ML14206A710: Difference between revisions
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
||
Line 3: | Line 3: | ||
| issue date = 11/12/2014 | | issue date = 11/12/2014 | ||
| title = Issuance of Amendment No. 259, Revise Operating License Condition Related to Cyber Security Plan Milestone 8 Full Implementation Date | | title = Issuance of Amendment No. 259, Revise Operating License Condition Related to Cyber Security Plan Milestone 8 Full Implementation Date | ||
| author name = Kim J | | author name = Kim J | ||
| author affiliation = NRC/NRR/DORL/LPLIV-2 | | author affiliation = NRC/NRR/DORL/LPLIV-2 | ||
| addressee name = | | addressee name = | ||
Line 9: | Line 9: | ||
| docket = 05000271 | | docket = 05000271 | ||
| license number = DPR-028 | | license number = DPR-028 | ||
| contact person = Kim J | | contact person = Kim J | ||
| case reference number = TAC MF3306 | | case reference number = TAC MF3306 | ||
| document type = Letter, License-Operating (New/Renewal/Amendments) DKT 50 | | document type = Letter, License-Operating (New/Renewal/Amendments) DKT 50 | ||
Line 49: | Line 49: | ||
==1.0 INTRODUCTION== | ==1.0 INTRODUCTION== | ||
By application dated December 19, 2013, (Agencywide Documents Access and Management System (ADAMS) Accession No. | By application dated December 19, 2013, (Agencywide Documents Access and Management System (ADAMS) Accession No. ML13358A335) | ||
Entergy Nuclear Operations Inc. (Entergy, the licensee) requested a change to the renewed facility operating license (FOL) for Vermont Yankee Nuclear Power Station (VY). The proposed change would revise the date of Cyber Security Plan (CSP) Implementation Schedule Milestone 8 and the existing license conditions in the facility operating license. Milestone 8 of the CSP implementation schedule is the full implementation of the CSP. The supplement to the application dated June 25, 2014 (ADAMS Accession No. | Entergy Nuclear Operations Inc. (Entergy, the licensee) requested a change to the renewed facility operating license (FOL) for Vermont Yankee Nuclear Power Station (VY). The proposed change would revise the date of Cyber Security Plan (CSP) Implementation Schedule Milestone 8 and the existing license conditions in the facility operating license. Milestone 8 of the CSP implementation schedule is the full implementation of the CSP. The supplement to the application dated June 25, 2014 (ADAMS Accession No. ML14182A145), provided additional information that clarified the application, did not expand the scope of the application as originally noticed, and did not change the U.S. Nuclear Regulatory Commission (NRC) staff's original proposed no significant hazards consideration determination as published in the Federal Register on February 27, 2014 (79 FR 11149). Portions of the letter dated December 19, 2013, contain sensitive unclassified non-safeguards information and, accordingly, those portions have been withheld from public disclosure. | ||
==2.0 REGULATORY EVALUATION== | ==2.0 REGULATORY EVALUATION== | ||
The NRC staff reviewed and approved the licensee's existing CSP implementation schedule by License Amendment No. 247 dated July 20, 2011 (ADAMS Accession No. | The NRC staff reviewed and approved the licensee's existing CSP implementation schedule by License Amendment No. 247 dated July 20, 2011 (ADAMS Accession No. ML11152A013), concurrent with the incorporation of the CSP into the facility's current licensing basis. The NRC staff considered the following regulatory requirements and guidance in its review of the current license amendment request to modify the existing CSP implementation schedule: | ||
* Title 10 of the Code of Federal Regulations (1 0 CFR), Section 73.54 states: "Each [CSP] submittal must include a proposed implementation schedule. | * Title 10 of the Code of Federal Regulations (1 0 CFR), Section 73.54 states: "Each [CSP] submittal must include a proposed implementation schedule. | ||
Implementation of the licensee's cyber security program must be consistent with the approved schedule." | Implementation of the licensee's cyber security program must be consistent with the approved schedule." | ||
Line 61: | Line 61: | ||
The implementation of the CSP, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee on July 16, 2010, as supplemented by letters dated February 15 and April 4, 2011, and approved by the NRC staff with this license amendment. | The implementation of the CSP, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee on July 16, 2010, as supplemented by letters dated February 15 and April 4, 2011, and approved by the NRC staff with this license amendment. | ||
All subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90. | All subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90. | ||
* In a publically available NRC memorandum dated October 24, 2013 (ADAMS Accession No. | * In a publically available NRC memorandum dated October 24, 2013 (ADAMS Accession No. ML13295A467), the NRC staff listed criteria to consider during evaluations of licensees' requests to postpone their cyber security program implementation date (commonly known as Milestone 8). 3.0 TECHNICAL EVALUATION Amendment No. 247 to Renewed FOL DPR-28 for VY was issued on July 20, 2011. As part of that amendment, the NRC staff approved the licensee's CSP implementation schedule, as discussed in the safety evaluation issued with the amendment. | ||
The licensee's implementation schedule was based on a template prepared by NEI (ADAMS Accession No. | The licensee's implementation schedule was based on a template prepared by NEI (ADAMS Accession No. ML110600218), which the NRC staff had previously found acceptable for use in developing CSP implementation schedules. | ||
The licensee's CSP implementation schedule identified completion dates and bases for the following eight milestones: | The licensee's CSP implementation schedule identified completion dates and bases for the following eight milestones: | ||
(1) Establish the Cyber Security Assessment Team (CSAT); (2) Identify Critical Systems (CSs) and Critical Digital Assets (CDAs); (3) Install a deterministic one-way device between lower level devices and higher level devices; (4) Implement the security control "Access Control For Portable And Mobile Devices"; | (1) Establish the Cyber Security Assessment Team (CSAT); (2) Identify Critical Systems (CSs) and Critical Digital Assets (CDAs); (3) Install a deterministic one-way device between lower level devices and higher level devices; (4) Implement the security control "Access Control For Portable And Mobile Devices"; | ||
Line 84: | Line 84: | ||
: 6) A discussion of the licensee's cyber security program performance up to the date of the license amendment request. The licensee stated there has been no identified compromise of SSEP functions by cyber means at any Entergy plant. It noted its experience with the scanning of portable devices. It also noted a formal Quality Assurance (QA) audit in the last quarter of 2013 that included review of the cyber security program implementation. | : 6) A discussion of the licensee's cyber security program performance up to the date of the license amendment request. The licensee stated there has been no identified compromise of SSEP functions by cyber means at any Entergy plant. It noted its experience with the scanning of portable devices. It also noted a formal Quality Assurance (QA) audit in the last quarter of 2013 that included review of the cyber security program implementation. | ||
There were no significant findings related to overall cyber security program performance and effectiveness. | There were no significant findings related to overall cyber security program performance and effectiveness. | ||
: 7) A discussion of cyber security issues pending in the licensee's corrective action program (CAP). The licensee stated there are presently no significant (constituting a threat to a CDA via cyber means or calling into question program effectiveness) nuclear cyber security issues pending in the CAP. Several non-significant issues identified during the Quality Assurance audit described above have been entered into CAP. Additionally, when the July 1, 2013 internal NRC memorandum (ADAMS Accession No. | : 7) A discussion of cyber security issues pending in the licensee's corrective action program (CAP). The licensee stated there are presently no significant (constituting a threat to a CDA via cyber means or calling into question program effectiveness) nuclear cyber security issues pending in the CAP. Several non-significant issues identified during the Quality Assurance audit described above have been entered into CAP. Additionally, when the July 1, 2013 internal NRC memorandum (ADAMS Accession No. ML13178A203) was shared with Entergy the actions described regarding cyber security Interim Milestone 4 were entered into CAP for evaluation by the CSAT. Final actions regarding some program activities are pending. 8) A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications. | ||
The NRC staff has evaluated the licensee's application addressing the above criteria. | The NRC staff has evaluated the licensee's application addressing the above criteria. | ||
The NRC staff's evaluation is below. The NRC staff agrees that implementation of CSP Sections 3 and 4 requires the extensive actions the licensee noted. The NRC staff acknowledges implementation issues with large numbers of CDAs and the need to address many security control attributes for each. Based on the information provided by the licensee in its application, the NRC staff concludes that VY would not be able to fully implement its CSP by December 15, 2014. In conclusion, the NRC staff finds the licensee's explanation of the need for additional time compelling. | The NRC staff's evaluation is below. The NRC staff agrees that implementation of CSP Sections 3 and 4 requires the extensive actions the licensee noted. The NRC staff acknowledges implementation issues with large numbers of CDAs and the need to address many security control attributes for each. Based on the information provided by the licensee in its application, the NRC staff concludes that VY would not be able to fully implement its CSP by December 15, 2014. In conclusion, the NRC staff finds the licensee's explanation of the need for additional time compelling. | ||
Line 92: | Line 92: | ||
Entergy Nuclear Operations, Inc. CSP was approved by License Amendment No. 247, as supplemented by changes approved by License Amendment Nos. 251 and 259." 3.4 Summary Based on its review of the licensee's submissions, the NRC staff concludes that the proposed change to the full implementation date of Milestone 8 of the licensee's CSP implementation schedule is acceptable. | Entergy Nuclear Operations, Inc. CSP was approved by License Amendment No. 247, as supplemented by changes approved by License Amendment Nos. 251 and 259." 3.4 Summary Based on its review of the licensee's submissions, the NRC staff concludes that the proposed change to the full implementation date of Milestone 8 of the licensee's CSP implementation schedule is acceptable. | ||
The NRC staff also concludes that, upon full implementation of the licensee's cyber security program, the requirements of the licensee's CSP and 10 CFR 73.54 will be met. Therefore, the NRC staff finds the proposed change acceptable. | The NRC staff also concludes that, upon full implementation of the licensee's cyber security program, the requirements of the licensee's CSP and 10 CFR 73.54 will be met. Therefore, the NRC staff finds the proposed change acceptable. | ||
The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that "[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRC staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. | The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that "[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRC staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML110980538), the implementation of the plan, including the key intermediate milestone dates and the full implementation date shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. All subsequent changes to the NRC- approved CSP implementation schedule, thus, will require prior NRC approval pursuant in 10 CFR 50.90. | ||
==4.0 STATE CONSULTATION== | ==4.0 STATE CONSULTATION== | ||
Line 116: | Line 116: | ||
==Enclosures:== | ==Enclosures:== | ||
: 1. Amendment No. 259 to License No. DPR-28 2. Safety Evaluation Sincerely, IRA! James Kim, Project Manager Plant Licensing IV-2 and Decommissioning Transition Branch Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation cc w/encls: Distribution via Listserv DISTRIBUTION: | : 1. Amendment No. 259 to License No. DPR-28 2. Safety Evaluation Sincerely, IRA! James Kim, Project Manager Plant Licensing IV-2 and Decommissioning Transition Branch Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation cc w/encls: Distribution via Listserv DISTRIBUTION: | ||
PUBLIC RidsNrrLAKGoldstein RidsNrrPMVermontYankee RidsRgn1 Mail Center RidsNrrDoriDpr RidsAcrsAcnw_MaiiCenter A ccess1on N | PUBLIC RidsNrrLAKGoldstein RidsNrrPMVermontYankee RidsRgn1 Mail Center RidsNrrDoriDpr RidsAcrsAcnw_MaiiCenter A ccess1on N ML14206A710 o.: OFFICE LPL4-2/PM LPL 1-1/LA NSIR/CSD/DD NAME JKim KGoldstein RFelts* DATE 7/30/14 7/29/14 7/21/14 RidsNrrDoriLpl4-2 J. Rycyna, NSIR/CSD R. McKinley, Rgnl *S ee memo d d J I 21 2014 ate uly ' OGC/NLO LPL4-2/BC LPL4-2/PM NStAmore DBroaddus JKim 10/7/14 11/7/14 11/12/14 OFFICIAL RECORD COPY}} |
Revision as of 10:12, 21 June 2019
ML14206A710 | |
Person / Time | |
---|---|
Site: | Vermont Yankee File:NorthStar Vermont Yankee icon.png |
Issue date: | 11/12/2014 |
From: | James Kim Plant Licensing Branch IV |
To: | Entergy Nuclear Operations |
Kim J | |
References | |
TAC MF3306 | |
Download: ML14206A710 (14) | |
Text
UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 Site Vice President Entergy Nuclear Operations, Inc. Vermont Yankee Nuclear Power Station P.O. Box 250 Governor Hunt Road Vernon, VT 05354 November 12, 2014
SUBJECT:
VERMONT YANKEE NUCLEAR POWER STATION-ISSUANCE OF AMENDMENT TO RENEWED FACILTIY OPERATING LICENSE RE: CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE (TAC NO. MF3306)
Dear Sir or Madam:
The U.S. Nuclear Regulatory Commission (the Commission) has issued the enclosed Amendment No. 259 to Renewed Facility Operating License DPR-28 for the Vermont Yankee Nuclear Power Station, in response to your application dated December 19, 2013, as supplemented by letter dated June 25, 2014. The licensee's application requested an extension of full implementation date of the Vermont Yankee Nuclear Power Station Cyber Security Plan Implementation Milestone 8 from December 15, 2014, to June 30, 2016. The amendment grants the requested extension, and also revises the existing operating license Security Plan license condition.
The license amendment is effective as of the date of its issuance and shall be implemented by December 15, 2014. A copy of the related Safety Evaluation is also enclosed.
The Notice of Issuance will be included in the Commission's next biweekly Federal Register notice. Docket No. 50-271
Enclosures:
- 1. Amendment No. 259 to License No. DPR-28 2. Safety Evaluation cc w/encls: Distribution via Listserv Sincerely, James Kim, Project Manager Plant Licensing IV-2 and Decommissioning Transition Branch Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 ENTERGY NUCLEAR VERMONT YANKEE, LLC AND ENTERGY NUCLEAR OPERATIONS, INC. DOCKET NO. 50-271 VERMONT YANKEE NUCLEAR POWER STATION AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 259 License No. DPR-28 1. The U.S. Nuclear Regulatory Commission (the Commission) has found that: A. The application for amendment filed by Entergy Nuclear Vermont Yankee, LLC and Entergy Nuclear Operations, Inc. (the licensee) dated December 19, 2013, as supplemented by letter dated June 25, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance: (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied. 2. Accordingly, the license is amended as indicated in the attachment to this license amendment, and paragraph 3.B. of Renewed Facility Operating License No. DPR-28 is hereby amended to read as follows: (B) Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 259, are hereby incorporated in the license. Entergy Nuclear Operations, Inc. shall operate the facility in accordance with the Technical Specifications.
Further, the second paragraph in Paragraph 3.G. is hereby amended to read as follows: "Entergy Nuclear Operations, Inc. shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).
Entergy Nuclear Operations, Inc. CSP was approved by License Amendment No. 247, as supplemented by changes approved by License Amendment Nos. 251 and 259." 3. This license amendment is effective as of the date of issuance and shall be implemented by December 15, 2014.
Attachment:
Changes to the License Date of Issuance:
November 12, 2014 FOR THE NUCLEAR REGULA TORY COMMISSION Douglas A. Broaddus, Chief Plant Licensing Branch IV-2 and Decommissioning Transition Branch Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation ATTACHMENT TO LICENSE AMENDMENT NO. 259 RENEWED FACILITY OPERATING LICENSE NO. DPR-28 DOCKET NO. 50-271 Replace the following pages of the Renewed Facility Operating License with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the areas of change. Remove Page 3 Page 6 Page 3 Page 6 D. Entergy Nuclear Operations, Inc., pursuant to the Act and 10 CFR Parts 30, 40 and 70, to receive, possess, and use in amounts as required any Byproduct, source, or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration or associated with radioactive apparatus or components.
E. Entergy Nuclear Operations, Inc., pursuant to the Act and 10 CFR Parts 30 and 70, to possess, but not to separate, such byproduct and special nuclear material as may be produced by operation of the facility.
- 3. This renewed license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations:
10 CFR Part 20, Section 30.34 of 10 CFR Part 30, Section 40.41 of 10 CFR Part 40, Section 50.54 and 50.59 of 10 CFR Part 50, and Section 70.32 of 10 CFR Part 70; and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified below: A. Maximum Power Level Entergy Nuclear Operations, Inc. is authorized to operate the facility at reactor core power levels not to exceed 1912 megawatts thermal in accordance with the Technical Specifications (Appendix A) appended hereto. B. Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 259 are hereby incorporated in the license. Entergy Nuclear Operations, Inc. shall operate the facility in accordance with the Technical Specifications.
C. Reports Entergy Nuclear Operations, Inc. shall make reports in accordance With the requirements of the Technical Specifications.
D. This paragraph deleted by Amendment No. 226. E. Environmental Conditions Pursuant to the Initial Decision of the presiding Atomic Safety and Licensing Board issued February 27, 1973, the following conditions for the protection of the environment are incorporated herein: 1. This paragraph deleted by Amendment No. 206, October 22, 2001. 2. This paragraph deleted by Amendment 131, 10/07/91.
Renewed Facility Operating License No. DPR-28 Amendment No. 259 Safety Analysis Report for the facility and as approved in the SER dated January 13, 1978, and supplemental SERs, dated 9/12/79, 2/20/80, 4/15/80, 7/3/80,10/24/80,11/10/81,1/13/83,7/24/84, 3/25/86,12/1/86,12/8/89, 11/29/90,8/30/95,3/23/97,6/9/97,8/12/97,3/6/98,3/31/98,9/2/98, and 2/24/99, subject to the following provisions:
Entergy Nuclear Operations, Inc. may make changes to the approved Fire Protection Program without prior approval of the Commission only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire. G. Security Plan Entergy Nuclear Operations, Inc. shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822), and the authority of 10 CFR 50.90 and 10 CFR 50.54(p).
The combined set of plans\ which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Vermont Yankee Nuclear Power Station Security Plan, Training and Qualification Plan, and Safeguards Contingency Plan, Revision 0," submitted by letter dated October 18, 2004, as supplemented by letter dated May 16, 2006. Entergy Nuclear Operations, Inc. shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).
Entergy Nuclear Operations, Inc. CSP was approved by License Amendment No. 247, as supplemented by changes approved by License Amendment Nos. 251 and 259. H. This paragraph deleted by Amendment No. 107, 8/25/88. I. This paragraph deleted by Amendment No. 131, 10/7/91. J. License Transfer Conditions On the closing date of the transfer of Vermont Yankee Nuclear Power Station (Vermont Yankee), Entergy Nuclear Vermont Yankee, LLC shall obtain from Vermont Yankee Nuclear Power Corporation all of the accumulated decommissioning trust funds for the facility, and ensure the deposit of such funds into a decommissioning trust for Vermont Yankee established by Entergy Nuclear Vermont Yankee, LLC. If the amount of such funds does not meet or exceed the minimum amount required for the facility pursuant to 10 CFR 50.75, Entergy Nuclear Vermont Yankee, LLC shall at such time deposit additional funds into the trust and/or obtain a parent company guarantee (to be updated annually) and/or obtain a surety pursuant to 10 CFR 50.75(e)(1)(iii) in a form acceptable to the NRC and in an amount or amounts which, when combined with the decommissioning trust funds for the facility that have been obtained and deposited as required above, equals or 1 The Training and Qualification Plan and Safeguards Contingency Plan are Appendices to the Security Plan. Renewed Facility Operating License No. DPR-28 Amendment 2-M , 259 Corrected by letter dated November 21, 2012 UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 259 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-28 ENTERGY NUCLEAR VERMONT YANKEE, LLC AND ENTERGY NUCLEAR OPERATIONS, INC. VERMONT YANKEE NUCLEAR POWER STATION DOCKET NO. 50-271
1.0 INTRODUCTION
By application dated December 19, 2013, (Agencywide Documents Access and Management System (ADAMS) Accession No. ML13358A335)
Entergy Nuclear Operations Inc. (Entergy, the licensee) requested a change to the renewed facility operating license (FOL) for Vermont Yankee Nuclear Power Station (VY). The proposed change would revise the date of Cyber Security Plan (CSP) Implementation Schedule Milestone 8 and the existing license conditions in the facility operating license. Milestone 8 of the CSP implementation schedule is the full implementation of the CSP. The supplement to the application dated June 25, 2014 (ADAMS Accession No. ML14182A145), provided additional information that clarified the application, did not expand the scope of the application as originally noticed, and did not change the U.S. Nuclear Regulatory Commission (NRC) staff's original proposed no significant hazards consideration determination as published in the Federal Register on February 27, 2014 (79 FR 11149). Portions of the letter dated December 19, 2013, contain sensitive unclassified non-safeguards information and, accordingly, those portions have been withheld from public disclosure.
2.0 REGULATORY EVALUATION
The NRC staff reviewed and approved the licensee's existing CSP implementation schedule by License Amendment No. 247 dated July 20, 2011 (ADAMS Accession No. ML11152A013), concurrent with the incorporation of the CSP into the facility's current licensing basis. The NRC staff considered the following regulatory requirements and guidance in its review of the current license amendment request to modify the existing CSP implementation schedule:
- Title 10 of the Code of Federal Regulations (1 0 CFR), Section 73.54 states: "Each [CSP] submittal must include a proposed implementation schedule.
Implementation of the licensee's cyber security program must be consistent with the approved schedule."
- The licensee's renewed facility operating license at Paragraph 3.G. includes a license condition that requires the licensee to fully implement and maintain in effect all provisions of the Commission-approved CSP.
- Amendment No. 247 dated July 20, 2011, which approved the licensee's CSP and implementation schedule, included the following statement:
The implementation of the CSP, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee on July 16, 2010, as supplemented by letters dated February 15 and April 4, 2011, and approved by the NRC staff with this license amendment.
All subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90.
- In a publically available NRC memorandum dated October 24, 2013 (ADAMS Accession No. ML13295A467), the NRC staff listed criteria to consider during evaluations of licensees' requests to postpone their cyber security program implementation date (commonly known as Milestone 8). 3.0 TECHNICAL EVALUATION Amendment No. 247 to Renewed FOL DPR-28 for VY was issued on July 20, 2011. As part of that amendment, the NRC staff approved the licensee's CSP implementation schedule, as discussed in the safety evaluation issued with the amendment.
The licensee's implementation schedule was based on a template prepared by NEI (ADAMS Accession No. ML110600218), which the NRC staff had previously found acceptable for use in developing CSP implementation schedules.
The licensee's CSP implementation schedule identified completion dates and bases for the following eight milestones:
(1) Establish the Cyber Security Assessment Team (CSAT); (2) Identify Critical Systems (CSs) and Critical Digital Assets (CDAs); (3) Install a deterministic one-way device between lower level devices and higher level devices; (4) Implement the security control "Access Control For Portable And Mobile Devices";
(5) Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds; {6) Identify, document, and implement cyber security controls as per "Mitigation of Vulnerabilities and Application of Cyber Security Controls" for CDAs that could adversely impact the design function of physical security target set equipment;
{7) Ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented; (8) Fully implement the CSP. 3.1 Licensee's Proposed Change Currently, Milestone 8 of the VY CSP requires Entergy to fully implement the CSP by December 15, 2014. In its December 19, 2013, application, Entergy proposed to change the Milestone 8 completion date to June 30, 2016. 3.2 NRC Staff Evaluation The purpose of the cyber security implementation schedule is for licensees to demonstrate ongoing implementation of their cyber security program prior to full implementation (i.e., Milestone 8). The licensee completed the first seven milestones by December 31, 2012. These milestones include establishing a CSAT, identifying CSs and CDAs, installing deterministic way devices between defensive levels, implementing access control for portable and mobile devices, implementing methods to observe and identify obvious cyber related tampering, and conducting ongoing monitoring and assessment activities for target set CDAs. In aggregate, these interim milestones demonstrate ongoing implementation of the cyber security program. On October 24, 2013, the staff published review criteria for evaluating requests to revise Milestone 8 implementation dates. The licensee's application was received after this guidance was published, and addresses all the included criteria.
The review criteria for Milestone 8 extension requests takes into account the licensees' ongoing implementation of the cyber security program through milestones 1 through 7. The criteria which the licensee addressed are: (1) Identification of the specific requirement or requirements of the cyber security plan that the licensee needs additional time to implement.
(2) Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.
(3) A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available.
(4) An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall cyber security program in the context of milestones already completed.
(5) A description of the licensee's methodology for prioritizing completion of work for critical digital assets associated with significant safety, security, or emergency preparedness consequences and with reactivity effects in the balance of plant. (6) A discussion of the licensee's cyber security program performance up to the date of the license amendment request. (7) A discussion of cyber security issues pending in the licensee's corrective action program. (8) A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.
The licensee provided information pertinent to each criterion.
It is below. (1) Identification of the specific requirement or requirements of the cyber security plan that the licensee needs additional time to implement. The licensee stated that the requirements of the CSP that it needed additional time to implement are Section 3, Analyzing Digital Computer Systems and Networks and Section 4, Establishing, Implementing and Maintaining the Cyber Security Program. It further noted that these sections describe requirements for application and maintenance of cyber security controls and described the process of addressing security controls.
The licensee also noted specific activities needing additional time including:
final determination of the exact scope of CDAs that will remain subsequent to the final permanent shut-down and defueling of VY, scheduled to commence in December 2014; determining the need for a specific security feature; and change management associated with approximately 40 procedure changes. It also described time needed for additional physical controls for CDAs outside the security protected area. (2) Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.
The licensee stated the cyber security assessment process is presently projected to be completed by the second quarter of 2014. Since the number of CDAs and existing procedures is in the hundreds and the number of individual cyber security control attributes is also in the hundreds the total of physical, logical and programmatic changes required constitutes a significant project involving plant components and systems and substantial planning and resources.
With this analysis concluding in the second quarter of 2014, it was concluded that insufficient time is left to complete modification and change management planning activities by December 15, 2014. Further the licensee intends to complete planning for the specific security feature mentioned in 1) above in 2014 and implement it in the following 18 months. (3) A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available.
The licensee proposed a Milestone 8 completion date of June 30, 2016. (4) An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall cyber security program in the context of milestones already completed.
The licensee indicated the impact of the requested additional implementation time on the effectiveness of the overall cyber security program is very low. The milestones already completed have resulted in a high degree of protection of safety-related, important-to-safety, and security CDAs against common threat vectors. Additionally, extensive physical and administrative measures are already in place for CDAs because they are plant components, pursuant to the Physical Security Plan and Technical Specification Requirements.
It then briefly described how it had implemented the various milestones.
The licensee supplemented its application to clarify that various milestones had been completed by the due date of December 31, 2012, and that the extension request has no impact on these milestone activities. 5) A description of the licensee's methodology for prioritizing completion of work for critical digital assets associated with significant safety, security, or emergency preparedness consequences and with reactivity effects in the balance of plant. The licensee stated, because CDAs are plant components, prioritization follows the normal work management process that places the highest priority on apparent conditions adverse to quality in system, structure, and component design function and related to factors such as safety risk and nuclear depth, as well as threats to continuity of electric power generation.
- 6) A discussion of the licensee's cyber security program performance up to the date of the license amendment request. The licensee stated there has been no identified compromise of SSEP functions by cyber means at any Entergy plant. It noted its experience with the scanning of portable devices. It also noted a formal Quality Assurance (QA) audit in the last quarter of 2013 that included review of the cyber security program implementation.
There were no significant findings related to overall cyber security program performance and effectiveness.
- 7) A discussion of cyber security issues pending in the licensee's corrective action program (CAP). The licensee stated there are presently no significant (constituting a threat to a CDA via cyber means or calling into question program effectiveness) nuclear cyber security issues pending in the CAP. Several non-significant issues identified during the Quality Assurance audit described above have been entered into CAP. Additionally, when the July 1, 2013 internal NRC memorandum (ADAMS Accession No. ML13178A203) was shared with Entergy the actions described regarding cyber security Interim Milestone 4 were entered into CAP for evaluation by the CSAT. Final actions regarding some program activities are pending. 8) A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.
The NRC staff has evaluated the licensee's application addressing the above criteria.
The NRC staff's evaluation is below. The NRC staff agrees that implementation of CSP Sections 3 and 4 requires the extensive actions the licensee noted. The NRC staff acknowledges implementation issues with large numbers of CDAs and the need to address many security control attributes for each. Based on the information provided by the licensee in its application, the NRC staff concludes that VY would not be able to fully implement its CSP by December 15, 2014. In conclusion, the NRC staff finds the licensee's explanation of the need for additional time compelling.
The NRC staff concludes the licensee progress toward full implementation is reasonable and that impact of the requested additional implementation time on the effectiveness of the overall cyber security program is being effectively managed. The NRC staff finds the licensee's methodology for prioritizing completion of work for CDAs is appropriate and conservative.
The NRC staff agrees that activities described by the licensee in its LAR provide significant protection against cyber attacks. The NRC staff concludes that the licensee is using the quality tools at its disposal to verify the effectiveness of the cyber security program and that the licensee is using its corrective action program to track issues for the cyber security program. As requested by Criteria 8, the licensee discussed completed modifications and pending modifications.
The NRC staff has reviewed these discussions of the completed and pending modifications to address Criteria 1 through 7 and concluded, as discussed in the LAR, these modifications support the full implementation of the CSP. 3.3 Revision to License Condition By letter dated December 19, 2013, the licensee proposed to modify Paragraph 3.G. of Renewed FOL No. DPR-28, which provides a license condition requiring the licensees to fully implement and maintain in effect all provisions of the NRC-approved CSP. The second paragraph of the license condition in Paragraph 3.G. of Renewed FOL No. DPR-28 for VY is modified as follows: "Entergy Nuclear Operations, Inc. shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).
Entergy Nuclear Operations, Inc. CSP was approved by License Amendment No. 247, as supplemented by changes approved by License Amendment Nos. 251 and 259." 3.4 Summary Based on its review of the licensee's submissions, the NRC staff concludes that the proposed change to the full implementation date of Milestone 8 of the licensee's CSP implementation schedule is acceptable.
The NRC staff also concludes that, upon full implementation of the licensee's cyber security program, the requirements of the licensee's CSP and 10 CFR 73.54 will be met. Therefore, the NRC staff finds the proposed change acceptable.
The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that "[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRC staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML110980538), the implementation of the plan, including the key intermediate milestone dates and the full implementation date shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. All subsequent changes to the NRC- approved CSP implementation schedule, thus, will require prior NRC approval pursuant in 10 CFR 50.90.
4.0 STATE CONSULTATION
In accordance with the Commission's regulations, the Vermont State official was notified of the proposed issuance of the amendment.
The State official had no comments.
5.0 ENVIRONMENTAL CONSIDERATION This amendment relates solely to safeguards matters and does not involve any significant construction impacts. Accordingly, the amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(12).
Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.
6.0 CONCLUSION
The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public. Principal Contributor:
J. Rycyna, NSIR/CSD Date: November 12, 2014 November 12, 2014 Site Vice President Entergy Nuclear Operations, Inc. Vermont Yankee Nuclear Power Station P.O. Box 250 Governor Hunt Road Vernon, VT 05354
SUBJECT:
VERMONT YANKEE NUCLEAR POWER STATION -ISSUANCE OF AMENDMENT TO RENEWED FACIL TIY OPERATING LICENSE RE: CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE (TAC NO. MF3306)
Dear Sir or Madam:
The U.S. Nuclear Regulatory Commission (the Commission) has issued the enclosed Amendment No. 259 to Renewed Facility Operating License DPR-28 for the Vermont Yankee Nuclear Power Station, in response to your application dated December 19, 2013, as supplemented by letter dated June 25, 2014. The licensee's application requested an extension of full implementation date of the Vermont Yankee Nuclear Power Station Cyber Security Plan Implementation Milestone 8 from December 15, 2014, to June 30, 2016. The amendment grants the requested extension, and also revises the existing operating license Security Plan license condition.
The license amendment is effective as of the date of its issuance and shall be implemented by December 15, 2014. A copy of the related Safety Evaluation is also enclosed.
The Notice of Issuance will be included in the Commission's next biweekly Federal Register notice. Docket No. 50-271
Enclosures:
- 1. Amendment No. 259 to License No. DPR-28 2. Safety Evaluation Sincerely, IRA! James Kim, Project Manager Plant Licensing IV-2 and Decommissioning Transition Branch Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation cc w/encls: Distribution via Listserv DISTRIBUTION:
PUBLIC RidsNrrLAKGoldstein RidsNrrPMVermontYankee RidsRgn1 Mail Center RidsNrrDoriDpr RidsAcrsAcnw_MaiiCenter A ccess1on N ML14206A710 o.: OFFICE LPL4-2/PM LPL 1-1/LA NSIR/CSD/DD NAME JKim KGoldstein RFelts* DATE 7/30/14 7/29/14 7/21/14 RidsNrrDoriLpl4-2 J. Rycyna, NSIR/CSD R. McKinley, Rgnl *S ee memo d d J I 21 2014 ate uly ' OGC/NLO LPL4-2/BC LPL4-2/PM NStAmore DBroaddus JKim 10/7/14 11/7/14 11/12/14 OFFICIAL RECORD COPY