|
---|
Category:Request for Additional Information (RAI)
MONTHYEARML23338A3172023-12-0606 December 2023 Notification of NRC Baseline Inspection and Request for Information; Inspection Report 05000346/2024001 ML23193A7842023-07-13013 July 2023 Information Request for the Cyber-Security Baseline Inspection, Notification to Perform Inspection 05000346/2023402 ML23131A2732023-05-15015 May 2023 Notification of NRC Supplemental Inspection 95001 and Request for Information ML23033A0322023-02-0101 February 2023 NRR E-mail Capture - Request for Additional Information for Davis-Besse's 2022 Steam Generator Inspection Report (L-2022-LRO-0115) ML22357A0302022-12-23023 December 2022 Request for Information for NRC Commercial Grade Dedication Inspection: Inspection Report 05000346/2023010 ML22266A1102022-09-23023 September 2022 NRR E-mail Capture - Davis-Besse Nuclear Power Station, Unit No. 1 - Request for Additional Information Regarding July 21, 2022, Request for Withholding Information from Public Disclosure ML22214A7042022-08-0202 August 2022 Reissue - Davis-Besse Nuclear Power Station, Unit 1 Notification of Nrc Fire Protection Team Inspection Request for Information: Inspection Report 05000346/2022011 ML22187A0992022-07-0606 July 2022 Notification of NRC Supplemental Inspection (95001) and Request for Information ML22164A8572022-06-13013 June 2022 NRR E-mail Capture - Davis-Besse Nuclear Power Station, Unit No. 1 - Request for Additional Information Regarding License Amendment Request to Revise the Emergency Plan ML22118A6862022-04-28028 April 2022 NRR E-mail Capture - Davis-Besse Nuclear Power Station, Unit No. 1 - Request for Additional Information Regarding Alternative to Extend the Steam Generator Weld Inspection Interval ML22112A1092022-04-22022 April 2022 NRR E-mail Capture - Davis-Besse Nuclear Power Station, Unit No. 1 - Request for Additional Information Regarding License Amendment Request to Revise the Design Basis for the Shield Building ML22055A0872022-02-23023 February 2022 NRR E-mail Capture - Davis-Besse Nuclear Power Station, Unit No. 1 - Request for Additional Information Regarding Relief Request RP-3 IR 05000346/20210912021-12-17017 December 2021 NRC Inspection Report (05000346/2021091) Preliminary Greater than Green Finding ML21321A3792021-11-16016 November 2021 NRR E-mail Capture - Davis-Besse Nuclear Power Station, Unit No. 1 - Request for Additional Information Regarding Alternative to Extend the Steam Generator Weld Inspection Interval ML21301A0992021-10-28028 October 2021 Draft Request for Additional Information: Proposed Alternate for Examination of Steam Generator Welds - Energy Harbor Nuclear Corp., Davis-Besse Nuclear Power Station, Unit No. 1 ML21203A3252021-07-28028 July 2021 Request for Information for an NRC Triennial Baseline Design Bases Assurance Inspection (Team): Inspection Report 05000346/2021011 ML21155A1952021-06-0404 June 2021 Information Request to Support Upcoming Problem Identification and Resolution (Pi&R) Inspection at Davis Besse Nuclear Power Station ML21041A5452021-02-10010 February 2021 NRR E-mail Capture - Davis-Besse Nuclear Power Station, Unit No. 1 - Request for Additional Information Regarding Steam Generator Tube Inspection Reports ML21007A3732021-01-0707 January 2021 NRR E-mail Capture - (External_Sender) (External) Request for Additional Information Regarding License Amendment Request to Incorporate the Applicable Standard Technical Specification 5.2.2, Unit Staff, ML21004A1442020-12-30030 December 2020 NRR E-mail Capture - Request for Additional Information Regarding License Amendment Request to Incorporate the Applicable Standard Technical Specification 5.2.2, Unit Staff ML20300A5592020-10-27027 October 2020 Notification of an NRC Biennial Licensed Operator Requalification Program Inspection and Request for Information ML20154K7642020-06-0202 June 2020 NRR E-mail Capture - Davis-Besse Nuclear Power Station, Unit No. 1 - Request for Additional Information Regarding License Amendment Request to Adopt TSTF-425 ML20133J9792020-05-14014 May 2020 Information Request to Support the NRC Annual Baseline Emergency Action Level and Emergency Plan Changes Inspection ML20127H8672020-05-0606 May 2020 NRR E-mail Capture - Beaver Valley, Davis-Besse, and Perry - Request for Additional Information Regarding Request for Exemptions from Part 73 Security Requalification Requirements ML20021A3162020-01-21021 January 2020 NRR E-mail Capture - Davis-Besse Nuclear Power Station - Request for Additional Information Regarding License Amendment Request to Revise Containment Leakage Rate Testing ML19192A2222019-07-18018 July 2019 Request for Additional Information Regarding Application for Order Consenting to Transfer of Licenses and Conforming License Amendments ML19179A1382019-06-28028 June 2019 NRR E-mail Capture - Davis-Besse - Request for Additional Information Regarding the Decommissioning Quality Assurance Program ML19164A1532019-06-13013 June 2019 NRR E-mail Capture - Davis-Besse Nuclear Power Station - Request for Additional Information Regarding License Amendment Request for Post-Shutdown Emergency Plan ML19162A3922019-06-11011 June 2019 NRR E-mail Capture - Davis-Besse Nuclear Power Station - Request for Additional Information Regarding License Amendment Request for Permanently Defueled Technical Specifications ML19143A0732019-05-29029 May 2019 FENOC Fleet - Beaver Valley, Units 1 and 2; Davis-Besse, Unit 1, Perry, Unit 1 - Supplemental Information Needed for Acceptance of Requested Licensing Action; Application for Order Consenting to License Transfer and Conforming Amendments ML18305B0192018-11-0101 November 2018 18 Davis-Besse Nuclear Power Station - Notification of an NRC Biennial Licensed Operator Requalification Program Inspection and Request for Information(Rdb) ML18201A4122018-07-19019 July 2018 NRR E-mail Capture - Davis-Besse - Request for Additional Information Regarding License Amendment Request to Adopt NFPA 805 ML18190A4902018-07-0909 July 2018 Request for Information for an NRC Triennial Baseline Design Bases Assurance Inspection (Team), Inspection Report 05000346/2018011 (DRP-DXB) ML18102B0852018-04-12012 April 2018 NRR E-mail Capture - Follow-up Request for Additional Information (RAI) FENOC FLEET-- Exemption Request for a Physical Barrier Requirement for Beaver ML18043A0102018-02-0909 February 2018 NRR E-mail Capture - FENOC--MG0010-MG0011, MG-0012, MG0013-- Request for Additional Information (RAI) - Exemption Request Security Barrier in Physical Plans ML17355A3722017-12-21021 December 2017 NRR E-mail Capture - Davis-Besse Nuclear Power Station, Unit No. 1 - Request for Additional Information Regarding License Amendment Request to Adopt NFPA 805 ML17303B1582017-11-0707 November 2017 FENOC-Beaver Valley Power Station, Units 1 and 2, Davis-Besse Nuclear Power Station, Unit 1, Perry Nuclear Power Plant Unit 1 - Generic Letter 2016-01, Request for Supplemental Information ML17257A1402017-09-14014 September 2017 NRR E-mail Capture - Davis-Besse Nuclear Power Station, Unit No. 1 - Request for Additional Information Regarding License Amendment Request to Adopt NFPA 805 ML17135A3612017-05-12012 May 2017 Information Request for NRC Triennial Evaluations of Changes, Tests, and Experiments (50.59) Baseline Inspection 05000346/2017010 (Jvb) ML17129A4112017-05-0909 May 2017 Request for Additional Information Regarding Evaluation Submitted in Response to License Renewal Commitment No. 54 ML17100A1732017-04-19019 April 2017 Request for Additional Information Regarding License Amendment Request to Adopt National Fire Protection Associated Standard 805 ML16364A2792017-01-23023 January 2017 Request for Additional Information Regarding License Renewal Commitment No. 42 ML16355A0352016-12-19019 December 2016 Ltr 12/19/16 Davis-Besse Nuclear Power Station, Unit 1 - Information Request for an NRC Post-Approval Site Inspection for License Renewal 05000346/2017009 (Bxj) ML16256A0662016-10-18018 October 2016 Request for Additional Information Regarding License Amendment Request to Adopt National Fire Protection Associated Standard 805 ML16196A0152016-07-22022 July 2016 Request for Additional Information Regarding Amendment Request to Revise Emergency Action Level Scheme L-16-122, Completion of Required Action by NRC Order EA-12-051, Reliable Spent Fuel Pool Instrumentation2016-06-24024 June 2016 Completion of Required Action by NRC Order EA-12-051, Reliable Spent Fuel Pool Instrumentation ML16060A0122016-02-29029 February 2016 FENOC - Email RAI to Licensee Regarding LAR for Changes to TS 5.3.1 CAC Nos. MF7118, MF7119, and MF7120 ML16047A1452016-02-22022 February 2016 Supplemental Information Needed for Acceptance of License Amendment Request to Adopt National Fire Protection Associated Standard 805 ML16019A3972016-01-20020 January 2016 Request for Additional Information Related to Amendment Request for Emergency Diesel Generator Minimum Voltage Surveillance Requirements ML15222A1792015-09-21021 September 2015 Request for Additional Information Related to Amendment Request for Emergency Diesel Generator Minimum Voltage Surveillance Requirements (TAC No. MF6060)(L-15-117) 2023-07-13
[Table view] Category:Letter
MONTHYEARIR 05000346/20243012024-02-0202 February 2024 NRC Initial License Examination Report 05000346/2024301 IR 05000346/20230042024-01-31031 January 2024 Integrated Inspection Report 05000346/2023004 ML23313A1352024-01-17017 January 2024 Authorization and Safety Evaluation for Alternative Request RP 5 for the Fifth 10 Year Interval Inservice Testing Program ML23353A1192023-12-19019 December 2023 Operator Licensing Examination Approval Davis Besse Nuclear Power Station, January 2024 L-23-260, Corrections to the 2022 Combined Annual Radiological Environmental Operating Report and Radioactive Effluent Release Report for the Davis-Besse Nuclear Power Station2023-12-0707 December 2023 Corrections to the 2022 Combined Annual Radiological Environmental Operating Report and Radioactive Effluent Release Report for the Davis-Besse Nuclear Power Station L-23-243, Independent Spent Fuel Storage Installation - Request for Exemption from Enhanced Weapons, Firearms Background Checks, and Security Event Notifications Implementation2023-12-0606 December 2023 Independent Spent Fuel Storage Installation - Request for Exemption from Enhanced Weapons, Firearms Background Checks, and Security Event Notifications Implementation ML23338A3172023-12-0606 December 2023 Notification of NRC Baseline Inspection and Request for Information; Inspection Report 05000346/2024001 IR 05000346/20234032023-11-0202 November 2023 Security Baseline Inspection Report 05000346/2023403 ML23293A0612023-11-0101 November 2023 Letter to the Honorable Marcy Kaptur, from Chair Hanson Responds to Letter Regarding Follow Up on Concerns Raised by Union Representatives During the June Visit to the Davis-Besse Nuclear Power Plant L-23-215, Changes to Emergency Plan2023-10-19019 October 2023 Changes to Emergency Plan ML23237B4222023-09-28028 September 2023 Energy Harbor Nuclear Corp. - Vistra Operations Company LLC - Letter Regarding Order Approving Transfer of Licenses and Draft Conforming License Amendments ML23269A1242023-09-27027 September 2023 Request for Withholding Information from Public Disclosure IR 05000346/20234012023-09-13013 September 2023 Security Baseline Inspection Report 05000346/2023401 (Public) L-23-205, Supplement to Application for Order Consenting to Transfer of Licenses and Conforming License Amendments2023-09-12012 September 2023 Supplement to Application for Order Consenting to Transfer of Licenses and Conforming License Amendments L-23-172, Quality Assurance Program Manual2023-08-31031 August 2023 Quality Assurance Program Manual IR 05000346/20230112023-08-30030 August 2023 Biennial Problem Identification and Resolution Inspection Report 05000346/2023011 ML23129A1722023-08-25025 August 2023 Request for Withholding Information from Public Disclosure for Beaver Valley Power Station, Units 1 and 2; Davis Besse Nuclear Power Station, Unit 1; and Perry Nuclear Power Plant, Unit 1 IR 05000346/20230052023-08-24024 August 2023 Updated Inspection Plan for Davis-Besse Nuclear Power Station (Report 05000346/2023005) L-23-188, Energy Harbor Nuclear Corp., Supplement to Application for Order Consenting to Transfer of Licenses and Conforming License Amendments2023-08-0707 August 2023 Energy Harbor Nuclear Corp., Supplement to Application for Order Consenting to Transfer of Licenses and Conforming License Amendments IR 05000346/20230502023-08-0303 August 2023 Special Inspection Report 05000346/2023050 IR 05000346/20230902023-08-0101 August 2023 EA-23-002 Davis-Besse Nuclear Power Station - NRC Inspection Report No. 05000346/2023090 (Public) ML23178A2742023-08-0101 August 2023 Letter to the Honorable Marcy Kaptur from Chair Hanson Responds to Letter Regarding the License Transfer Application for the Davis-Besse Nuclear Power Station L-23-175, Submittal of Fifth Ten Year Inservice Testing Program2023-08-0101 August 2023 Submittal of Fifth Ten Year Inservice Testing Program IR 05000346/20230022023-07-27027 July 2023 Integrated Inspection Report 05000346/2023002 ML23193A7842023-07-13013 July 2023 Information Request for the Cyber-Security Baseline Inspection, Notification to Perform Inspection 05000346/2023402 ML23178A2422023-06-28028 June 2023 Reassignment of the U.S. Nuclear Regulatory Commission Branch Chief in the Division of Operating Reactor Licensing for Plant Licensing Branch III ML23160A2342023-06-13013 June 2023 Confirmation of Initial License Examination L-23-034, 2022 Annual 10 CFR 50.46 Report of Changes to or Errors in Emergency Core Cooling System Evaluation Models2023-06-13013 June 2023 2022 Annual 10 CFR 50.46 Report of Changes to or Errors in Emergency Core Cooling System Evaluation Models IR 05000346/20235012023-06-13013 June 2023 Emergency Preparedness Biennial Exercise Inspection Report 05000346/2023501 L-23-135, Response to Regulatory Issue Summary 2023-01, Preparation and Scheduling of Operator Licensing Examinations2023-05-31031 May 2023 Response to Regulatory Issue Summary 2023-01, Preparation and Scheduling of Operator Licensing Examinations L-23-065, Annual Financial Report2023-05-22022 May 2023 Annual Financial Report ML23124A1742023-05-17017 May 2023 Energy Harbor Fleet Vistra License Transfer - Request for Withholding Information from Public Disclosure for Commance Peak Plant, Units 1 & 2, Beaver Valley Station, Units 1 & 2, Davis Besse Station, Unit 1 and Perry Plant, Unit 1 ML23129A0112023-05-16016 May 2023 Notice of Consideration of Approval of Indirect and Direct License Transfer for Comanche Peak Plant, Units 1 & 2, Beaver Valley Station, Units 1 & 2, Davis Besse Station, Unit 1 and Perry Plant, Unit 1 (EPID L-2023-LLM-0000) (Letter) ML23131A2732023-05-15015 May 2023 Notification of NRC Supplemental Inspection 95001 and Request for Information L-23-101, Combined Annual Radiological Environmental Operating Report and Radioactive Effluent Release Report for the Davis-Besse Nuclear Power Station - 20222023-05-12012 May 2023 Combined Annual Radiological Environmental Operating Report and Radioactive Effluent Release Report for the Davis-Besse Nuclear Power Station - 2022 L-23-131, Readiness for Resumption of NRC Supplemental Inspection2023-05-12012 May 2023 Readiness for Resumption of NRC Supplemental Inspection IR 05000346/20230102023-05-0909 May 2023 Commercial Grade Dedication Inspection Report 05000346/2023010 ML23123A1272023-05-0303 May 2023 Information Request to Support Upcoming Problem Identification and Resolution Inspection at Davis-Besse Nuclear Power Station IR 05000346/20230012023-05-0101 May 2023 Integrated Inspection Report 05000346/2023001 and 07200014/2022001 L-23-092, Occupational Radiation Exposure Report for Year 20222023-04-27027 April 2023 Occupational Radiation Exposure Report for Year 2022 ML23111A1972023-04-26026 April 2023 Information Meeting with Question and Answer Session to Discuss NRC 2022 End-of-Cycle Plant Performance Assessment of Davis-Besse Nuclear Power Plant Station ML23114A1062023-04-25025 April 2023 Information Request to Support the NRC Annual Baseline Emergency Action Level and Emergency Plan Changes Inspection CP-202300181, ISFSI, Beaver Valley, Units 1 and 2, ISFSI, Davis-Besse, Unit 1, ISFSI, Perry, Unit 1, ISFSI, Corrected Affidavit for Application for Order Consenting to Transfer of Licenses and Conforming License Amendments2023-04-20020 April 2023 ISFSI, Beaver Valley, Units 1 and 2, ISFSI, Davis-Besse, Unit 1, ISFSI, Perry, Unit 1, ISFSI, Corrected Affidavit for Application for Order Consenting to Transfer of Licenses and Conforming License Amendments CP-202300157, ISFSI, Beaver Valley, Units 1 and 2, ISFSI, Davis-Besse, Unit 1, ISFSI, Perry, Unit 1, and ISFSI, Application for Order Consenting to Transfer of Licenses and Conforming License Amendments2023-04-14014 April 2023 ISFSI, Beaver Valley, Units 1 and 2, ISFSI, Davis-Besse, Unit 1, ISFSI, Perry, Unit 1, and ISFSI, Application for Order Consenting to Transfer of Licenses and Conforming License Amendments ML23096A1382023-04-11011 April 2023 Review of the Spring 2022 Steam Generator Tube Inspection Report L-23-061, Submittal of the Decommissioning Funding Status Reports2023-03-31031 March 2023 Submittal of the Decommissioning Funding Status Reports L-23-037, and Perry Nuclear Power Plant - Independent Spent Fuel Storage Installation Changes, Tests, and Experiments2023-03-29029 March 2023 and Perry Nuclear Power Plant - Independent Spent Fuel Storage Installation Changes, Tests, and Experiments L-23-066, Annual Notification of Property Insurance Coverage2023-03-21021 March 2023 Annual Notification of Property Insurance Coverage ML23066A2892023-03-14014 March 2023 Request for Threshold Determination Under 10 CFR 50.80 and 10 CFR 72.50 for an Amendment to the Voting Agreement ML23066A2592023-03-14014 March 2023 Request for Withholding Information from Public Disclosure for Beaver Valley Power Station, Units 1 and 2, Davis Besse Nuclear Power Station, Unit 1, and Perry Nuclear Power Plant, Unit 1 2024-02-02
[Table view] |
Text
..."R REGUt _ UNITED STATES
,," "i)
NUCLEAR REGULATORY COMMISSION C>,).'" 0'1'....
~ Cl WASHINGTON, D.C. 20555-0001
<< 0 Iii : March 10,2011
~ {;j
\(',. ~
'l-" ~O
Mr. Barry S. Allen Site Vice President FirstEnergy Nuclear Operating Company Davis-Besse Nuclear Power Station Mail Stop A-DB-3080 5501 North State Route 2 Oak Harbor, OH 43449-9760
SUBJECT:
DAVIS-BESSE NUCLEAR POWER STATION, UNIT NO.1 - REQUEST FOR ADDITIONAL INFORMATION RELATED TO THE LICENSE AMENDMENT REQUEST FOR APPROVAL OF DAVIS-BESSE CYBER SECURITY PLAN (TAC NO. ME4341)
Dear Mr. Allen:
By letter to the Nuclear Regulatory Commission (NRC) dated July 16, 2010 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML102020203), as supplemented by letters dated September 28, and November 23,2010 (ADAMS Accession Nos.
ML102740569 and ML103350171, respectively), and February 1,2011 (ADAMS Accession No. ML110390058), FirstEnergy Nuclear Operating Company (FENOC or the licensee), submitted a license amendment request for approval of the Davis-Besse Nuclear Power Station, Unit 1, Cyber Security Plan.
The NRC staff is reviewing your submittal and has determined that additional information is required to complete the review. The specific information requested is addressed in the enclosure to this letter. During a discussion with your staff on March 8, 2011, it was agreed that you would provide a response within 30 days from the date of this letter.
The NRC staff considers that timely responses to requests for additional information help ensure sufficient time is available for NRC staff review and contribute toward the NRC's goal of efficient and effective use of NRC staff resources. If circumstances result in the need to revise the requested response date, please contact me at (301) 415-3867.
Sinrei11JJIA ichael Mahoney, Project Ma Plant Licensing Branch 111-2 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket No. 50-346
Enclosure:
Request for Additional Information cc w/encl: Distribution via Listserv
REQUEST FOR ADDITIONAL INFORMATION (RAI)
DAVIS-BESSE NUCLEAR POWER STATION, UNIT NO.1 DOCKET NO. 50-346 The Nuclear Regulatory Commission (NRC, the Commission) staff has reviewed the July 16, 2010 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML102020203) as supplemented by letters dated September 29, and November 29,2010 (ADAMS Accession Nos. ML192899417) and. ML103350211, respectively), and February 15, 2011 (ADAMS Accession No. ML110540414), FirstEnergy Nuclear Operating Company submittal regarding the request for approval of the Davis-Besse Nuclear Power Station (DBNPS),
Unit 1, Cyber Security Plan (CSP). The NRC staff has determined that the following information is needed in order to complete its review:
RAI 1: Records Retention Title 10 of the Code of Federal Regulations (10 CFR), Paragraph 73.54(c)(2), requires licensees to design a cyber security program to ensure the capability to detect, respond to, and recover from cyber attacks. Furthermore, 10 CFR 73.54(e)(2)(i) requires licensees to maintain a CSP that describes how the licensee will maintain the capability for timely detection and response to cyber attacks. The ability for a licensee to detect and respond to cyber attacks requires accurate and complete records and is further supported by 10 CFR 73.54(h), which states that the licensee shall retain all records and supporting technical documentation required to satisfy the requirements of 10 CFR 73.54 as a record until the Commission terminates the license for which the records were developed and shall maintain superseded portions of these records for at least 3 years after the record is superseded, unless otherwise specified by the Commission.
The licensee's CSP, Section 4.13, states that Critical Digital Asset (CDA) audit records and audit data (e.g., operating system logs, network device logs) are retained for a period of time that is less than what is required by 10 CFR 73.54(h).
Explain the deviation from the 10 CFR 73.54(h) requirement to retain records and supporting technical documentation until the Commission terminates the license (or to maintain superseded portions of these records for at least 3 years) and how that meets the requirements of 10 CFR 73.54.
RAI 2: Implementation Schedule The regulation at 10 CFR 73.54, "Protection of digital computer and communication systems and networks," requires licensees to submit a CSP that satisfies the requirements of this section for Commission review and approval. Furthermore, each submittal must include a proposed implementation schedule and the implementation of the licensee's cyber security program must be consistent with the approved schedule. Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including, the design basis threat.
The completion of several key intermediate milestones, (Items (a) through (g) below), would demonstrate progress toward meeting the requirements of 10 CFR 73.54. The NRC staffs ENCLOSURE
-2 expectation is that the key intermediate milestones will be completed in a timely manner, but no later than December 31,2012. The key CSP implementation milestones are as follows:
Establish, train and qualify Cyber Security Assessment Team, as described in Section 3.1.2, "Cyber Security Assessment Team," of the CSP is as follows:.
(a) Identify Critical Systems and CDAs, as described in Section 3.1.3, "Identification of Critical Digital Assets," of the CSP.
(b) Implement cyber security defense-in-depth architecture by installation of
[deterministic one-way] devices, as described in Section 4.3, "Defense-In-Depth Protective Strategies" of the CSP.
(c) Implement the management, operational and technical cyber security controls that address attacks promulgated by use of portable media, portable devices, and portable equipment as described in Appendix D, Section 1.19, "Access Control for Portable and Mobile Devices," of the Nuclear Energy Institute's (NEI) 08-09, Revision 6.
(d) Implement observation and identification of obvious cyber-related tampering to existing insider mitigation rounds as described in Appendix E, Section 4.3, "Personnel Performing Maintenance and Testing Activities," and Appendix E, Section 10.3, "Baseline Configuration," of NEI 08-09, Revision 6.
(e) Identify, document, and implement cyber security controls to physical security target set CDAs in accordance with Section 3.1.6, "Mitigation of Vulnerabilities and Application of Cyber Security Controls," of the CSP.
(f) Ongoing monitoring and assessment activities will commence for those target set CDAs whose security controls have been implemented, as described in Section 4.4, "Ongoing Monitoring and Assessment," of the CSP (g) Full implementation of the CSP for all safety, security, and emergency preparedness functions.
Provide a revised CSP implementation schedule that identifies the appropriate milestones, completion dates, supporting rationale, and level of detail to allow the NRC to evaluate the licensee's proposed schedule and associated milestone dates which include the final completion date. It is the NRC's intention to develop a license condition incorporating your revised CSP implementation schedule containing the key milestone dates.
RAI 3: Scope of Systems Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including, the design basis threat as described in 10 CFR 73.1. In addition, 10 CFR 73.54(a)(1) states that the licensee shall protect digital computer and communication systems and networks associated with:
-3 (i) Safety-related and important-to-safety functions; (H) Security functions; (iii) Emergency preparedness functions, including offsite communications; and (iv) Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.
Subsequent to the issuance of the cyber security rule, the NRC stated that 10 CFR 73.54 should be interpreted to include structures, systems, and components (SSCs) in the balance of plant (BOP) that have a nexus to radiological health and safety (ADAMS) Accession No. ML103490344, dated November 19, 2010). The SSCs in the BOP are those that could directly or indirectly affect reactivity of a nuclear power plant and could result in an unplanned reactor shutdown or transient and are therefore, within the scope of important-to-safety functions described in 10 CFR 73.54(a)(1). Furthermore, the NRC issued a letter to NEI, dated January 5, 2011 (ADAMS Accession No. ML103550480), that provided licensees with additional guidance on one acceptable approach to comply with the Commission's policy determination.
Explain how the scoping of systems provided by the Davis-Besse CSP meets the requirements of 10 CFR 73.54 and the additional guidance provided by the NRC.
RAI 4: Definition of Cyber Incident Paragraph 73.54(e)(2) of 10 CFR requires that "the cyber security plan must include measures for incident response and recovery for cyber attacks." The definition of "incident" that the NRC finds acceptable, and as stated in Regulatory Guide 5.71, is as follows: "Occurrence, caused by either human action or natural phenomena that may cause harm and that may require action."
Furthermore, NEI 08-09, Revision 6, Appendix B (Glossary) guidance, defines cyber incident as "a digital-related adverse condition."
In the RAI submitted to the licensee on January 20,2011, the NRC asked the licensee to "please explain why Davis-Besse's CSP does not include a definition for 'cyber incident.'" The licensee's response to the NRC on this question, dated February 1, 2011, states:
"The DBNPS Cyber Security Plan does not include a definition for "cyber incident" because the phrase "cyber incident" is not used in the Cyber Security Plan. The phrase "cyber incident" would be defined within FENOC procedures. No revision to the DBNPS Cyber Security Plan is required."
The Davis-Besse CSP makes 17 references to NEI 08-09 Appendix E (Operational and Management Controls), describing the CSP's implementation of the controls listed in that document. Section 4.6 of the Davis-Besse CSP lists six Incident Response topics that, it notes, are discussed in NEI 08-09, Appendix E. NEI 08-09, Appendix E, discusses controls that describe an organization's responsibilities for addressing cyber incidents (e.g., Section 7, Attack
- 4 Mitigation and Incident Response), and the detailed descriptions use various forms of the term "cyber incident." For example, the term "cyber security incident" or "cyber incident" is used in the following manner:
- Section 7.4 (Incident Handling), the control tasks the organization with "identification of what constitutes a cyber security incident"
- Section 7.6 (Incident Response Assistance), the control states that the organization provides support personnel who offer advice and assistance to users "in response to and reporting of cyber security incidents;"
- Section 9.2 (Awareness Training), the control states that the organization must establish, implement, and document "training to include practical exercises to simulate actual cyber incidents."
Because the CSP references controls that use the term "cyber incidents" in the areas of training, attack mitigation, incident response and recovery, and audit generation, as well as establishing a Computer Security Incident Response Team, it is clear that "cyber incident" is an integral component of the Davis-Besse cyber security program. Please provide a definition of "cyber incident" such that the NRC staff can determine if the associated actions fully comply with 10 CFR Section 73.54.
ML102740569 and ML103350171, respectively), and February 1, 2011 (ADAMS Accession No. ML110390058), FirstEnergy Nuclear Operating Company (FENOC or the licensee), submitted a license amendment request for approval of the Davis-Besse Nuclear Power Station, Unit 1, Cyber Security Plan.
The NRC staff is reviewing your submittal and has determined that additional information is required to complete the review. The specific information requested is addressed in the enclosure to this letter. During a discussion with your staff on March 8, 2011, it was agreed that you would provide a response within 30 days from the date of this letter.
The NRC staff considers that timely responses to requests for additional information help ensure sufficient time is available for NRC staff review and contribute toward the NRC's goal of efficient and effective use of NRC staff resources. If circumstances result in the need to revise the requested response date, please contact me at (301) 415-3867.
Sincerely, IRA!
Michael Mahoney, Project Manager Plant Licensing Branch 111-2 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket No. 50-346
Enclosure:
Request for Additional Information cc w/encl: Distribution via Listserv DISTRIBUTION:
- PUBLIC LPL3-2 RlF RidsNrrDorlLpl3-2 Resource RidsNrrPMDavis-Besse Resource RidsNrrLASRohrer Resource RidsAcrsAcnw_MailCTR Resource RidsOgcRp Resource RidsRgn3MailCenter Resource RidsNrrDorlDpr Resource CErianger, NSIR PPederson, NSIR ADAMS Accession No. ML110670546 *By Memo Dated NRR-088 OFFICE LPL3-2IPM LPL3-2JLA NSIRIDSP/ISCPB LPL3-21BC LPL3-21PM MMahoney NAME SRohrer CErlanger RCarlson MMahoney (NDiFrancesco for) 3/8/11 319111 2/18/11 & 3/4111