ML093080517
December 14, 2009

Mr. Jack W. Roe
Director, Security Nuclear Generation Division
Nuclear Energy Institute
1776 I Street NW, Suite 400
Washington, DC 20006-3708

SUBJECT: PROPOSED IMPLEMENTATION SCHEDULE REQUIRED BY TITLE 10 OF THE CODE OF FEDERAL REGULATIONS 73.54 FOR CYBER SECURITY PLANS
Dear Mr. Roe:
On October 27, 2009, the U.S. Nuclear Regulatory Commission (NRC) staff conducted a telephone conference with members of the Nuclear Energy Institute (NEI), in part to discuss the site-specific cyber security plan proposed implementation schedules required by Title 10 of the Code of Federal Regulations (10 CFR) 73.54. This letter summarizes the NRC staff's position on this matter.
In accordance with 10 CFR 73.54, by November 23, 2009, each nuclear power plant licensee submitted a license amendment request for approval of its cyber security plan and proposed implementation schedule. The NRC recognizes that discussions on this subject have been ongoing, and having reviewed several proposed implementation schedules, is now in a position to provide NRC expectations for the proposed implementation schedules.
To facilitate a timely and effective NRC review of the proposed implementation schedule, the following information should be contained in the proposed implementation schedule:
1. The date when the licensee proposes to complete the implementation and will enter the maintenance phase of its NRC approved cyber security program. The staff's final approval of the amendment request will, in part, be contingent upon the final implementation date. Note that after staff has issued the amendment, deviations from the approved final date can only be made with prior NRC approval by way of a license amendment requested pursuant to 10 CFR 50.90.
2. Interim milestones that are designed to convey licensee progress toward the implementation date provided above. Examples of interim milestones include, but are not limited to: the date when the licensee intends to complete the establishment of its Cyber Security Team; the date when the licensee intends to complete identification of its Critical Digital Assets (CDAs); and the date when the licensee intends to complete mapping of controls to CDAs in the context of the defensive architecture. These examples are only intended to be descriptive of the type of milestones the NRC staff would find acceptable. However, each licensee should determine the appropriate interim milestones for their program on a site-by-site basis. Note that interim milestones may be managed through the licensee's commitment management program.
3. Information sufficient to allow NRC to perform its independent review and support the staff's findings on the adequacy and rationale for the proposed schedule.
The provisions of 10 CFR 73.54 are not significantly different from any of the previous requirements that mandate that digital assets supporting safety, security and emergency preparedness (SSEP) functions be protected. The 2002 Interim Compensatory Measures Order required that licensees identify all of their digital systems associated with SSEP and institute appropriate protective measures. In 2005, NRC endorsed NEI 04-04, "Cyber Security Program for Nuclear Power Plants," which provided a structured process for identifying digital assets that need to be protected from cyber attack, and licensees were to implement this program by 2008.
While full implementation of the cyber security program required by 10 CFR 73.54 may take some time, much of the work has already begun, and many aspects of the program should already be in place. Licensees should not wait until issuance of the license amendment for the Cyber Security Plan to begin implementing their cyber security programs.
Leveraging the work that has been done in response to related initiatives, licensees should determine the appropriate amount of time necessary to complete implementation of their cyber security programs on a site-specific basis, and provide an adequate justification as part of their application.
Please contact me if you need further clarification of this matter.
Sincerely,
/RA/
Richard Correia, Director
Division of Security Policy
Office of Nuclear Security and Incident Response

cc: All Operating Reactor License Holders
J. Giitter, NRR
D. Matthews, NRO
S. Collins, RI
L. Reyes, RII
M. Satorius, RIII
E. Collins, IV
ADAMS ACCESSION NO.: ML093080517

| OFFICE | NAME | DATE |
| --- | --- | --- |
| ISCPB/DDRS/DSP/NSIR | P. Pederson | 11/6/09 |
| ISCPB/DDRS/DSP/NSIR | C. Erlanger | 11/9/09 |
| DDRS/DSP/NSIR | S. Morris | 11/12/09 |
| RSOB/DDSO/DSO/NSIR | R. Costello | 11/19/09 |
| LPL3-1/ADRO/DORL/NRR | T. Wengert | 11/19/09 |
| DD/ADRO/DORL/NRR | A. Howe | 11/19/09 |
| RFC//GCLR/OGC | J. Zorn | 11/23/09 |
| DD/ADRO/DORL/NRR | A. Howe via e-mail | 12/11/09 |
| DSP/NSIR | R. Correia | 12/14/09 |

OFFICIAL RECORD COPY