated and not reasonably foreseeable; and, therefore, (iii) that it is acceptable for Duke to complete implementation of Milestone 8 by December 31, 2017. The NRC staff also concludes that, upon full implementation of the licensee's cyber security program, the requirements of the licensee's CSP and 10 CFR 73.54 will be met and will provide adequate protection of the public health and safety and the common defense and security. Therefore, the NRC staff finds the proposed change acceptable.
-11 -4.0 STATE CONSULTATION In accordance with the Commission's regulations, the North Carolina and South Carolina State officials were notified of the proposed issuance of the amendments. The State officials had no comments. 5.0 ENVIRONMENTAL CONSIDERATION The amendments relate solely to safeguards requirements and do not involve any significant construction impacts. The amendments are administrative changes to extend the date by which the licensee must have its CSP fully implemented. The Commission has previously issued a proposed finding that the amendments involve no significant hazards consideration, and there has been no public comment on such finding, which was published in the Federal Register on February 3, 2015 (80 FR 5818). Accordingly, the amendments meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(12). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendments. 6.0 CONCLUSION The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public. Principal Contributor: J. Rycyna Date of issuance: June 11, 2015 R. Repko -2 -If you have any questions, please call me at 301-415-2481. Sincerely, IRA/ G. Edward Miller, Project Manager Plant Licensing Branch 11-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. 50-413, 50-414, 50-369, 50-370 50-269, 50-270, and 50-287 Enclosures: 1. Amendment No. 276 to NPF-35 2. Amendment No. 272 to NPF-52 3. Amendment No. 279 to NPF-9 4. Amendment No. 259 to NPF-17 5. Amendment No. 391 to DPR-38 6. Amendment No. 393 to DPR-47 7. Amendment No. 392 to DPR-55 8. Safety Evaluation cc w/encls: Distribution via Listserv DISTRIBUTION: Public LPL2-1 R/F RidsAcrsAcnw_MailCTR Resource RidsNrrDorlDpr Resource RidsNrrDorllpl2-1 Resource RidsNrrLASFigueroa Resource RidsNrrPMCatawba Resource RidsNrrPMMcGuire Resource RidsNrrPMOconee Resource RidsNsirOd Resource RidsRgn2MailCenter Resource JRycyna, NSIR ADAMS Accession No. ML 15133A453 OFFICE DORL/LPL2-1 /PM DORL/LPL2-1 /LA NSIR/CSD/BC* NAME GEMiller SFigueroa BWestreich (JBurkhardt for) DATE 6/11/15 6/10/15 5/18/15 OGC-NLO DLenehan 6/8/15 OFFICIAL RECORD COPY *SE input DORL/LPL2-1 /BC DORL/LPL2-1 /PM RPascarelli GEMiller 6/11/15 6/11/15