ML22250A472, 17 April 2023: DG 5079 (RG 5.83 Rev 1) Regulatory Analysis
REGULATORY ANALYSIS
DRAFT REGULATORY GUIDE DG-5079
CYBERSECURITY EVENT NOTIFICATIONS
(Proposed Revision 1 of Regulatory Guide 5.83)
1. Statement of the Problem
In 2015, the U.S. Nuclear Regulatory Commission (NRC) promulgated Title 10 of the Code of Federal Regulations 73.77, "Cyber security event notifications," and published its associated guidance, Regulatory Guide (RG) 5.83, "Cyber Security Event Notifications." The final rule established requirements regarding the types of cyberattacks that require notification to the NRC, different timeframes for making notifications, how licensees make notifications, and how licensees submit written security follow-up reports to the NRC.
The current version of RG 5.83 does not reflect the lessons learned from operating experience and interim cybersecurity milestone inspections, or recent insights gained from international and domestic cybersecurity attacks and new technologies. In addition, the NRC recently published Revision 1 of RG 5.71, "Cybersecurity Programs for Nuclear Power Reactors," which includes changes to the definitions in the glossary that are also used in RG 5.83. Finally, the Nuclear Energy Institute (NEI) has requested endorsement of NEI 15-09, "Cybersecurity Event Notifications," Revision 1 (Agencywide Documents Access and Management System (ADAMS) Accession Number ML22298A228) as an acceptable method to meet the requirements of 10 CFR 73.77.
2. Objective
This revision of the guide would update RG 5.83 to include lessons learned from operating experience since the original publication of the guide. Specifically, this revision would incorporate editorial changes to align the guide with the current revision of NUREG-1379, Revision 3, "NRC Editorial Style Guide"; approve NEI 15-09, Revision 1 for use as an acceptable method to meet the requirements of 10 CFR 73.77; add discussion regarding eight-hour notifications for incidents involving devices residing on the same network as a critical digital asset (CDA) or devices that support CDAs; add examples of malicious activity observed on a boundary device protecting a network containing CDAs; and revise the glossary to align with definitions in RG 5.71, Revision 1.
3. Alternative Approaches
The NRC staff considered the following alternative approaches:
1. Do not revise RG 5.83.
2. Withdraw RG 5.83 without issuing a revised RG.
3. Develop a revised RG 5.83 to address the current methods and procedures.
Alternative 1: Do not revise RG 5.83
Under this alternative, the NRC would not revise RG 5.83 or issue additional guidance, and the current guidance would be retained. This alternative is considered the no-action alternative and provides a baseline condition from which any other alternatives will be assessed. If the NRC does not act, there would not be any changes in costs or benefit to the public or the NRC. However, the no-action alternative would not address identified concerns with the current version of the RG.
Alternative 2: Withdraw RG 5.83 without issuing a revised RG
Under this alternative, the NRC would withdraw this RG and would not issue a revised RG. Withdrawal of the guide would eliminate the important information already provided to commercial nuclear power plant licensees for complying with 10 CFR 73.77. It would also eliminate one of the only readily available descriptions of the methods the NRC staff considers acceptable for demonstrating compliance with 10 CFR 73.77. Licensees may, however, use methods other than those described in this guide to meet NRC regulations, if appropriately justified. Although this alternative would not involve significant resources, it would eliminate the public's accessibility to the most current NRC guidance available on cybersecurity event notification requirements.
Alternative 3: Develop a revised RG 5.83
Under this alternative, the NRC would develop and publish for comment DG-5079, a proposed revision of RG 5.83. This proposed revision would incorporate the latest information available to the NRC in the form of supporting guidance, practices, and lessons learned from operating experience developed since 2015. By revising RG 5.83, the NRC would ensure that the guidance related to cybersecurity event notifications is current, remains robust, and accurately reflects the staff's position.
The impact to the NRC would be the costs associated with preparing and issuing the revised RG. The impact to the public would be the voluntary costs associated with reviewing and providing comments to the NRC during the public comment period. NRC staff, licensees, and other stakeholders would benefit from the enhanced clarity and effectiveness of using an updated guidance document as a technical basis for demonstrating compliance with regulatory requirements for reporting cybersecurity events to the NRC.
Conclusion
Based on this regulatory analysis, the NRC staff concludes that issuance of a revision of RG 5.83 is warranted. The staff concludes that the proposed action will enhance a licensee's access to and understanding of the most current information available regarding cybersecurity event notifications required by 10 CFR 73.77 since the guide's original issuance.