ML15173A380: Difference between revisions

(Created page by program invented by StriderTol)


=Text=
{{#Wiki_filter:JAFP-15-0068 June 22, 2015
{{#Wiki_filter:JAFP-15-0068  


U.S. Nuclear Regulatory Commission Attn: Document Control Desk Washington, DC  20555-0001  


==Subject:==
License Amendment Request - Cyber Security Plan Implementation Schedule James A. FitzPatrick Nuclear Power Plant Docket No. 50-333 License No. DPR-59


==References:==
: 1. NRC Internal Memorandum to Barry Westreich from Russell Felts, Review Criteria for 10 CFR 73.54, Cyber Security Implementation Schedule Milestone 8 License Amendment Requests, ML13295A467, dated October 24, 2013
: 2. NRC letter to Entergy, Issuance of Amendment Re: License Amendment Request - Cyber Security Plan (TAC No. ME4267), ML11152A011, dated August 19, 2011
: 3. NRC letter to Entergy, Issuance of Amendment Re: Cyber Security Plan Implementation Schedule Milestone 8 (TAC No. MF3456), ML14202A372, dated December 1, 2014
 


==Dear Sir or Madam:==


Pursuant to 10 CFR 50.4 and 10 CFR 50.90, Entergy Operations, Inc. (Entergy) hereby requests an amendment to the Renewed Facility Operating Licenses for James A. FitzPatrick Nuclear Power Plant (JAF), Unit 1. In accordance with the guidelines provided by Reference 1, this request proposes a change to the JAF Cyber Security Plan Milestone 8 full implementation date as set forth in the Cyber Security Plan Implementation Schedule approved by References 2 and 3.

Attachment 1 provides an evaluation of the proposed change. Attachment 2 contains proposed marked-up operating license page for the Physical Protection license condition for JAF to reference the commitment change provided in this submittal. Attachment 3 contains the proposed revised operating license pages. Attachment 4 contains a change to the date of Implementation Milestone 8.

The proposed changes have been evaluated in accordance with 10 CFR 50.91(a)(1) using criteria in 10 CFR 50.92(c), and it has been determined that the changes involve no significant hazards consideration. The bases for these determinations are included in Attachment 1.

Entergy Nuclear Northeast
Entergy Nuclear Operations, Inc.
James A. FitzPatrick NPP
P.O. Box 110
Lycoming, NY 13093
Tel 315-342-3840

Brian R. Sullivan
Site Vice President - JAF

Entergy requests this license amendment be effective as of its date of issuance. Although this request is neither exigent nor emergency, your review and approval is requested prior to June 30, 2016.

The revised commitment contained in this submittal is summarized in Attachment 5.

Should you have any questions concerning this letter, or require additional information, please contact Chris M. Adner at 315-349-6766.

I declare under penalty of perjury that the foregoing is true and correct. Executed on June 22, 2015.

Sincerely,

Brian R. Sullivan
Site Vice President

BRS/CMA/mh

Attachments:
: 1. Analysis of Proposed Operating License Change
: 2. Proposed JAF Operating License Changes (mark-up)
: 3. Revised JAF Operating License Pages
: 4. Revised Cyber Security Plan Implementation Schedule
: 5. List of Revised Regulatory Commitments

cc:
: Regional Administrator, Region 1
: Resident Inspector
: NRR Project Manager
: New York State Department of Public Service
: NYSERDA President and CEO


JAFP-15-0068  Attachment 1 Analysis of Proposed Operating License Change (Pages 7)
==1.0 SUMMARY DESCRIPTION==
This license amendment request (LAR) includes a proposed change to the James A. FitzPatrick Nuclear Power Plant (JAF) Cyber Security Plan (CSP) Implementation Schedule Milestone 8 full implementation date and a proposed revision to the existing operating license Physical Protection license condition.

==2.0 DETAILED DESCRIPTION==
In Reference 1, the NRC provided criteria to be used for evaluation of a license amendment request to revise the Cyber Security Implementation Schedule Milestone 8 date. In Reference 2, the NRC issued license amendments that approved the JAF CSP and associated implementation milestone schedule. The CSP Implementation Schedule approved by Reference 2 was utilized as a portion of the basis for the NRC's safety evaluation report provided in Reference 2. In Reference 3, the NRC issued license amendments that approved a revised implementation milestone schedule.

Entergy Operations, Inc. (Entergy) is proposing a change to the Milestone 8 date from June 30, 2016, to December 15, 2017, for full implementation of the CSP for all applicable safety, security, and emergency preparedness (SSEP) functions.


==3.0 TECHNICAL EVALUATION==
In November 2009, in accordance with 10 CFR 73.54 (nuclear cyber security rule), each Entergy licensee submitted a proposed schedule for achieving full compliance with the rule. The schedule was approved (Reference 2) and consists of eight milestones, with interim Milestones 1 through 7 being completed by December 31, 2012, and Milestone 8 (full compliance) to be completed by December 15, 2014. During the process of accomplishing Interim Milestones 1 through 7 and commencing Milestone 8 work, it became evident to Entergy that additional time would be required, and a schedule extension request to June 30, 2016, was approved by the NRC (Reference 3). However, it has subsequently become evident that an additional extension is necessary. The extension requested herein is for a Milestone 8 date of December 15, 2017.

Below is Entergy's discussion of the eight evaluation criteria provided by Reference 1.

1. Identification of the specific requirement or requirements of the CSP that the licensee needs additional time to implement.

The CSP Sections 3 and 4 describe requirements for application and maintenance of cyber security controls listed in Nuclear Energy Institute (NEI) 08-09, Revision 6, Cyber Security Plan for Nuclear Power Reactors, Appendices D and E. Application of the controls is accomplished after completion of detailed analyses (the cyber security assessment process) that identify "gaps," or the difference between current configuration and a configuration that satisfies each cyber security control. Gap closure can require any combination of physical, logical (software-related), or programmatic/procedural changes.

2. Detailed justification that describes the reason additional time is required to implement the specific requirement or requirements identified.

a. Entergy hosted a "pilot" Milestone 8 inspection at the Indian Point site in March 2014. During the pilot, insight was gained into NRC interpretation on how to apply the cyber security controls listed in NEI 08-09, Revision 6. These interpretations were not previously available. During the pilot inspection, the NRC team reviewed several examples of critical digital assets (CDAs) with Entergy and indicated the level of detail and depth expected for the technical analyses against cyber security controls referenced in NEI 08-09. Based on this review, it is evident to Entergy that the detail and depth of the technical analysis exceeds Entergy's prior understanding and requires a considerably greater effort to achieve than initially anticipated.

b. During 2015, each operating Entergy licensee has an inspection of compliance with interim Milestones 1 through 7. The preparation for and support of these inspections has required a significant commitment of time from Entergy's most knowledgeable subject matter experts on nuclear cyber security, exceeding the estimate previously developed and therefore, drawing those resources away from Milestone 8 implementation activities.

c. Development of an endorsed written standard for interpreting and applying the NEI 08-09 cyber security controls has continued to be a work-in-progress over the past five years. NEI 13-10, Revision 2, a guideline intended to provide some reduction of controls implementation based on equipment safety significance, has been endorsed. However, an initial screening of Entergy CDAs using this guideline indicates the reduction in both analytical work and actual application of controls would not be significant.

d. In June 2014, NEI submitted a petition for rulemaking to the Commission. The petition was subsequently found acceptable for review. The petition proposes a change to the rule to more precisely align the scope of the rule with the underlying objective of preventing radiological sabotage, which NEI estimates could potentially result in a reduction in the scope of cyber security implementation. While Entergy does not intend to suspend any implementation work in anticipation of the petition being approved, the petition being submitted is indicative that the final process for implementing the rule has not stabilized, and therefore, Entergy requires additional time to receive any implementation benefit from such rulemaking.

e. Benchmarking data gathered on Milestone 8 implementation schedules for non-Entergy licensees indicates that a significant number of licensees have either gained approval for a new Milestone 8 date or submitted an extension request significantly beyond Entergy's current due date; therefore, Entergy's request is consistent with the industry.

3. Proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available.

The proposed completion date for Milestone 8 is December 15, 2017.

4. Evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the overall cyber security program in the context of milestones already completed.

The impact of the requested additional implementation time on the effectiveness of the overall cyber security program is considered to be very low, because the Interim Milestones already completed have resulted in a high degree of protection of safety-related, important-to-safety, and security CDAs against threat vectors associated with external connectivity (both wired and wireless), and portable digital media and devices. Additionally, extensive physical and administrative measures are already in place for CDAs pursuant to the JAF Security Plan and Technical Specification requirements. In the context of cyber security milestones already completed, the following is noted:

a. An Entergy Cyber Security Assessment Team (CSAT) has been implemented consisting of highly experienced personnel knowledgeable in reactor and balance-of-plant design, licensing, safety, security, emergency preparedness, information technology, and cyber security. The CSAT is provided with the authority, via written procedure, to perform the analyses and oversight activities described in the CSP. Entergy employs a single overall fleet-wide CSAT to ensure consistency of results among the fleet.

b. Critical systems and CDAs have been identified, documented, and entered in a controlled database.

c. The plant process computer network and the plant security computer network have been deterministically isolated per the requirements of cyber security Interim Milestone 3.

d. Safety-related, important-to-safety, and security CDAs have been extensively reviewed and verified (or modified) to be deterministically isolated and not to employ wireless network technology.

e. Procedures have been implemented for portable digital media and devices periodically connected to CDAs, per NEI 08-09, Revision 6, Appendix D, Section 1.19.

f. CDAs associated with physical security target sets have been analyzed per the requirements of the CSP Section 3.1.6 and either (1) verified to satisfy the Technical Cyber Security Controls described in NEI 08-09, Revision 6, Appendix D or (2) actions required to satisfy the Technical Cyber Security Controls described in NEI 08-09, Revision 6, Appendix D, are captured in the Corrective Action Program (CAP).

g. Employees have been provided with training on cyber security awareness, tampering, and control of portable digital media and devices periodically connected to CDAs.

h. Entergy has transitioned from the previous cyber security program described by NEI 04-04. Revisions have been made to procedures that control plant modifications, planning, and maintenance, establishing ties to cyber security procedures for CDA analysis and control of portable digital media and devices periodically connected to CDAs.

5. Description of the methodology for prioritizing completion of work for CDAs associated with significant SSEP consequences and with reactivity effects in the balance of plant.

Because CDAs are plant components, prioritization follows the normal work management process that places the highest priority on apparent conditions adverse to quality in system, structure, and component design function and related factors such as safety risk and nuclear defense-in-depth, as well as threats to continuity of electric power generation in the balance-of-plant (BOP). Further, in regard to deterministic isolation and control of portable media devices (PMD) for safety-related, important-to-safety (including BOP), and security CDAs, maintenance of one-way or air-gapped configurations and implementation of control of PMD remains a high priority. This prioritization enabled completion of cyber security Interim Milestones 3 and 4. High focus continues to be maintained on prompt attention to any emergent issue with these CDAs that would potentially challenge the established cyber protective barriers. Additionally it should be noted that these CDAs encompass those associated with physical security target sets.

6. Discussion of the cyber security program performance up to the date of the license amendment request.

No compromise of SSEP function by cyber means has been identified. Additionally, a Quality Assurance (QA) audit was conducted in the fourth quarter of 2014 pursuant to the physical security program review required by 10 CFR 73.55(m). The QA audit included review of cyber security program implementation. There were no significant findings related to overall cyber security program performance and effectiveness.

7. Discussion of cyber security issues pending in the CAP.

No significant (with 'significant' meaning constituting a threat to a CDA via cyber means or calling into question program effectiveness) nuclear cyber security issues are currently pending in the CAP. Several non-significant issues identified during the QA audit described above and identified during NRC inspections of compliance with nuclear cyber security Interim Milestones 1 through 7 have been entered into CAP. When Reference 4 internal NRC memorandum was shared with Entergy, the actions described regarding cyber security Interim Milestone 4 were entered into CAP for evaluation by the CSAT.

8. Discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.

Modifications completed include those required to deterministically isolate the Level 3 and 4 CDAs, as required by Interim Milestone 3, by data diode or air gap. Potential modifications not yet implemented include automated security information event monitoring systems for monitoring activity on networks of CDAs, pursuant to NEI 08-09, Revision 6, Appendix D-2 (Audit and Accountability), and Appendices E-3.4 (Monitoring Tools and Techniques), 3.5 (Security Alerts and Advisories), and 4.3 (Personnel Performing maintenance and Testing Activities), and additional physical controls for CDAs outside the Protected Area pursuant to NEI 08-09, Revision 6, Appendix E-5.1 (Physical and Operational Environment Protection Policies and Procedures).
This LAR includes the proposed change to the existing operating license condition for "Physical Protection" (Attachments 2 and 3) for JAF, respectively. This LAR also contains the proposed Revised CSP Implementation Schedule (Attachment 4) and revised list of regulatory commitments (Attachment 5).
 
schedule was approved (Reference 2) and consists of eight milestones, with interim Milestones  
 
1 through 7 being completed by December 31, 2012, and Milestone 8 (full compliance) to be  
 
completed by December 15, 2014. During the process of accomplishing Interim Milestones 1  
 
through 7 and commencing Milestone 8 work, it became evident to Entergy that additional time  
 
would be required, and a schedule extension request to June 30, 2016, was approved by the  
 
NRC (Reference 3). However, it has subsequently become evident that an additional extension  
 
is necessary. The extension requested herein is for a Milestone 8 date of December 15, 2017.
Below is Entergy's discussion of the eight evaluation criteria provided by Reference 1. 1 Identification of the specific requirement or requirements of the CSP that the licensee needs additional time to implement.
The CSP Sections 3 and 4 describe requirements for application and maintenance of cyber security controls listed in Nuclear Energy Institute (NEI) 08-09, Revision 6, Cyber Security Plan for Nuclear Power Reactors
, Appendices D and E. Application of the controls is accomplished after completion of detailed analyses (the cyber security assessment process)  
 
that identify "gaps," or the difference between current configuration and a configuration that  
 
satisfies each cyber security control. Gap clos ure can require any combination of physical, logical (software-related), or programmatic/procedural changes. 2 Detailed justification that describes the reason additional time is required to implement the specific requirement or requirements identified. a. Entergy hosted a "pilot" Milestone 8 inspection at the Indian Point site in March 2014.
During the pilot, insight was gained into NRC interpretation on how to apply the cyber  
 
security controls listed in NEI 08-09, Revision 6. These interpretations were not  
 
previously available. During the pilot inspection, the NRC team reviewed several  
 
examples of critical digital assets (CDAs) with Entergy and indicated the level of detail  
 
and depth expected for the technical analyses against cyber security controls referenced  
 
in NEI 08-09. Based on this review, it is evident to Entergy that the detail and depth of JAFP-15-0068   Analysis of Proposed Operating License Change Page 2 of 7 the technical analysis exceeds Entergy's prior understanding and requires a considerably greater effort to achieve than initially anticipated. b. During 2015, each operating Entergy licensee has an inspection of compliance with interim Milestones 1 through 7. The preparation for and support of these inspections has  
 
required a significant commitment of time from Entergy's most knowledgeable subject  
 
matter experts on nuclear cyber security, exceeding the estimate previously developed and therefore, drawing those resources away from Milestone 8 implementation activities. c. Development of an endorsed written standard for interpreting and applying the NEI 08-09 cyber security controls has continued to be a work-in-progress over the past  
 
five years. NEI 13-10, Revision 2, a guideline intended to provide some reduction of  
 
controls implementation based on equipment safety significance, has been endorsed.  
 
However, an initial screening of Entergy CDAs using this guideline indicates the  
 
reduction in both analytical work and actual application of controls would not be  
 
significant. d. In June 2014, NEI submitted a petition for rulemaking to the Commission. The petition was subsequently found acceptable for review. The petition proposes a change to the  
 
rule to more precisely align the scope of the rule with the underlying objective of  
 
preventing radiological sabotage, which NEI estimates could potentially result in a  
 
reduction in the scope of cyber security implementation. While Entergy does not intend  
 
to suspend any implementation work in anticipation of the petition being approved, the  
 
petition being submitted is indicative that the final process for implementing the rule has  
 
not stabilized, and therefore, Entergy requires additional time to receive any  
 
implementation benefit from such rulemaking. e. Benchmarking data gathered on Milestone 8 implementation schedules for non-Entergy licensees indicates that a significant number of licensees have either gained approval for  
 
a new Milestone 8 date or submitted an ext ension request significantly beyond Entergy's current due date; therefore, Entergy's request is consistent with the industry. 3 Proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available.
The proposed completion date for Milestone 8 is December 15, 2017. 4 Evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the overall cyber security program in the context of milestones already completed.
The impact of the requested additional implementation time on the effectiveness of the overall cyber security program is considered to be very low, because the Interim Milestones already completed have resulted in a high degree of protection of safety-related,  
 
important-to-safety, and security CDAs against threat vectors associated with external  
 
connectivity (both wired and wireless), and portable digital media and devices. Additionally,  
 
extensive physical and administrat ive measures are already in place for CDAs pursuant to the JAF Security Plan and Technical Specificati on requirements. In the context of cyber security milestones already completed, the following is noted: a. An Entergy Cyber Security Assessment Team (CSAT) has been implemented consisting of highly experienced personnel knowledgeable in reactor and balance-of-plant design,  
 
licensing, safety, security, emergency pr eparedness, information technology, and cyber security. The CSAT is provided with the authority, via written procedure, to perform the JAFP-15-0068   Analysis of Proposed Operating License Change Page 3 of 7 analyses and oversight activities described in the CSP. Entergy employs a single overall fleet-wide CSAT to ensure consistency of results among the fleet. b. Critical systems and CDAs have been identified, documented, and entered in a controlled database. c. The plant process computer network and the plant security computer network have been deterministically isolated per the requirement s of cyber security Interim Milestone 3. d. Safety-related, important-to-safety, and security CDAs have been extensively reviewed and verified (or modified) to be deterministically isolated and not to employ wireless  
 
network technology. e. Procedures have been implemented for portabl e digital media and devices periodically connected to CDAs, per NEI 08-09, Revision 6, Appendix D, Section 1.19. f. CDAs associated with physical security target sets have been analyzed per the requirements of the CSP Section 3.1.6 and either (1) verified to satisfy the Technical  
 
Cyber Security Controls described in NEI 08-09, Revision 6, Appendix D or (2) actions  
 
required to satisfy the Technical Cyber Security Controls described in NEI 08-09, Revision 6, Appendix D, are captured in the Corrective Action Program (CAP). g. Employees have been provided with training on cyber security awareness, tampering, and control of portable digital media and devices periodically connected to CDAs. h. Entergy has transitioned from the previ ous cyber security program described by NEI 04-04. Revisions have been made to procedures that control plant modifications,  
 
planning, and maintenance, establishing ties to cyber security procedures for CDA  
 
analysis and control of portable digital media and devices periodically connected to  
 
CDAs. 5 Description of the methodology for prioritizing completion of work for CDAs associated with significant SSEP consequences and with reactivity effects in the  
 
balance of plant.
Because CDAs are plant components, prioritization follows the normal work management process that places the highest priority on apparent conditions adverse to quality in system,  
 
structure, and component design function and related factors such as safety risk and  
 
nuclear defense-in-depth, as well as threats to continuity of electric power generation in the  
 
balance-of-plant (BOP). Further, in regard to deterministic isolation and control of portable  
 
media devices (PMD) for safety-related, impor tant-to-safety (including BOP), and security CDAs, maintenance of one-way or air-gapped configurations and implementation of control  
 
of PMD remains a high priority. This prioritization enabled completion of cyber security  
 
Interim Milestones 3 and 4. High focus continues to be maintained on prompt attention to  
 
any emergent issue with these CDAs that w ould potentially challenge the established cyber protective barriers. Additionally it should be noted that these CDAs encompass those associated with physical security target sets. 6 Discussion of the cyber security program performance up to the date of the license amendment request.
No compromise of SSEP function by cyber means has been identified. Additionally, a Quality Assurance (QA) audit was conducted in the fourth quarter of 2014 pursuant to the  
 
physical security program review required by 10 CFR 73.55(m). The QA audit included JAFP-15-0068   Analysis of Proposed Operating License Change Page 4 of 7 review of cyber security program implementat ion. There were no significant findings related to overall cyber security progr am performance and effectiveness. 7 Discussion of cyber security issues pending in the CAP.
No significant (with 'significant' meaning constituting a threat to a CDA via cyber means or calling into question program effectiveness) nucl ear cyber security issues are currently pending in the CAP.
Several non-significant issues identified during the QA audit described above and identified during NRC inspections of compliance with nuclear cyber security Interim Milestones 1  
 
through 7 have been entered into CAP. When Reference 4 internal NRC memorandum was  
 
shared with Entergy, the actions described regarding cyber security Interim Milestone 4  
 
were entered into CAP for evaluation by the CSAT. 8 Discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.
Modifications completed include those required to deterministically isolate the Level 3 and 4 CDAs, as required by Interim Milestone 3, by data diode or air gap. Potential modifications not yet implemented include automated security information event monitoring systems for monitoring activity on networks of CDAs, pursuant to NEI 08-09, Revision 6, Appendix D-2 (Audit and Accountability), and Appendices E-3.4 (Monitoring Tools and Techniques), 3.5 (Security Alerts and Advisories), and 4.3 (Personnel Performing maintenance and Testing Activities), and additional physical controls for CDAs outside the Protected Area pursuant to NEI 08-09, Revision 6, Appendix E-5.1 (Physical and Operational Environment Protection Policies and Procedures).
This LAR includes the proposed change to the existing operating license condition for "Physical Protection" (Attachments 2 and 3) for JAF, respectively. This LAR also contains the proposed Revised CSP Implementation Schedule (Attachment 4) and revised list of regulatory commitments (Attachment 5).


==4.0 REGULATORY EVALUATION==
4.1 Applicable Regulatory Requirements/Criteria

10 CFR 73.54 requires licensees to maintain and implement a cyber security plan (CSP). James A. FitzPatrick Nuclear Power Plant (JAF) Facility Operating License No. DPR-59 includes a Physical Protection license condition that requires Entergy Operations, Inc. (Entergy) to fully implement and maintain in effect all provisions of the Commission-approved CSP, including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

4.2 Significant Safety Hazards Consideration

Entergy is requesting an amendment to the JAF Facility Operating License to revise the Physical Protection license condition as it relates to the CSP. This change includes a proposed change to a CSP Implementation Schedule milestone date and a proposed revision to the JAF Facility Operating License to include the proposed deviation. Specifically, Entergy is proposing a change to the Implementation Milestone 8 completion date.

Entergy has evaluated whether or not a significant hazards consideration is involved with the proposed amendment by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of Amendment," as discussed below:

1. Does the proposed change involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The proposed change to the CSP Implementation Schedule is administrative in nature. This change does not alter accident analysis assumptions, add any initiators, or affect the function of plant systems or the manner in which systems are operated, maintained, modified, tested, or inspected. The proposed change does not require any plant modifications which affect the performance capability of the structures, systems, and components relied upon to mitigate the consequences of postulated accidents and has no impact on the probability or consequences of an accident previously evaluated.

Therefore, the proposed change does not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed change create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

The proposed change to the CSP Implementation Schedule is administrative in nature. This proposed change does not alter accident analysis assumptions, add any initiators, or affect the function of plant systems or the manner in which systems are operated, maintained, modified, tested, or inspected. The proposed change does not require any plant modifications which affect the performance capability of the structures, systems, and components relied upon to mitigate the consequences of postulated accidents and does not create the possibility of a new or different kind of accident from any accident previously evaluated.

Therefore, the proposed change does not create the possibility of a new or different kind of accident from any accident previously evaluated.

3. Does the proposed change involve a significant reduction in a margin of safety?

Response: No.

Plant safety margins are established through limiting conditions for operation, limiting safety system settings, and safety limits specified in the technical specifications. The proposed change to the CSP Implementation Schedule is administrative in nature. In addition, the milestone date delay for full implementation of the CSP has no substantive impact because other measures have been taken which provide adequate protection during this period of time. Because there is no change to established safety margins as a result of this change, the proposed change does not involve a significant reduction in a margin of safety.

Therefore, the proposed change does not involve a significant reduction in a margin of safety.

Based on the above, Entergy concludes that the proposed change presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and accordingly, a finding of "no significant hazards consideration" is justified.

4.3 Conclusion

In conclusion, based on the considerations discussed above: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner; (2) such activities will be conducted in compliance with the Commission's regulations; and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.


==5.0 ENVIRONMENTAL CONSIDERATION==
The proposed amendment provides a change to the CSP Implementation Schedule. The proposed amendment meets the eligibility criterion for a categorical exclusion set forth in 10 CFR 51.22(c)(12). Therefore, pursuant to 10 CFR 51.22(b) no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.  
 


==6.0 REFERENCES==
: 1. NRC Internal Memorandum to Barry Westreich from Russell Felts, Review Criteria for 10 CFR 73.54, Cyber Security Implementation Schedule Milestone 8 License Amendment Requests, dated October 24, 2013 (ML13295A467)
: 2. NRC letter to Entergy, Issuance of Amendment Re: License Amendment Request - Cyber Security Plan (TAC No. ME4267), dated August 19, 2011 (ML11152A011)
: 3. NRC letter to Entergy, Issuance of Amendment Re: Cyber Security Plan Implementation Schedule Milestone 8 (TAC No. MF3456), dated December 1, 2014 (ML14202A372)
: 4. NRC internal memorandum from the Director Cyber Security Directorate, Office of Nuclear Security and Incident Response, to the Region I through IV Directors of Reactor Safety, Enhanced Guidance for Licensee Near-Term Corrective Actions to Address Cyber Security Inspection Findings and Licensee Eligibility for "Good-Faith" Attempt Discretion,  , Milestone 4 Resolution Actions, dated July 1, 2013 (ML13178A203)


JAFP-15-0068 Attachment 2 Proposed JAF Operating License Changes (mark-up) (Pages 2)
Amendment 309   


(4) ENO pursuant to the Act and 10 CFR Parts 30, 40, and 70 to receive, possess, and use, at any time, any byproduct, source and special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration; or associated with radioactive apparatus, components or tools.

(5) Pursuant to the Act and 10 CFR Parts 30 and 70, to possess, but not separate, such byproduct and special nuclear materials as may be produced by the operation of the facility.

C. This renewed operating license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter I: Part 20, Section 30.34 of Part 30, Section 40.41 of Part 40, Sections 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

(1) Maximum Power Level

ENO is authorized to operate the facility at steady state reactor core power levels not in excess of 2536 megawatts (thermal).

(2) Technical Specifications

The Technical Specifications contained in Appendix A, as revised through Amendment No. 309, are hereby incorporated in the renewed operating license. The licensee shall operate the facility in accordance with the Technical Specifications.

(3) Fire Protection

ENO shall implement and maintain in effect all provisions of the approved fire protections program as described in the Final Safety Analysis Report for the facility and as approved in the SER dated November 20, 1972; the SER Supplement No. 1 dated February 1, 1973; the SER Supplement No. 2 dated October 4, 1974; the SER dated August 1, 1979; the SER Supplement dated October 3, 1980; the SER Supplement dated February 13, 1981; the NRC Letter dated February 24, 1981; Technical Specification Amendments 34 (dated January 31, 1978), 80 (dated May 22, 1984), 134 (dated July 19, 1989), 135 (dated September 5, 1989), 142 (dated October 23, 1989), 164 (dated August 10, 1990), 176 (dated January 16, 1992), 177 (dated February 10, 1992), 186 (dated February 19, 1993), 190 (dated June 29, 1993), 191 (dated July 7, 1993), 206 (dated February 28, 1994) and 214 (dated June 27, 1994); and NRC Exemptions and associated safety evaluations dated April 26, 1983, July 1, 1983, January 11, 1985, April 30, 1986, September 15, 1986 and September 10, 1992 subject to the following provision:

Amendment 309

Safeguards Contingency Plan, Revision 0," submitted by letter dated October 26, 2004, as supplemented by letter dated May 17, 2006.
 
ENO shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). ENO CSP was approved by License Amendment No. 300, as supplemented by changes approved by License Amendment Nos. 303, and 308, and        .

E. Power Uprate License Amendment Implementation

The licensee shall complete the following actions as a condition of the approval of the power uprate license amendment.

(1) Recirculation Pump Motor Vibration

Perform monitoring of recirculation pump motor vibration during initial Cycle 13 power ascension for uprated power conditions.

(2) Startup Test Program

The licensee will follow a startup testing program, during Cycle 13 power ascension, as described in GE Licensing Topical Report NEDC-31897P-1, "Generic Guidelines for General Electric Boiling Water Reactor Power Uprate." The Startup test program includes system testing of such process control systems as the feedwater flow and main steam pressure control systems. The licensee will collect steady-state operational data during various portions of the power ascension to the higher licensed power level so that predicted equipment performance characteristics can be verified. The licensee will do the startup testing program in accordance with its procedures. The licensee's approach is in conformance with the test guidelines of GE Licensing Topical Report NEDC-31897P-1, "Generic Guidelines for General Electric Boiling Water Reactor Power Uprate." June 1991 (proprietary), GE Licensing Topical Report NEDO-31897, "Generic Guidelines for General Electric Boiling Water Reactor Power Uprate." February 1992 (nonproprietary), and NEDC-31897P-AA, Class III (proprietary), May 1992.

(3) Human Factors

The licensee will review the results of the Cycle 13 startup test program to determine any potential effects on operator training. Training issues identified will be incorporated in Licensed Operator training during 1997. Simulator discrepancies identified will be addressed in accordance with simulator Configuration Management procedural requirements.

F. Additional Conditions

The Additional Conditions contained in Appendix C, as revised through Amendment No. 289, are hereby incorporated into this renewed operating license. ENO shall operate the facility in accordance with the Additional Conditions.
 
JAFP-15-0068 Attachment 3 Revised JAF Operating License Pages (Pages 2)

Amendment

(4) ENO pursuant to the Act and 10 CFR Parts 30, 40, and 70 to receive, possess, and use, at any time, any byproduct, source and special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration; or associated with radioactive apparatus, components or tools.

(5) Pursuant to the Act and 10 CFR Parts 30 and 70, to possess, but not separate, such byproduct and special nuclear materials as may be produced by the operation of the facility.

C. This renewed operating license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter I: Part 20, Section 30.34 of Part 30, Section 40.41 of Part 40, Sections 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

(1) Maximum Power Level

ENO is authorized to operate the facility at steady state reactor core power levels not in excess of 2536 megawatts (thermal).

(2) Technical Specifications

The Technical Specifications contained in Appendix A, as revised through Amendment No.      , are hereby incorporated in the renewed operating license. The licensee shall operate the facility in accordance with the Technical Specifications.

(3) Fire Protection

ENO shall implement and maintain in effect all provisions of the approved fire protections program as described in the Final Safety Analysis Report for the facility and as approved in the SER dated November 20, 1972; the SER Supplement No. 1 dated February 1, 1973; the SER Supplement No. 2 dated October 4, 1974; the SER dated August 1, 1979; the SER Supplement dated October 3, 1980; the SER Supplement dated February 13, 1981; the NRC Letter dated February 24, 1981; Technical Specification Amendments 34 (dated January 31, 1978), 80 (dated May 22, 1984), 134 (dated July 19, 1989), 135 (dated September 5, 1989), 142 (dated October 23, 1989), 164 (dated August 10, 1990), 176 (dated January 16, 1992), 177 (dated February 10, 1992), 186 (dated February 19, 1993), 190 (dated June 29, 1993), 191 (dated July 7, 1993), 206 (dated February 28, 1994) and 214 (dated June 27, 1994); and NRC Exemptions and associated safety evaluations dated April 26, 1983, July 1, 1983, January 11, 1985, April 30, 1986, September 15, 1986 and September 10, 1992 subject to the following provision:

Amendment

Safeguards Contingency Plan, Revision 0," submitted by letter dated October 26, 2004, as supplemented by letter dated May 17, 2006.

ENO shall fully implement and maintain in effect all provisions of the Commission approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). ENO CSP was approved by License Amendment No. 300, as supplemented by changes approved by License Amendment Nos. 303, 308, and      .

E. Power Uprate License Amendment Implementation

The licensee shall complete the following actions as a condition of the approval of the power uprate license amendment.

(1) Recirculation Pump Motor Vibration

Perform monitoring of recirculation pump motor vibration during initial Cycle 13 power ascension for uprated power conditions.

(2) Startup Test Program

The licensee will follow a startup testing program, during Cycle 13 power ascension, as described in GE Licensing Topical Report NEDC-31897P-1, "Generic Guidelines for General Electric Boiling Water Reactor Power Uprate." The Startup test program includes system testing of such process control systems as the feedwater flow and main steam pressure control systems. The licensee will collect steady-state operational data during various portions of the power ascension to the higher licensed power level so that predicted equipment performance characteristics can be verified. The licensee will do the startup testing program in accordance with its procedures. The licensee's approach is in conformance with the test guidelines of GE Licensing Topical Report NEDC-31897P-1, "Generic Guidelines for General Electric Boiling Water Reactor Power Uprate." June 1991 (proprietary), GE Licensing Topical Report NEDO-31897, "Generic Guidelines for General Electric Boiling Water Reactor Power Uprate." February 1992 (nonproprietary), and NEDC-31897P-AA, Class III (proprietary), May 1992.

(3) Human Factors

The licensee will review the results of the Cycle 13 startup test program to determine any potential effects on operator training. Training issues identified will be incorporated in Licensed Operator training during 1997. Simulator discrepancies identified will be addressed in accordance with simulator Configuration Management procedural requirements.

F. Additional Conditions

The Additional Conditions contained in Appendix C, as revised through Amendment No. 289, are hereby incorporated into this renewed operating license. ENO shall operate the facility in accordance with the Additional Conditions.
 
JAFP-15-0068 Attachment 4 Revised Cyber Security Plan Implementation Schedule (Page 1)

Milestone #: 8

Implementation Milestone: Full implementation of James A. FitzPatrick (JAF) Cyber Security Plan for all safety, security, and emergency preparedness (SSEP) functions will be achieved.

Completion Date: Dec. 15, 2017

Basis: By the completion date, the JAF Cyber Security Plan will be fully implemented for all SSEP functions in accordance with 10 CFR 73.54. This date also bounds the completion of all individual asset security control design remediation actions including those that require a refueling outage for implementation.


JAFP-15-0068 Attachment 5 List of Revised Regulatory Commitments (Page 1)
The following table identifies those actions committed to by Entergy in this document. Any other statements in this submittal are provided for information purposes and are not considered to be
Training issues identified will be incorporated in Licensed Operator training during 1997. Simulator discrepancies identified will be addressed in accordance with simulator Configuration Management procedural requirements. F. Additional Conditions The Additional Conditions contained in Appendix C, as revised through Amendment No. 289, are hereby incorporated into this renewed operating license. ENO shall operate the facility in accordance with the Additional Conditions. 
regulatory commitments.
COMMITMENT TYPE (Check One)
SCHEDULED COMPLETION DATE (If Required)
ONE-TIME ACTION CONTINUING COMPLIANCE Full implementation of JAF Cyber Security Plan for all safety, security, and  


JAFP-15-0068  Attachment 4  Revised Cyber Security Plan Implementation Schedule (Page 1)
emergency preparedness functions will be  
JAFP-15-0068 Attachment 4 Revised Cyber Security Plan Implementation Schedule Page 1 of 1

Milestone #: 8

Implementation Milestone: Full implementation of James A. FitzPatrick (JAF) Cyber Security Plan for all safety, security, and emergency preparedness (SSEP) functions will be achieved.

Completion Date: Dec. 15, 2017

Basis: By the completion date, the JAF Cyber Security Plan will be fully implemented for all SSEP functions in accordance with 10 CFR 73.54. This date also bounds the completion of all individual asset security control design remediation actions including those that require a refueling outage for implementation.


JAFP-15-0068  Attachment 5  List of Revised Regulatory Commitments (Page 1)
achieved. X  Dec. 15, 2017}}
JAFP-15-0068 Attachment 5 List of Revised Regulatory Commitments Page 1 of 1

The following table identifies those actions committed to by Entergy in this document. Any other statements in this submittal are provided for information purposes and are not considered to be regulatory commitments.

Columns: COMMITMENT; TYPE (Check One): ONE-TIME ACTION, CONTINUING COMPLIANCE; SCHEDULED COMPLETION DATE (If Required)

Full implementation of JAF Cyber Security Plan for all safety, security, and emergency preparedness functions will be achieved. X  Dec. 15, 2017}}

Revision as of 22:47, 30 June 2018

J. A. FitzPatrick - License Amendment Request - Cyber Security Plan Implementation Schedule
ML15173A380
Person / Time
Site: FitzPatrick
Issue date: 06/22/2015
From: Brian Sullivan
Entergy Nuclear Northeast, Entergy Nuclear Operations
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
JAFP-15-0068


Text

JAFP-15-0068

June 22, 2015

U.S. Nuclear Regulatory Commission

Attn: Document Control Desk

Washington, DC 20555-0001

Subject:

License Amendment Request - Cyber Security Plan Implementation Schedule James A. FitzPatrick Nuclear Power Plant Docket No. 50-333

License No. DPR-59

References:

1. NRC Internal Memorandum to Barry Westreich from Russell Felts, Review Criteria for 10 CFR 73.54, Cyber Security Implementation Schedule Milestone 8 License Amendment Requests, ML13295A467, dated October 24, 2013

2. NRC letter to Entergy, Issuance of Amendment Re: License Amendment Request - Cyber Security Plan (TAC No. ME4267), ML11152A011, dated August 19, 2011

3. NRC letter to Entergy, Issuance of Amendment Re: Cyber Security Plan Implementation Schedule Milestone 8 (TAC No. MF3456), ML14202A372, dated December 1, 2014

Dear Sir or Madam:

Pursuant to 10 CFR 50.4 and 10 CFR 50.90, Entergy Operations, Inc. (Entergy) hereby requests an amendment to the Renewed Facility Operating Licenses for James A. FitzPatrick Nuclear Power Plant (JAF), Unit 1. In accordance with the guidelines provided by Reference 1, this request proposes a change to the JAF Cyber Security Plan Milestone 8 full implementation date as set forth in the Cyber Security Plan Implementation Schedule approved by References 2 and 3. provides an evaluation of the proposed change. Attachment 2 contains proposed marked-up operating license page for the Physical Protection license condition for JAF to reference the commitment change provided in this submittal. Attachment 3 contains the proposed revised operating license pages. Attachment 4 contains a change to the date of Implementation Milestone 8.

The proposed changes have been evaluated in accordance with 10 CFR 50.91(a)(1) using criteria in 10 CFR 50.92(c), and it has been determined that the changes involve no significant hazards consideration. The bases for these determinations are included in Attachment 1.

Entergy Nuclear Northeast
Entergy Nuclear Operations, Inc.
James A. FitzPatrick NPP
P.O. Box 110
Lycoming, NY 13093
Tel 315-342-3840
Brian R. Sullivan
Site Vice President - JAF

Entergy requests this license amendment be effective as of its date of issuance.

Although this request is neither exigent nor emergency, your review and approval is requested prior to June 30, 2016. The revised commitment contained in this submittal is summarized in Attachment 5. Should you have any questions concerning this letter, or require additional information, please contact Chris M. Adner at 315-349-6766.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on June 22, 2015.

Sincerely,

Brian R. Sullivan
Site Vice President

BRS/CMA/mh

Attachments:

1. Analysis of Proposed Operating License Change
2. Proposed JAF Operating License Changes (mark-up)
3. Revised JAF Operating License Pages
4. Revised Cyber Security Plan Implementation Schedule
5. List of Revised Regulatory Commitments

cc: Regional Administrator, Region 1
Resident Inspector
NRR Project Manager
New York State Department of Public Service
NYSERDA President and CEO

JAFP-15-0068 Attachment 1

Analysis of Proposed Operating License Change (Pages 7)

JAFP-15-0068 Analysis of Proposed Operating License Change Page 1 of 7

1.0 SUMMARY DESCRIPTION

This license amendment request (LAR) includes a proposed change to the James A. FitzPatrick Nuclear Power Plant (JAF) Cyber Security Plan (CSP) Implementation Schedule Milestone 8 full implementation date and a proposed revision to the existing operating license Physical Protection license condition.

2.0 DETAILED DESCRIPTION

In Reference 1, the NRC provided criteria to be used for evaluation of a license amendment request to revise the Cyber Security Implementation Schedule Milestone 8 date. In Reference 2, the NRC issued license amendments that approved the JAF CSP and associated implementation milestone schedule. The CSP Implementation Schedule approved by Reference 2 was utilized as a portion of the basis for the NRC's safety evaluation report provided in Reference 2. In Reference 3, the NRC issued license amendments that approved a revised implementation milestone schedule. Entergy Operations, Inc. (Entergy) is proposing a change to the Milestone 8 date from June 30, 2016, to December 15, 2017, for full implementation of the CSP for all applicable safety, security, and emergency preparedness (SSEP) functions.

3.0 TECHNICAL EVALUATION

In November 2009, in accordance with 10 CFR 73.54 (nuclear cyber security rule), each Entergy licensee submitted a proposed schedule for achieving full compliance with the rule. The schedule was approved (Reference 2) and consists of eight milestones, with interim Milestones 1 through 7 being completed by December 31, 2012, and Milestone 8 (full compliance) to be completed by December 15, 2014. During the process of accomplishing Interim Milestones 1 through 7 and commencing Milestone 8 work, it became evident to Entergy that additional time would be required, and a schedule extension request to June 30, 2016, was approved by the NRC (Reference 3). However, it has subsequently become evident that an additional extension is necessary. The extension requested herein is for a Milestone 8 date of December 15, 2017.

Below is Entergy's discussion of the eight evaluation criteria provided by Reference 1.

1 Identification of the specific requirement or requirements of the CSP that the licensee needs additional time to implement.

The CSP Sections 3 and 4 describe requirements for application and maintenance of cyber security controls listed in Nuclear Energy Institute (NEI) 08-09, Revision 6, Cyber Security Plan for Nuclear Power Reactors, Appendices D and E. Application of the controls is accomplished after completion of detailed analyses (the cyber security assessment process) that identify "gaps," or the difference between current configuration and a configuration that satisfies each cyber security control. Gap closure can require any combination of physical, logical (software-related), or programmatic/procedural changes.

2 Detailed justification that describes the reason additional time is required to implement the specific requirement or requirements identified.

a. Entergy hosted a "pilot" Milestone 8 inspection at the Indian Point site in March 2014. During the pilot, insight was gained into NRC interpretation on how to apply the cyber security controls listed in NEI 08-09, Revision 6. These interpretations were not previously available. During the pilot inspection, the NRC team reviewed several examples of critical digital assets (CDAs) with Entergy and indicated the level of detail and depth expected for the technical analyses against cyber security controls referenced in NEI 08-09. Based on this review, it is evident to Entergy that the detail and depth of the technical analysis exceeds Entergy's prior understanding and requires a considerably greater effort to achieve than initially anticipated.

b. During 2015, each operating Entergy licensee has an inspection of compliance with interim Milestones 1 through 7. The preparation for and support of these inspections has required a significant commitment of time from Entergy's most knowledgeable subject matter experts on nuclear cyber security, exceeding the estimate previously developed and therefore, drawing those resources away from Milestone 8 implementation activities.

c. Development of an endorsed written standard for interpreting and applying the NEI 08-09 cyber security controls has continued to be a work-in-progress over the past five years. NEI 13-10, Revision 2, a guideline intended to provide some reduction of controls implementation based on equipment safety significance, has been endorsed. However, an initial screening of Entergy CDAs using this guideline indicates the reduction in both analytical work and actual application of controls would not be significant.

d. In June 2014, NEI submitted a petition for rulemaking to the Commission. The petition was subsequently found acceptable for review. The petition proposes a change to the rule to more precisely align the scope of the rule with the underlying objective of preventing radiological sabotage, which NEI estimates could potentially result in a reduction in the scope of cyber security implementation. While Entergy does not intend to suspend any implementation work in anticipation of the petition being approved, the petition being submitted is indicative that the final process for implementing the rule has not stabilized, and therefore, Entergy requires additional time to receive any implementation benefit from such rulemaking.

e. Benchmarking data gathered on Milestone 8 implementation schedules for non-Entergy licensees indicates that a significant number of licensees have either gained approval for a new Milestone 8 date or submitted an extension request significantly beyond Entergy's current due date; therefore, Entergy's request is consistent with the industry.

3 Proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available.

The proposed completion date for Milestone 8 is December 15, 2017.

4 Evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the overall cyber security program in the context of milestones already completed.

The impact of the requested additional implementation time on the effectiveness of the overall cyber security program is considered to be very low, because the Interim Milestones already completed have resulted in a high degree of protection of safety-related, important-to-safety, and security CDAs against threat vectors associated with external connectivity (both wired and wireless), and portable digital media and devices. Additionally, extensive physical and administrative measures are already in place for CDAs pursuant to the JAF Security Plan and Technical Specification requirements.

In the context of cyber security milestones already completed, the following is noted:

a. An Entergy Cyber Security Assessment Team (CSAT) has been implemented consisting of highly experienced personnel knowledgeable in reactor and balance-of-plant design, licensing, safety, security, emergency preparedness, information technology, and cyber security. The CSAT is provided with the authority, via written procedure, to perform the analyses and oversight activities described in the CSP. Entergy employs a single overall fleet-wide CSAT to ensure consistency of results among the fleet.

b. Critical systems and CDAs have been identified, documented, and entered in a controlled database.

c. The plant process computer network and the plant security computer network have been deterministically isolated per the requirements of cyber security Interim Milestone 3.

d. Safety-related, important-to-safety, and security CDAs have been extensively reviewed and verified (or modified) to be deterministically isolated and not to employ wireless network technology.

e. Procedures have been implemented for portable digital media and devices periodically connected to CDAs, per NEI 08-09, Revision 6, Appendix D, Section 1.19.

f. CDAs associated with physical security target sets have been analyzed per the requirements of the CSP Section 3.1.6 and either (1) verified to satisfy the Technical Cyber Security Controls described in NEI 08-09, Revision 6, Appendix D or (2) actions required to satisfy the Technical Cyber Security Controls described in NEI 08-09, Revision 6, Appendix D, are captured in the Corrective Action Program (CAP).

g. Employees have been provided with training on cyber security awareness, tampering, and control of portable digital media and devices periodically connected to CDAs.

h. Entergy has transitioned from the previous cyber security program described by NEI 04-04. Revisions have been made to procedures that control plant modifications, planning, and maintenance, establishing ties to cyber security procedures for CDA analysis and control of portable digital media and devices periodically connected to CDAs.

5 Description of the methodology for prioritizing completion of work for CDAs associated with significant SSEP consequences and with reactivity effects in the balance of plant.

Because CDAs are plant components, prioritization follows the normal work management process that places the highest priority on apparent conditions adverse to quality in system, structure, and component design function and related factors such as safety risk and nuclear defense-in-depth, as well as threats to continuity of electric power generation in the balance-of-plant (BOP). Further, in regard to deterministic isolation and control of portable media devices (PMD) for safety-related, important-to-safety (including BOP), and security CDAs, maintenance of one-way or air-gapped configurations and implementation of control of PMD remains a high priority. This prioritization enabled completion of cyber security Interim Milestones 3 and 4. High focus continues to be maintained on prompt attention to any emergent issue with these CDAs that would potentially challenge the established cyber protective barriers. Additionally it should be noted that these CDAs encompass those associated with physical security target sets.

6 Discussion of the cyber security program performance up to the date of the license amendment request.

No compromise of SSEP function by cyber means has been identified. Additionally, a Quality Assurance (QA) audit was conducted in the fourth quarter of 2014 pursuant to the physical security program review required by 10 CFR 73.55(m). The QA audit included review of cyber security program implementation. There were no significant findings related to overall cyber security program performance and effectiveness.

7 Discussion of cyber security issues pending in the CAP.

No significant (with 'significant' meaning constituting a threat to a CDA via cyber means or calling into question program effectiveness) nuclear cyber security issues are currently pending in the CAP.

Several non-significant issues identified during the QA audit described above and identified during NRC inspections of compliance with nuclear cyber security Interim Milestones 1 through 7 have been entered into CAP. When Reference 4 internal NRC memorandum was shared with Entergy, the actions described regarding cyber security Interim Milestone 4 were entered into CAP for evaluation by the CSAT.

8 Discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.

Modifications completed include those required to deterministically isolate the Level 3 and 4 CDAs, as required by Interim Milestone 3, by data diode or air gap. Potential modifications not yet implemented include automated security information event monitoring systems for monitoring activity on networks of CDAs, pursuant to NEI 08-09, Revision 6, Appendix D-2 (Audit and Accountability), and Appendices E-3.4 (Monitoring Tools and Techniques), 3.5 (Security Alerts and Advisories), and 4.3 (Personnel Performing Maintenance and Testing Activities), and additional physical controls for CDAs outside the Protected Area pursuant to NEI 08-09, Revision 6, Appendix E-5.1 (Physical and Operational Environment Protection Policies and Procedures).

This LAR includes the proposed change to the existing operating license condition for "Physical Protection" (Attachments 2 and 3) for JAF, respectively. This LAR also contains the proposed Revised CSP Implementation Schedule (Attachment 4) and revised list of regulatory commitments (Attachment 5).

4.0 REGULATORY EVALUATION

4.1 Applicable Regulatory Requirements/Criteria

10 CFR 73.54 requires licensees to maintain and implement a cyber security plan (CSP). James A. FitzPatrick Nuclear Power Plant (JAF) Facility Operating License Nos. DPR-59, includes a Physical Protection license condition that requires Entergy Operations, Inc. (Entergy) to fully implement and maintain in effect all provisions of the Commission-approved CSP, including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

4.2 Significant Safety Hazards Consideration

Entergy is requesting an amendment to the JAF Facility Operating License to revise the Physical Protection license condition as it relates to the CSP. This change includes a proposed change to a CSP Implementation Schedule milestone date and a proposed revision to the JAF Facility Operating License to include the proposed deviation. Specifically, Entergy is proposing a change to the Implementation Milestone 8 completion date.

Entergy has evaluated whether or not a significant hazards consideration is involved with the proposed amendment by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of Amendment," as discussed below:

1. Does the proposed change involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The proposed change to the CSP Implementation Schedule is administrative in nature. This change does not alter accident analysis assumptions, add any initiators, or affect the function of plant systems or the manner in which systems are operated, maintained, modified, tested, or inspected. The proposed change does not require any plant modifications which affect the performance capability of the structures, systems, and components relied upon to mitigate the consequences of postulated accidents and has no impact on the probability or consequences of an accident previously evaluated.

Therefore, the proposed change does not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed change create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

The proposed change to the CSP Implementation Schedule is administrative in nature. This proposed change does not alter accident analysis assumptions, add any initiators, or affect the function of plant systems or the manner in which systems are operated, maintained, modified, tested, or inspected. The proposed change does not require any plant modifications which affect the performance capability of the structures, systems, and components relied upon to mitigate the consequences of postulated accidents and does not create the possibility of a new or different kind of accident from any accident previously evaluated.

Therefore, the proposed change does not create the possibility of a new or different kind of accident from any accident previously evaluated.

3. Does the proposed change involve a significant reduction in a margin of safety?

Response: No.

Plant safety margins are established through limiting conditions for operation, limiting safety system settings, and safety limits specified in the technical specifications. The proposed change to the CSP Implementation Schedule is administrative in nature. In addition, the milestone date delay for full implementation of the CSP has no substantive impact because other measures have been taken which provide adequate protection during this period of time. Because there is no change to established safety margins as a result of this change, the proposed change does not involve a significant reduction in a margin of safety.

Therefore, the proposed change does not involve a significant reduction in a margin of safety.

Based on the above, Entergy concludes that the proposed change presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and accordingly, a finding of "no significant hazards consideration" is justified.

4.3 Conclusion

In conclusion, based on the considerations discussed above: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner; (2) such activities will be conducted in compliance with the Commission's regulations; and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.


5.0 ENVIRONMENTAL CONSIDERATION

The proposed amendment provides a change to the CSP Implementation Schedule. The proposed amendment meets the eligibility criterion for a categorical exclusion set forth in 10 CFR 51.22(c)(12). Therefore, pursuant to 10 CFR 51.22(b) no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.

6.0 REFERENCES

1. NRC Internal Memorandum to Barry Westreich from Russell Felts, Review Criteria for 10 CFR 73.54, Cyber Security Implementation Schedule Milestone 8 License Amendment Requests, dated October 24, 2013 (ML13295A467)

2. NRC letter to Entergy, Issuance of Amendment Re: License Amendment Request - Cyber Security Plan (TAC No. ME4267), dated August 19, 2011 (ML11152A011)

3. NRC letter to Entergy, Issuance of Amendment Re: Cyber Security Plan Implementation Schedule Milestone 8 (TAC No. MF3456), dated December 1, 2014 (ML14202A372)

4. NRC internal memorandum from the Director Cyber Security Directorate, Office of Nuclear Security and Incident Response, to the Region I through IV Directors of Reactor Safety, Enhanced Guidance for Licensee Near-Term Corrective Actions to Address Cyber Security Inspection Findings and Licensee Eligibility for "Good-Faith" Attempt Discretion, , Milestone 4 Resolution Actions, dated July 1, 2013 (ML13178A203)

JAFP-15-0068 Attachment 2 Proposed JAF Operating License Changes (mark-up)

(Pages 2)

Amendment 309

(4) ENO pursuant to the Act and 10 CFR Parts 30, 40, and 70 to receive, possess, and use, at any time, any byproduct, source and special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration; or associated with radioactive apparatus, components or tools.

(5) Pursuant to the Act and 10 CFR Parts 30 and 70, to possess, but not separate, such byproduct and special nuclear materials as may be produced by the operation of the facility.

C. This renewed operating license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter I: Part 20, Section 30.34 of Part 30, Section 40.41 of Part 40, Sections 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

(1) Maximum Power Level

ENO is authorized to operate the facility at steady state reactor core power levels not in excess of 2536 megawatts (thermal).

(2) Technical Specifications

The Technical Specifications contained in Appendix A, as revised through Amendment No. 309, are hereby incorporated in the renewed operating license. The licensee shall operate the facility in accordance with the Technical Specifications.

(3) Fire Protection

ENO shall implement and maintain in effect all provisions of the approved fire protections program as described in the Final Safety Analysis Report for the facility and as approved in the SER dated November 20, 1972; the SER Supplement No. 1 dated February 1, 1973; the SER Supplement No. 2 dated October 4, 1974; the SER dated August 1, 1979; the SER Supplement dated October 3, 1980; the SER Supplement dated February 13, 1981; the NRC Letter dated February 24, 1981; Technical Specification Amendments 34 (dated January 31, 1978), 80 (dated May 22, 1984), 134 (dated July 19, 1989), 135 (dated September 5, 1989), 142 (dated October 23, 1989), 164 (dated August 10, 1990), 176 (dated January 16, 1992), 177 (dated February 10, 1992), 186 (dated February 19, 1993), 190 (dated June 29, 1993), 191 (dated July 7, 1993), 206 (dated February 28, 1994) and 214 (dated June 27, 1994); and NRC Exemptions and associated safety evaluations dated April 26, 1983, July 1, 1983, January 11, 1985, April 30, 1986, September 15, 1986 and September 10, 1992 subject to the following provision:

Amendment 309

Safeguards Contingency Plan, Revision 0," submitted by letter dated October 26, 2004, as supplemented by letter dated May 17, 2006.

ENO shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). ENO CSP was approved by License Amendment No. 300, as supplemented by changes approved by License Amendment Nos. 303, and 308, and .

E. Power Uprate License Amendment Implementation

The licensee shall complete the following actions as a condition of the approval of the power uprate license amendment.

(1) Recirculation Pump Motor Vibration

Perform monitoring of recirculation pump motor vibration during initial Cycle 13 power ascension for uprated power conditions.

(2) Startup Test Program

The licensee will follow a startup testing program, during Cycle 13 power ascension, as described in GE Licensing Topical Report NEDC-31897P-1, "Generic Guidelines for General Electric Boiling Water Reactor Power Uprate." The Startup test program includes system testing of such process control systems as the feedwater flow and main steam pressure control systems. The licensee will collect steady-state operational data during various portions of the power ascension to the higher licensed power level so that predicted equipment performance characteristics can be verified. The licensee will do the startup testing program in accordance with its procedures. The licensee's approach is in conformance with the test guidelines of GE Licensing Topical Report NEDC-31897P-1, "Generic Guidelines for General Electric Boiling Water Reactor Power Uprate." June 1991 (proprietary), GE Licensing Topical Report NEDO-31897, "Generic Guidelines for General Electric Boiling Water Reactor Power Uprate." February 1992 (nonproprietary), and NEDC-31897P-AA, Class III (proprietary), May 1992.

(3) Human Factors

The licensee will review the results of the Cycle 13 startup test program to determine any potential effects on operator training. Training issues identified will be incorporated in Licensed Operator training during 1997. Simulator discrepancies identified will be addressed in accordance with simulator Configuration Management procedural requirements.

F. Additional Conditions

The Additional Conditions contained in Appendix C, as revised through Amendment No. 289, are hereby incorporated into this renewed operating license. ENO shall operate the facility in accordance with the Additional Conditions.

JAFP-15-0068 Attachment 3 Revised JAF Operating License Pages (Pages 2)

Amendment

(4) ENO pursuant to the Act and 10 CFR Parts 30, 40, and 70 to receive, possess, and use, at any time, any byproduct, source and special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration; or associated with radioactive apparatus, components or tools.

(5) Pursuant to the Act and 10 CFR Parts 30 and 70, to possess, but not separate, such byproduct and special nuclear materials as may be produced by the operation of the facility.

C. This renewed operating license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter I: Part 20, Section 30.34 of Part 30, Section 40.41 of Part 40, Sections 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

(1) Maximum Power Level

ENO is authorized to operate the facility at steady state reactor core power levels not in excess of 2536 megawatts (thermal).

(2) Technical Specifications

The Technical Specifications contained in Appendix A, as revised through Amendment No. , are hereby incorporated in the renewed operating license. The licensee shall operate the facility in accordance with the Technical Specifications.

(3) Fire Protection

ENO shall implement and maintain in effect all provisions of the approved fire protections program as described in the Final Safety Analysis Report for the facility and as approved in the SER dated November 20, 1972; the SER Supplement No. 1 dated February 1, 1973; the SER Supplement No. 2 dated October 4, 1974; the SER dated August 1, 1979; the SER Supplement dated October 3, 1980; the SER Supplement dated February 13, 1981; the NRC Letter dated February 24, 1981; Technical Specification Amendments 34 (dated January 31, 1978), 80 (dated May 22, 1984), 134 (dated July 19, 1989), 135 (dated September 5, 1989), 142 (dated October 23, 1989), 164 (dated August 10, 1990), 176 (dated January 16, 1992), 177 (dated February 10, 1992), 186 (dated February 19, 1993), 190 (dated June 29, 1993), 191 (dated July 7, 1993), 206 (dated February 28, 1994) and 214 (dated June 27, 1994); and NRC Exemptions and associated safety evaluations dated April 26, 1983, July 1, 1983, January 11, 1985, April 30, 1986, September 15, 1986 and September 10, 1992 subject to the following provision:

Safeguards Contingency Plan, Revision 0," submitted by letter dated October 26, 2004, as supplemented by letter dated May 17, 2006.

ENO shall fully implement and maintain in effect all provisions of the Commission approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). ENO CSP was approved by License Amendment No. 300, as supplemented by changes approved by License Amendment Nos. 303, 308, and .

E. Power Uprate License Amendment Implementation

The licensee shall complete the following actions as a condition of the approval of the power uprate license amendment.

(1) Recirculation Pump Motor Vibration

Perform monitoring of recirculation pump motor vibration during initial Cycle 13 power ascension for uprated power conditions.

(2) Startup Test Program

The licensee will follow a startup testing program, during Cycle 13 power ascension, as described in GE Licensing Topical Report NEDC-31897P-1, "Generic Guidelines for General Electric Boiling Water Reactor Power Uprate." The Startup test program includes system testing of such process control systems as the feedwater flow and main steam pressure control systems. The licensee will collect steady-state operational data during various portions of the power ascension to the higher licensed power level so that predicted equipment performance characteristics can be verified. The licensee will do the startup testing program in accordance with its procedures. The licensee's approach is in conformance with the test guidelines of GE Licensing Topical Report NEDC-31897P-1, "Generic Guidelines for General Electric Boiling Water Reactor Power Uprate." June 1991 (proprietary), GE Licensing Topical Report NEDO-31897, "Generic Guidelines for General Electric Boiling Water Reactor Power Uprate." February 1992 (nonproprietary), and NEDC-31897P-AA, Class III (proprietary), May 1992.

(3) Human Factors

The licensee will review the results of the Cycle 13 startup test program to determine any potential effects on operator training. Training issues identified will be incorporated in Licensed Operator training during 1997. Simulator discrepancies identified will be addressed in accordance with simulator Configuration Management procedural requirements.

F. Additional Conditions

The Additional Conditions contained in Appendix C, as revised through Amendment No. 289, are hereby incorporated into this renewed operating license. ENO shall operate the facility in accordance with the Additional Conditions.

JAFP-15-0068 Attachment 4 Revised Cyber Security Plan Implementation Schedule (Page 1)

JAFP-15-0068 Revised Cyber Security Plan Implementation Schedule Page 1 of 1

{| class="wikitable"
! # !! Implementation Milestone !! Completion Date !! Basis
|-
| 8 || Full implementation of James A. FitzPatrick (JAF) Cyber Security Plan for all safety, security, and emergency preparedness (SSEP) functions will be achieved. || Dec. 15, 2017 || By the completion date, the JAF Cyber Security Plan will be fully implemented for all SSEP functions in accordance with 10 CFR 73.54. This date also bounds the completion of all individual asset security control design remediation actions including those that require a refueling outage for implementation.
|}

JAFP-15-0068 Attachment 5 List of Revised Regulatory Commitments (Page 1)

JAFP-15-0068 List of Revised Regulatory Commitments Page 1 of 1

The following table identifies those actions committed to by Entergy in this document. Any other statements in this submittal are provided for information purposes and are not considered to be regulatory commitments.

{| class="wikitable"
! COMMITMENT !! TYPE (Check One): ONE-TIME ACTION / CONTINUING COMPLIANCE !! SCHEDULED COMPLETION DATE (If Required)
|-
| Full implementation of JAF Cyber Security Plan for all safety, security, and emergency preparedness functions will be achieved. || X || Dec. 15, 2017
|}