Text

October 8, 2014

Mr. Christopher E. Earls Senior Director, Engineering and Licensing

Nuclear Energy Institute

1201 F Street, NW, Suite 1100 Washington, DC 20004

SUBJECT:

NUCLEAR ENERGY INSTITUTE 13-10, "CYBER SECURITY CONTROL ASSESSMENTS," REVISION 1, DATED JANUARY 2014

Dear Mr. Earls:

In your letter dated September 30, 2014, you requested that the U.S. Nuclear Regulatory

Commission (NRC) staff review and endorse the Nuclear Energy Institute's (NEI's) guidance document NEI 13-10, "Cyber Security Control Assessments" Revision 1, dated September 2014 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML14276A126). The letter stated that the submitted NEI 13-10, Revision 1 did not change the body of NEI 13-10, but included the industry-dev eloped template and examples for performing the NEI 13-10 analysis. The NRC staff completed its review of the template and the examples based on NEI 13-10, Revision 0 that the NRC f ound acceptable in its February 3, 2014 letter (ADAM Accession No. ML14031A158) and NEI 08-09, "Cyber Security Plan for Nuclear Power Reactors", Revision 6, dated April 2010.

Based on the review, the staff concluded that the template and the examples included in NEI 13-10, Revision 1, are acceptable for use by licensees to document their determinations of whether a critical digital asset is direct or indirect. The licensees' determinations are subject to NRC inspection after the licensees complete the implementation of their cyber security programs as described in their cyber security plans.

Please contact Eric Lee at (301) 287-3461 if you have any questions.

Sincerely, /RA/ Barry Westreich, Director Cyber Security Directorate Office of Nuclear Security and Incident Response

ML14276A110 OFFICE CSD/NSIR DD:CSD/NSIR D:CSD/NSIR NAME ELee RFelts BWestreich DATE 10/03/14 10/06/14 10/8/14