Issuance of Amendment No. 292, Request to Revise Cyber Security Plan Implementation Schedule for Milestone 8 and Associated License Condition (CAC No. MF9550; EPID L-2017-LLA-0193)

ML17289A222
Person / Time
Site:	Oyster Creek
Issue date:	12/22/2017
From:	Lamb J G Special Projects and Process Branch
To:	Bryan Hanson Entergy Nuclear Operations
Lamb J G, NRR/DORL/LSPB, 415-3100
References
CAC MF9550, EPID L-2017-LLA-0193
Download: ML17289A222 (17)
v • d • e

Text

UNITED STATES NUCLEAR REGULATORY COMMISSION Mr. Bryan C. Hanson President and Chief Nuclear Officer Exelon Nuclear 4300 Winfield Road Warrenville, IL 60555 WASHINGTON, D.C. 20555-0001 December 22, 2017

SUBJECT:

OYSTER CREEK NUCLEAR GENERATING STATION-ISSUANCE OF AMENDMENT RE: LICENSE AMENDMENT REQUEST TO REVISE THE CYBER SECURITY MILESTONE 8 COMPLETION DATE (CAC NO. MF9550; EPID L-2017-LLA-0193)

Dear Mr. Hanson:

The U.S. Nuclear Regulatory Commission has issued the enclosed Amendment No. 292 to Renewed Facility Operating License No. DPR-16 for the Oyster Creek Nuclear Generating Station (OCNGS), in response to your application dated April 10, 2017, as supplemented by letters dated October 4 and December 15, 2017. The amendment revises the OCNGS renewed facility operating license for the Cyber Security Plan (CSP) Milestone 8 full implementation completion date, as set forth in the CSP implementation schedule, and the physical protection license condition.

The amendment revises the CSP Milestone 8 completion date from December 31, 2017, to August 31, 2021. A copy of the related Safety Evaluation is also enclosed.

The Notice of Issuance will be included in the Commission's next biweekly Federal Register notice . Docket No. 50-219

Enclosures:

. Lamb, Senior Project Manager Spe i I Projects and Process Branch Divi i n of Operating Reactor Licensing Offic of Nuclear Reactor Regulation

1. Amendment No. 292 to Renewed DPR-16 2. Safety Evaluation cc: Listserv UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 EXELON GENERATION COMPANY, LLC DOCKET NO. 50-219 OYSTER CREEK NUCLEAR GENERA TING STATION AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 292 Renewed License No. DPR-16 1. The Nuclear Regulatory Commission (the Commission) has found that: A. The application for amendment by Exelon Generation Company, LLC (the licensee), dated April 10, 2017, as supplemented by letters dated October 4 and December 15, 2017, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance: (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

Enclosure 1 2. Accordingly, the license is amended by changes as indicated in the attachment to this license amendment, and paragraph 2.C.(2) of Renewed Facility Operating License No. DPR-16 is hereby amended to read as follows: (2) Technical Specifications The Technical Specifications contained in Appendices A and B, as revised through Amendment No. 292, are hereby incorporated in the license. Exelon Generation Company shall operate the facility in accordance with the Technical Specifications.

Further, paragraph 2.C.(4) is hereby amended, in part, to read as follows: Exelon Generation Company shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The Exelon Generation Company CSP was approved by Renewed License Amendment No. 280 and modified by License Amendment Nos. 288 and 292. 3. This license amendment is effective as of the date of issuance and shall be implemented within 30 days from the date of issuance.

Attachment:

Changes to the Renewed Facility Operating License No. DPR-16 FOR THE NUCLEAR REGULATORY COMMISSION

&,<J~,i Fott DAB Douglas A. Broaddus, Chief Special Projects and Process Branch Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Date of Issuance:

December 22, 2017 ATTACHMENT TO LICENSE AMENDMENT NO. 292 OYSTER CREEK NUCLEAR GENERATING STATION RENEWED FACILITY OPERATING LICENSE NO. DPR-16 DOCKET NO. 50-219 Replace the following pages of the Renewed Facility Operating License DPR-16 with the attached revised pages. The revised pages are identified by amendment number and contains marginal lines indicating the areas of change. Renewed Facility Operating License No. DPR-16 Remove -3 --4 - (3) Pursuant to the Act and 1 O CFR Parts 30, 40, and 70, to receive, possess, and use at any time any byproduct, source, or special nuclear materials as sealed neutron sources for reactor startup, sealed sources for reactor instrumentation and radiation monitoring equipment calibration, and as fission detectors in amounts as required; (4) Pursuant to the Act and 10 CFR Parts 30, 40, and 70, to receive, possess, and use in amounts as required any byproduct, source, or special nuclear materials without restriction to chemical or physical form, for sample analysis or instrument calibration or associated with radioactive apparatus or components; and (5) Pursuant to the Act and 10 CFR Parts 30, 40, and 70, to possess, but not separate such byproduct, source, or special nuclear materials as may be produced by the operation of the facility.

C. This license shall be deemed to contain and is subject to the conditions specified in the Commission's regulations set forth in 10 CFR Chapter I and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect and is subject to the additional conditions specified or incorporated below: (1) (2) (3) Maximum Power Level Exelon Generation Company is authorized to operate the facility at steady-state power levels not in excess of 1930 megawatts (thermal)

(100 percent rated power) in accordance with the conditions specified herein. Technical Specifications The Technical Specifications contained in Appendices A and B, as revised through Amendment No. 292, are hereby incorporated in the license. Exelon Generation Company shall operate the facility in accordance with the Technical Specifications.

Fire Protection Exelon Generation Company shall implement and maintain in effect all provisions of the approved fire protection program as described in the Updated Final Safety Analysis Report for the facility and as approved in the Safety Evaluation Report dated March 3, 1978, and supplements thereto, subject to the following provision:

The licensee may make changes to the approved fire protection program without prior approval of the Commission only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire. Renewed License No. DPR-16 Amendment No. 292 (4) Exelon Generation Company shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822), and the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The combined set of plans1, submitted by letter dated May 17, 2006, is entitled: "Oyster Creek Nuclear Generating Station Security Plan, Training and Qualification Plan, and Safeguards Contingency Plan, Revision 5." The set contains Safeguards Information protected under 10 CFR 73.21. Exelon Generation Company shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The Exelon Generation Company CSP was approved by License Amendment No. 280 and modified by License Amendment Nos. 288 and 292. (5) Inspections of core spray spargers, piping and associated components will be performed in accordance with BWRVIP-18, "BWR Core Spray Internals Inspection and Flaw Evaluation Guidelines," as approved by NRC staff's Final Safety Evaluation Report dated December 2, 1999. (6) Long Range Planning Program -Deleted (7) Reactor Vessel Integrated Surveillance Program Exelon Generation Company is authorized to revise the Updated Final Safety Analysis Report (UFSAR) to allow implementation of the Boiling Water Reactor Vessel and Internals Project reactor pressure vessel Integrated Surveillance Program as the basis for demonstrating compliance with the requirements of Appendix H to Title 10 of the Code of Federal Regulations Part 50, "Reactor Vessel Material Surveillance Program Requirements," as set forth in the licensee's application dated December 20, 2002, and as supplemented on May 30, September 10, and November 3, 2003. All capsules in the reactor vessel that are removed and tested must meet the test procedures and reporting requirements of the most recent approved version of the Boiling Water Reactor Vessel and Internals Project Integrated Surveillance Program appropriate for the configuration of the specimens in the capsule. Any changes to the capsule withdrawal schedule, including spare capsules, must be approved by the NRC prior to implementation.

All capsules placed in storage must be maintained for future insertion.

Any changes to storage requirements must be approved by the NRC, as required by 10 CFR Part 50, Appendix H. 1 The Training and Qualification Plan and Safeguards Contingency Plan are Appendices to the Security Plan. Renewed License No. DPR-16 Amendment No. 292 UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, 0.C. 20555-0001 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 292 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-16 EXELON GENERATION COMPANY, LLC OYSTER CREEK NUCLEAR GENERATING STATION DOCKET NO. 50-219

1.0 INTRODUCTION

By application dated April 10, 2017 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML 17100A844), as supplemented by letters dated October 4 and December 15, 2017 (ADAMS Accession Nos. ML 172776136 and ML 17349A634, respectively), Exelon Generation Company, LLC (Exelon or the licensee), requested changes to Renewed Facility Operating License (FOL) No. DPR-16 for the Oyster Creek Nuclear Generating Station (OCNGS). Exelon requested an amendment to revise the OCNGS Renewed FOL for the Cyber Security Plan (CSP) Milestone 8 (MS8) full implementation completion date, as set forth in the CSP implementation schedule, and the physical protection license condition.

The proposed amendment would revise the CSP MS8 completion date from December 31, 2017, to August 31, 2021. The supplemental letters dated October 4 and December 15, 2017, provided additional information that clarified the application, did not expand the scope of the application as originally noticed, and did not change the U.S. Nuclear Regulatory Commission (NRC) staff's original proposed no significant hazards consideration determination as published in the Federal Register on May 23, 2017 (82 FR 23626).

2.0 BACKGROUND

By letter dated January 7, 2011 (ADAMS Accession No. ML 110070507), the licensee submitted Notification of Permanent Cessation of Power Operations for OCNGS. In this letter, Exelon notified the NRC of its intent to permanently cease operations at OCNGS no later than December 31, 2019. After certifications of permanent cessation of power operations and permanent removal of fuel from the reactor vessel for OCNGS are submitted in accordance with Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Sections 82(a)(1 )(i) and (ii), the 1 O CFR Part 50 license will no longer authorize reactor operation or placement or retention of fuel in the reactor vessel. The NRC staff initially reviewed and approved the licensee's original CSP implementation schedule by License Amendment No. 280, dated August 10, 2011 (ADAMS Accession Enclosure 2 No. ML 111861341

), to the OCNGS Renewed FOL concurrent with the incorporation of the CSP into the facility's current licensing basis; this provided the implementation date of December 31, 2015, for MS8. The NRC staff then reviewed and approved the licensee's current CSP implementation schedule by License Amendment No. 288, dated July 30, 2015 (ADAMS Accession No. ML 15153A282).

This schedule required the licensee to fully implement and maintain in effect all provisions of the CSP no later than December 31, 2017. License Amendment No. 288 extended the implementation date for MS8 from December 31, 2015, to December31, 2017.

3.0 REGULATORY EVALUATION

The NRC staff considered the following regulatory requirements and guidance in its review of the license amendment request to modify the existing CSP implementation schedule:

• The regulations in 10 CFR Section 73.54, "Protection of digital computer and communication systems and networks," which states, in part: Each [CSP] submittal must include a proposed implementation schedule.

Implementation of the licensee's cyber security program must be consistent with the approved schedule.

• Review criteria provided by the NRC staff's internal memorandum, "Review Criteria for Title 10 of the Code of Federal Regulations 73.54, Cyber Security Implementation Schedule Milestone 8 License Amendment Requests," dated October 24, 2013 (ADAMS Accession No. ML 13295A467), to be considered for evaluating licensees' requests to postpone their cyber security program implementation date (commonly known as Milestone 8).

• The licensee's Renewed FOL includes a license condition that requires the licensee to fully implement and maintain in effect all provisions of the Commission-approved CSP. The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, which states, in part, that "[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRC staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML 110980538), the implementation of the plan, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. All subsequent changes to the NRG-approved CSP implementation schedule, thus, will require prior NRC approval as required by 10 CFR 50.90, "Application for amendment of license, construction permit, or early site permit." 4.0 TECHNICAL EVALUATION

4.1 Licensee's

Requested Change The NRC staff issued Amendment No. 280 to Renewed FOL No. DPR-16 by letter dated August 10, 2011. This amendment approved the CSP and associated implementation schedule, and added a license condition requiring the licensee to fully implement and maintain the Commission-approved CSP. The licensee's implementation schedule was based on a template prepared by the Nuclear Energy Institute (NEI), which was transmitted to the NRC by letter dated February 28, 2011 (ADAMS Accession No. ML 110600206).

By letter dated March 1, 2011 (ADAMS Accession No. ML 110070348), the NRC staff found the NEI template acceptable for licensees to use to develop their CSP implementation schedules.

The licensee's implementation schedule for the CSP identified completion dates and bases for the following eight milestones:

1. Establish the Cyber Security Assessment Team; 2. Identify Critical Systems (CSs) and Critical Digital Assets (CDAs); 3. Install deterministic one-way devices between lower-level devices and higher-level devices; 4. Implement the security control "Access Control For Portable And Mobile Devices";

5. Implement observation and identification of obvious cyber-related tampering to existing insider mitigation rounds by incorporating the appropriate elements;

6. Identify, document, and implement technical cyber security controls in accordance with "Mitigation of Vulnerabilities and Application of Cyber Security Controls," for CDAs that could adversely impact the design function of physical security target set equipment;

7. Ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented; and 8. Fully implement the CSP. Currently, MS8 of the OCNGS CSP requires the licensee to fully implement the CSP by December 31, 2017. By letter dated April 10, 2017, as supplemented by letters dated October 4 and December 15, 2017, the licensee proposed to extend MS8 date to August 31, 2021. The licensee provided the following information pertinent to each of the criteria identified in the NRC guidance memorandum dated October 24, 2013. 1. Identification of the specific requirement or requirements of the cyber security plan that the licensee requests additional time to implement.

The licensee requested an extension of the implementation date from December 31, 2017, to August 31, 2021. The licensee stated that during this additional period, the requirements of Milestones 1 through 7 will be maintained.

2. Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.

The licensee notified the NRC in a letter dated January 7, 2011 (ADAMS Accession No. ML 110070507), that it plans to permanently cease power operations at OCNGS no later than December 31, 2019. The licensee stated that its computations show that by June 30, 2021, the decay heat for all spent fuel stored in the spent fuel pool should be decayed to a point where a loss of cooling cannot lead to zirconium hydride reactions and offsite releases.

The licensee stated that once this plant condition is achieved, the CSP license condition is no longer required and it plans to submit a license amendment request to remove the condition from its license. The licensee stated that implementation of cyber security protections provided by completed actions for Milestones 1 through 7 of the CSP has been completed, verified, and inspected.

The licensee stated that these substantial protections provide for reduced risk to the public from a design-basis accident or design-basis threat from a potential cyber attack. Additionally, the licensee stated that the OCNGS has no CDAs in any of the target sets, thereby further limiting the risk of radiological consequences from a potential cyber security attack. The cyber security controls implemented for Milestones 1 through 7 will be maintained until August 31, 2021, providing the same level of protection for the threat/attack pathways.

The licensee stated that decommissioning activities that start after December 31, 2019, will be focused on efforts to reduce plant equipment that will further reduce plant risk and potential consequences of a cyber attack. The licensee stated that it has determined that the existing cyber security controls will provide a high degree of protection for the threat/attack vectors and protection against cyber attacks and radiological sabotage until August 31, 2021. 3. A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available.

The licensee stated that the proposed completion date for MS8 is August 31, 2021. 4. An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall cyber security program in the context of milestones already completed.

The licensee stated that the OCNGS cyber security defensive posture and CSP will continue to be effective mitigating the risk of the design-basis threat via cyber means based on the activities completed under Milestones 1-7 in accordance with the "Good Faith Attempt Discretion Letter," dated July 1, 2013 (ADAMS Accession No. ML 13178A203).

The licensee stated that it will continue to ensure that digital computer and communication systems and networks are adequately protected against cyber attacks. For Milestones 1 through 7, Exelon included a brief discussion of the completed activities under Milestones 1 through 7 and the "Good Faith Letter" required actions. 5. A description of the methodology for prioritizing completion of work for CDAs associated with significant safety, security, or emergency preparedness consequences and with reactivity effects in the balance of plant. The licensee stated that the methodology for prioritizing protection of CSs and CDAs is focused on maintaining the existing cyber security protections provided by the Milestones 1 through 7 commitments, continued safe plant operations and, once shut down, on reducing plant equipment that will further reduce plant risk and consequences of a potential cyber attack. The licensee stated that the safety-related, important-to-safety, and security CSs and CDAs will continue to be deterministically isolated from external networks; stringent controls of portable media and mobile devices connected to CDAs will continue, including the use of stand-alone scanning kiosks, and implementation of technical cyber security controls and security officer observation for CDAs that support physical security target set functions (if a target set CDA is identified in the future). The licensee further stated that OCNGS has implemented and will maintain the Exelon fleet procedures governing CDA configuration management, cyber security incident response and recovery, cyber security training, identification of rogue connections and CDA physical protections.

6. A discussion of the licensee's cyber security program performance up to the date of the license amendment request. The licensee stated that Exelon uses the corrective action program (CAP) to document all cyber security issues in order to trend, correct and improve the Exelon cyber security program. The CAP documents and tracks, from initiation through closure, all cyber security required actions including issues identified during ongoing program assessment activities.

The licensee added that adverse trends are monitored for cyber security program improvement and are addressed in the CAP. The licensee stated that a Nuclear Oversight audit of Milestones 1 through 7 was conducted in December 2016 and ongoing Quality Assurance surveillances under the physical security surveillance program have concluded that OCNGS has an effective cyber security program. The licensee noted that ongoing monitoring and time-based periodic actions provide continuing program performance monitoring.

The licensee stated that an NRC inspection of its compliance with Milestones 1 through 7 was completed on August 14, 2014, and resulted in no NRC findings and two licensee identified findings of very low safety significance.

The licensee stated that the two identified findings have been remediated.

7. A discussion of cyber security issues pending in the licensee's corrective action program. The licensee stated that there are no cyber security related issues that would constitute a threat to proper CDA function or that would call into question cyber security program effectiveness that are currently pending in the CAP. The licensee stated that there is one open cyber security related modification pending at OCNGS pertaining to the installation of a software patch for a security computer that is expected to be implemented by December 31, 2017. 8. A discussion of modifications completed to support the cyber security program and discussion of pending cyber security modifications.

The licensee discussed the following two modifications that have been implemented at OCNGS.

• Data diodes segregating Level 3 computer networks from Level 2 networks have been implemented at OCNGS.

• Isolated portable media scanning kiosk stations have been deployed at OCNGS. The licensee stated that these devices will be maintained current with the latest malware detection signatures consistent with the Exelon fleet procedures.

4.2 NRC Staff Evaluation The NRC staff has evaluated the licensee's application using the regulatory requirements and guidance cited in Section 3.0 of this Safety Evaluation.

For the reasons described below, the NRC staff finds that Exelon's implementation of Milestones 1 through 7 and completion of additional activities are effective in significantly mitigating the risk of the design-basis threat via cyber means. On January 7, 2011, the licensee notified the NRC of its intent to permanently cease power operations no later than December 31, 2019. Thus, the extension period requested by Exelon for OCNGS includes 2 years of operation and 1 year and 9 months of decommissioning activities.

Exelon has completed implementation of Milestones 1 through 7. The NRC staff finds that implementation of Milestones 1 through 7 provides a high degree of protection against cyber attacks because the activities completed under Milestones 1 through 7 mitigate the most significant cyber attack vectors for the most significant CDAs. During the extension period, the licensee will continue to comply with Milestones 1 through 7. This includes, for example, continuing to ensure that safety-related, important-to-safety (including BOP), and security CDAs are deterministically isolated from external networks; and continuing the use of controls of portable media and mobile devices connected to CDAs, including controls for the use of alone scanning kiosks and media. This also includes the continuation of security officer observations for CDAs supporting security functions and the implementation of technical cyber security controls.

In addition, Exelon has already implemented some of the required MS8 activities.

Specifically, many of the CDAs deterministically isolated from external networks described above are part of the MS8 scope of work. Additional MS8 activities that Exelon has implemented include (1) CDA configuration management; (2) cyber security incident response and recovery; (3) identification of rogue connections; and (4) CDA physical protections.

Exelon stated that it will continue to implement these MS8 activities during the extension period. The NRC staff finds that implementation of Milestones 1 through 7 and the additional MS8 activities will continue to provide protection against the most significant cyber attack vectors during the extension period. Once OCNGS permanently ceases operation no later than December 31, 2019, and permanently removes the fuel from the reactor vessel, there is a significant reduction in radiological risk and consequences of an accident or security event as compared to when it was operating.

The reactor, reactor coolant system, steam system, turbine generator, and supporting systems will no longer be in operation and will have no function related to the storage of the spent fuel; therefore, the spectrum of possible accidents is significantly smaller. There will be a corresponding decrease in the number of digital computers, communication systems, and networks.

As a result, the NRC staff finds that there will be a reduction in the number of attack pathways for cyber attack and the potential risk from a cyber attack at OCNGS will be reduced. For the reasons described above, the NRC has reasonable assurance that extending the date for implementation of the CSP to August 31, 2021, will provide adequate protection of the public health and safety and common defense and security.

Therefore, the NRC staff finds the proposed change acceptable.

As noted above, Exelon notified the NRC staff of its intent to permanently cease power operations at OCNGS no later than December 31, 2019. Exelon has also notified the NRC staff of its intent to subsequently submit a license amendment request to remove Condition 2.C.(4) from the OCNGS Renewed FOL. Pursuant to this amendment, Exelon will be required to implement MS8 by August 31, 2021, unless the NRC staff reviews and approves a subsequent license amendment to remove the requirement. 4.3 Revision to License Condition 2.C.(4) By letter dated April 10, 2017, the licensee proposed to modify paragraph 2.C.(4) of Renewed FOL No. DPR-16 for OCNGS which provides a license condition to require the licensees to fully implement and maintain in effect all provisions of the NRG-approved CSP. The license condition in paragraph 2.C.(4) of Renewed FOL No. DPR-16 for OCNGS is modified, in part, as follows: Exelon Generation Company shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The Exelon Generation Company CSP was approved by License Amendment No. 280 and modified by License Amendment Nos. 288 and 292. 4.4 NRC Staff Technical Evaluation Conclusion The NRC staff concludes that the licensee's request to extend OCNGS MS8 implementation date to August 31, 2021, provides reasonable assurance that adequate protection of the public health and safety and common defense and security for the following reasons: (i) the licensee's completion of Milestones 1 through 7 activities mitigate the most significant cyber attack vectors for the most significant CDAs; (ii) the licensee stated it will continue to ensure safety-related, important-to-safety, and security CDAs will be deterministically isolated from external networks, controls of portable media and mobile devices connected to CDAs will be continued, including controls for the use of stand-alone scanning kiosks and media; (iii) the implementation of technical cyber security controls and security officer observations by the licensee for CDAs supporting security functions will be continued during the proposed extension; and (iv) Exelon has already implemented certain MS8 activities including CDA configuration management; cyber security incident response and recovery; identification of rogue connections; and CDA physical protections.

5.0 STATE CONSULTATION

In accordance with the Commission's regulations, the New Jersey State official was notified of the proposed issuance of the amendment on September 6, 2017. The State official had no comments.

6.0 ENVIRONMENTAL

CONSIDERATION This amendment relates solely to safeguards matters and does not involve any significant construction impacts. This amendment is an administrative change to extend the date by which the licensee must have its CSP fully implemented.

The Commission has previously issued a proposed finding that the amendment involves no significant hazards consideration, and there has been no public comment on such finding (82 FR 23626; May 23, 2017). Accordingly, the amendment meets the eligibility criteria for categorical exclusion set forth in 1 O CFR 51.22(c)(12).

Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.

7.0 CONCLUSION

The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public. Principal Contributor:

S. Coker, NSIR/DPCP/CSB Date: December 22, 2017

SUBJECT:

OYSTER CREEK NUCLEAR GENERATING STATION -ISSUANCE OF AMENDMENT RE: LICENSE AMENDMENT REQUEST TO REVISE THE CYBER SECURITY MILESTONE 8 COMPLETION DATE (CAC NO. MF9550; EPID L-2017-LLA-0193)

DATED DECEMBER 22, 2017 DISTRIBUTION:

PUBLIC PM File Copy RidsACRS_MailCTR Resource RidsNrrDssStsb Resource RidsNrrDorlLspb Resource RidsNrrPMOysterCreek Resource RidsNrrLAJBurkhardt Resource RidsNrrLAIBetts Resource RidsRgn1 MailCenter Resource SCoker, NSIR/DPCP/CSB JBeardsley, NSIR/DPCP/CSB ADAMS Accession No.: ML 17289A222 OFFICE NRR/DORL/LSPB/PM NRR/DORL/LSPB/LAiT NAME Jlamb I Betts DATE 12/21/17 10/23/17 OFFICE OGC-NLO* NRR/DORL/LSPB/BC NAME NNoelliste DBroaddus (EMiller for) DATE 12/21/17 12/22/17 *via email NRR/DORL/LSPB/LA JBurkhardt 10/27/17 NRR/DORL/LSPB/PM JLamb 12/22/17 OFFICIAL RECORD COPY NSIR/DPCP/CSB/BC*

JBeardsley 12/21/17