ML22301A099

October 19, 2022, Summary of Public Meeting to Discuss the Nuclear Energy Institute's Project Plan to Revise NEI 08-09, Cyber Security Plan for Nuclear Power Reactors
ML22301A099
Person / Time
Issue date: 11/07/2022
From: Alexander Prada
NRC/NSIR/DPCP/CSB
To: Brian Yip
Office of Nuclear Security and Incident Response


Text

November 7, 2022

MEMORANDUM TO: Brian M. Yip, Chief
Cyber Security Branch
Division of Physical and Cyber Security Policy
Office of Nuclear Security and Incident Response

FROM: Alexander Prada, IT Specialist (Cyber) (Signed by Prada, Alexander on 11/07/22)
Cyber Security Branch
Division of Physical and Cyber Security Policy
Office of Nuclear Security and Incident Response

SUBJECT: SUMMARY OF OCTOBER 19, 2022, PUBLIC MEETING TO DISCUSS THE NUCLEAR ENERGY INSTITUTE'S PROJECT PLAN TO REVISE NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS

On October 19, 2022, the U.S. Nuclear Regulatory Commission (NRC) held an observation meeting to discuss the Nuclear Energy Institute's (NEI's) project plan on the proposed changes to NEI 08-09, Revision 6, Cyber Security Plan for Nuclear Power Reactors (Agencywide Documents Access and Management System (ADAMS) Accession No. ML17079A422). The meeting notice is available at ADAMS Accession No. ML22280A016. Approximately 60 participants, including NRC staff, industry representatives, and members of the public, attended the meeting.

The NRC approved use of NEI 08-09, Revision 6, on April 25, 2017 (ML17086A407). The purpose of this public meeting was to give NEI representatives an opportunity to discuss future development plans for the proposed changes and provide NRC staff and members of the public an opportunity to ask questions and provide feedback.

Following introductory remarks from the NRC and NEI, NEI provided an overview of its timeline for several milestones for the proposed revision to NEI 08-09. NEI provided the NRC an overview of the project plan schedule that includes the following key milestones:

April - October 2022: Document development and information NRC reviews;
October 2022: Public meeting;
November 2022: Initial submittal of white papers to NRC;
December 2022: Public meetings on white papers submitted to the NRC;
January 2023: Public meeting comments incorporated;
February 2023: Final submittal of all white papers;
April 2023: All white papers approved;
June 2023: All sections assembled into NEI 08-09, Revision 7;
August 2023: Initial submittal of NEI 08-09, Revision 7, to NRC;
September 2023: Public meeting to review NEI 08-09, Revision 7;
October 2023: Public meeting comments incorporated;
November 2023: Final submittal to NRC;
May 2024: NRC approval.

CONTACT: Alexander Prada, NSIR/DPCP 301-415-0875

NEI intends to develop white papers to revise guidance for vulnerability management and to develop new guidance for alternate security controls, ongoing monitoring and assessment, and implementation of wireless technologies for safety-related and important-to-safety equipment.

NEI created two teams for the revision of NEI 08-09. Core Team A will be responsible for NRC-approved addendums, security frequently asked questions (SFAQs), integration of NRC-approved letters, integrating all of Core Team B's final outputs, and integrating all initiative white papers. Core Team B will be responsible for approved white papers, NEI 10-04 Revision 3 (CDA determination), NEI 13-10 Revision 7 (CDA security control assessments), NEI 15-09 Revision 1 (cybersecurity event reporting), and updated definitions in Appendix B of NEI 08-09.

NEI stated that the industry was interested in receiving NRC approval of the white papers to allow the licensees to implement the revised or new guidance prior to final approval of the next revision of NEI 08-09. NRC staff stated that full approval of the white papers for implementation may require a Congressional Review Act (CRA) review if the white papers are treading new ground from a policy/guidance perspective. As a result, this approach would require the content to undergo CRA review twice, once as a white paper and again during the review and approval of NEI 08-09. NRC noted other options to receive NRC review of the white papers short of full approval, including providing feedback during a public meeting or providing written feedback on the approaches proposed.

In response to a question from NEI on the review time required for the white papers, NRC staff noted that if the white papers required full staff review and were subject to the CRA, this would likely impact NEI's proposed schedule. The NRC stated that any major change or revision to NEI guidance must be reviewed by the appropriate NRC staff to determine if the proposed changes to NEI 08-09 Revision 6, Addendum 1 will be subject to the CRA review.

Regarding wireless technology, NEI noted that this technical report will be a separate but related effort. NEI plans to propose removing the prohibition on the use of wireless technology in NEI 08-09. The technical report will propose an approach for introducing wireless technology for safety-related or important-to-safety systems that applies the alternative control provisions in section 3.1.6 of the current cybersecurity plans. NRC staff noted that since the staff had not yet seen NEI's proposed approach, it had not yet determined whether the approach could be implemented as an alternative control.

The staff concluded the meeting by noting that it plans to review the various white papers and revision to NEI 08-09 at a level of effort requested by NEI, but recommended that NEI consider the NRC staff output requested as this could significantly impact the level of effort and review time.

Memo ML22301A099

OFFICE   NSIR/DPCP/CSB   NSIR/DPCP/CSB   NSIR/DPCP/CSB
NAME     APrada AP       BYip BY         APrada AP
DATE     Nov 3, 2022     Nov 3, 2022     Nov 7, 2022