Issuance of Amendment Nos. 204, 204, and 204 to Modify the Completion Date for Implementation of Milestone 8 of the Cyber Security Plan

ML17254A499
Person / Time
Site:	Palo Verde
Issue date:	09/27/2017
From:	Siva Lingam Plant Licensing Branch IV
To:	Bement R Arizona Public Service Co
Lingam S, NRR/DORL/LPLIV, 301-415-1564
References
CAC MF9833, CAC MF9834, CAC MF9835
Download: ML17254A499 (20)
v • d • e

Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 Mr. Robert S. Bement Executive Vice President Nuclear/

Chief Nuclear Officer Mail Station 7602 Arizona Public Service Company P.O. Box 52034 Phoenix, AZ 85072-2034 September 27, 2017

SUBJECT:

PALO VERDE NUCLEAR GENERATING STATION, UNITS 1, 2, AND 3 -

ISSUANCE OF AMENDMENTS TO MODIFY THE COMPLETION DATE FOR IMPLEMENTATION OF MILESTONE 8 OF THE CYBER SECURITY PLAN (CAC NOS. MF9833, MF9834, AND MF9835)

Dear Mr. Bement:

The U.S. Nuclear Regulatory Commission (the Commission) has issued the enclosed Amendment No. 204 to Renewed Facility Operating License No. NPF-41, Amendment No. 204 to Renewed Facility Operating License No. NPF-51, and Amendment No. 204 to Renewed Facility Operating License No. NPF-74 for the Palo Verde Nuclear Generating Station (PVNGS),

Units 1, 2, and 3, respectively. The amendments consist of changes to modify the completion date for implementation of Milestone 8 of the Cyber Security Plan (CSP) in response to your application dated June 14, 2017.

The NRC staff initially reviewed and approved the licensee's original CSP implementation schedule by Amendment No. 185 dated July 26, 2011, to Renewed Facility Operating Licenses NPF-41, NPF-51, and NPF-74 for PVNGS, Units 1, 2, and 3, concurrent with the incorporation of the CSP into the facility's current licensing basis. Subsequently, the NRC staff reviewed and approved the licensee's current CSP implementation schedule by Amendment No. 190 dated December 13, 2013. This schedule required PVNGS to fully implement and maintain all provisions of the CSP no later than September 30, 2017.

The proposed amendments extend the CSP Milestone 8 completion date from September 30, 2017, to December 31, 2017. The amendments revise paragraph 2.E of Renewed Facility Operating License Nos. NPF-41, NPF-51, and NPF-74 for PVNGS, Units 1, 2, and 3, respectively, to incorporate the revised CSP implementation schedule.

A copy of the related Safety Evaluation is also enclosed. The Notice of Issuance will be included in the Commission's next biweekly Federal Register notice.

Docket Nos. STN 50-528, STN 50-529, and STN 50-530

Enclosures:

1. Amendment No. 204 to NPF-41

2. Amendment No. 204 to NPF-51

3. Amendment No. 204 to NPF-74

4. Safety Evaluation cc w/encls: Distribution via Listserv Sincerely,

~~r*~

Siva P. Lingam, Project Manager Plant Licensing Branch IV Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 ARIZONA PUBLIC SERVICE COMPANY, ET AL.

DOCKET NO. STN 50-528 PALO VERDE NUCLEAR GENERATING STATION, UNIT 1 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 204 License No. NPF-41

1.

The Nuclear Regulatory Commission (the Commission) has found that:

A.

The application for amendment by the Arizona Public Service Company (APS or the licensee) on behalf of itself and the Salt River Project Agricultural Improvement and Power District, El Paso Electric Company, Southern California Edison Company, Public Service Company of New Mexico, Los Angeles Department of Water and Power, and Southern California Public Power Authority dated June 14, 2017, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act) and the Commission's regulations set forth in 10 CFR Chapter I; B.

The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C.

There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D.

The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E.

The issuance of this amendment is in accordance with 1 O CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

2.

Accordingly, the license is amended by changes as indicated in the attachment to this license amendment, and paragraph 2.E. of Renewed Facility Operating License No. NPF-41 is hereby amended to read as follows:

E.

The licensees shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 1 O CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains Safeguards Information protected under 10 CFR 73.21, is entitled: "Palo Verde Nuclear Station Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program Revision 3," submitted by letter dated May 16, 2006.

APS shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 1 O CFR 50.90 and 10 CFR 50.54(p). The APS CSP was approved by License Amendment No. 185 as supplemented by a change approved by License Amendment No. 190 and a change approved by License Amendment No. 204.

3.

This license amendment is effective as of the date of issuance and shall be implemented by September 30, 2017. The full implementation of CSP shall be in accordance with the implementation schedule submitted by the licensee on August 10, 2012, and approved by the NRC staff with this license amendment. All subsequent changes to the NRC-approved CSP implementation schedule will require NRC approval pursuant to 10 CFR 50.90.

Attachment:

Changes to the Renewed Facility Operating License No. NPF-41 FOR THE NUCLEAR REGULATORY COMMISSION Robert J. Pascarelli, Chief Plant Licensing Branch IV Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Date of Issuance:

September 27, 2017

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 ARIZONA PUBLIC SERVICE COMPANY, ET AL.

DOCKET NO. STN 50-529 PALO VERDE NUCLEAR GENERATING STATION, UNIT 2 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 204 License No. NPF-51

1.

The Nuclear Regulatory Commission (the Commission) has found that:

A.

The application for amendment by the Arizona Public Service Company (APS or the licensee) on behalf of itself and the Salt River Project Agricultural Improvement and Power District, El Paso Electric Company, Southern California Edison Company, Public Service Company of New Mexico, Los Angeles Department of Water and Power, and Southern California Public Power Authority dated June 14, 2017, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act) and the Commission's regulations set forth in 1 O CFR Chapter I; B.

The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C.

There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D.

The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E.

The issuance of this amendment is in accordance with 1 O CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

2.

Accordingly, the license is amended by changes as indicated in the attachment to this license amendment, and paragraph 2.E. of Renewed Facility Operating License No. NPF-51 is hereby amended to read as follows:

E.

The licensees shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains Safeguards Information protected under 1 O CFR 73.21, is entitled: "Palo Verde Nuclear Station Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program Revision 3," submitted by letter dated May 16, 2006.

APS shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 1 O CFR 50.90 and 10 CFR 50.54(p). The APS CSP was approved by License Amendment No. 185 as supplemented by a change approved by License Amendment No. 190 and a change approved by License Amendment No. 204.

3.

This license amendment is effective as of the date of issuance and shall be implemented by September 30, 2017. The full implementation of CSP shall be in accordance with the implementation schedule submitted by the licensee on August 10, 2012, and approved by the NRC staff with this license amendment. All subsequent changes to the NRC-approved CSP implementation schedule will require NRC approval pursuant to 10 CFR 50.90.

Attachment:

Changes to the Renewed Facility Operating License No. NPF-51 FOR THE NUCLEAR REGULATORY COMMISSION Robert J. Pascarelli, Chief Plant Licensing Branch IV Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Date of Issuance: September 2 7, 2O1 7

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 ARIZONA PUBLIC SERVICE COMPANY, ET AL.

DOCKET NO. STN 50-530 PALO VERDE NUCLEAR GENERATING STATION, UNIT 3 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 204 License No. NPF-74

1.

The Nuclear Regulatory Commission (the Commission) has found that:

A.

The application for amendment by the Arizona Public Service Company (APS or the licensee) on behalf of itself and the Salt River Project Agricultural Improvement and Power District, El Paso Electric Company, Southern California Edison Company, Public Service Company of New Mexico, Los Angeles Department of Water and Power, and Southern California Public Power Authority dated June 14, 2017, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act) and the Commission's regulations set forth in 1 O CFR Chapter I; B.

The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C.

There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D.

The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E.

The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

2.

Accordingly, the license is amended by changes as indicated in the attachment to this license amendment, and paragraph 2.E. of Renewed Facility Operating License No. NPF-74 is hereby amended to read as follows:

E.

The licensees shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains Safeguards Information protected under 10 CFR 73.21, is entitled: "Palo Verde Nuclear Station Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program Revision 3," submitted by letter dated May 16, 2006.

APS shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 1 O CFR 50.90 and 10 CFR 50.54(p). The APS CSP was approved by License Amendment No. 185 as supplemented by a change approved by License Amendment No. 190 and a change approved by License Amendment No. 204.

3.

This license amendment is effective as of the date of issuance and shall be implemented by September 30, 2017. The full implementation of CSP shall be in accordance with the implementation schedule submitted by the licensee on August 10, 2012, and approved by the NRC staff with this license amendment. All subsequent changes to the NRC-approved CSP implementation schedule will require NRC approval pursuant to 10 CFR 50.90.

Attachment:

Changes to the Renewed Facility Operating License No. NPF-74 FOR THE NUCLEAR REGULATORY COMMISSION Robert J. Pascarelli, Chief Plant Licensing Branch IV Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Date of Issuance:

September 2 7, 201 7

ATTACHMENT TO LICENSE AMENDMENT NOS. 204, 204, AND 204 TO RENEWED FACILITY OPERATING LICENSE NOS. NPF-41, NPF-51, AND NPF-74 PALO VERDE NUCLEAR GENERATING STATION, UNITS 1, 2, AND 3 DOCKET NOS. STN 50-528, STN 50-529. AND STN 50-530 Replace the following pages of the Renewed Facility Operating License Nos. NPF-41, NPF-51, and NPF-74 with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.

Renewed Facility Operating License No. NPF-41 REMOVE INSERT 8

8 Renewed Facility Operating License No. NPF-51 REMOVE INSERT 9

9 Renewed Facility Operating License No. NPF-74 REMOVE INSERT 6

6 and will not endanger life or property or the common defense and security and is otherwise in the public interest. This exemption is, therefore, hereby granted pursuant to 10 CFR 50.12. With the granting of this exemption, the facility will operate, to the extent authorized herein, in conformity with the application, as amended, the provisions of the Act, and the rules and regulations of the Commission.

E.

The licensees shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR50.54(p). The combined set of plans, which contains Safeguards Information protected under 1 O CFR 73.21, is entitled: "Palo Verde Nuclear Station Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program Revision 3," submitted by letter dated May 16, 2006.

APS shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The APS CSP was approved by License Amendment No. 185 as supplemented by a change approved by License Amendment No. 190 and a change approved by License Amendment No. 204.

F.

Deleted G.

The licensees shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims; and H.

This renewed operating license is effective as of the date of issuance and shall expire at midnight on June 1, 2045.

FOR THE NUCLEAR REGULATORY COMMISSION IRA/

Eric J. Leeds, Director Office of Nuclear Reactor Regulation Attachments:

1. Attachment 1 - [Requirements for Initial Mode 1 Entry] - Deleted

2. Attachment 2 - [Operating Staff Experience Requirements] - Deleted

3. Attachment 3 - [Emergency Response Capabilities] - Deleted

4. Appendix A - Technical Specifications

5. Appendix B - Environmental Protection Plan

6. Appendix C - Antitrust Conditions

7. Appendix D - Additional Conditions Date of Issuance: April 21, 2011 Renewed Facility Operating License No. NPF-41 Amendment No. -tW, 204 E.

The licensees shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 1 O CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains Safeguards Information protected under 1 O CFR 73.21, is entitled: "Palo Verde Nuclear Station Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program Revision 3,"

submitted by letter dated May 16, 2006.

APS shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 1 O CFR 50.54(p). The APS CSP was approved by License Amendment No. 185 as supplemented by a change approved by License Amendment No. 190 and a change approved by License Amendment No. 204.

F.

Deleted G.

The licensees shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims; and H.

This renewed operating license is effective as of the date of issuance and shall expire at midnight on April 24, 2046.

FOR THE NUCLEAR REGULATORY COMMISSION IRA/

Eric J. Leeds, Director Office of Nuclear Reactor Regulation Attachments:

1. [Requirements for Initial Mode 1 Entry] - Deleted

2. [Schedule for NUREG-0737, Sup. 1, Requirement (SPDS)] - Deleted

3. Appendix A - Technical Specifications

4. Appendix B - Environmental Protection Plan

5. Appendix C - Antitrust Conditions

6. Appendix D - Additional Conditions Date of Issuance: April 21, 2011 Renewed Facility Operating License No. NPF-51 Amendment No. +9-0, 204 (b)

The UFSAR supplement, as revised, submitted pursuant to 1 O CFR 54.21 (d), describes certain future activities to be completed prior to and/or during the period of extended operation.

The licensee shall complete these activities in accordance with Appendix A of NUREG-1961, "Safety Evaluation Report Related to the License Renewal of Palo Verde Nuclear Generating Station, Units 1, 2, and 3, issued April 2011. The licensee shall notify the NRC in writing when activities to be completed prior to the period of extended operation are complete and can be verified by NRC inspection.

(c)

All capsules in the reactor vessel that are removed and tested must meet the test procedures and reporting requirements of American Society for Testing and Materials (ASTM) E 185-82 to the extent practicable for the configuration of the specimens in the capsule. The NRC must approve any changes to the capsule withdrawal schedule, including spare capsules, prior to implementation. All capsules placed in storage must be maintained for future insertion. The NRC must approve any changes to storage requirements.

D.

APS has previously been granted an exemption from Paragraph lll.D.2(b)(ii) of Appendix J to 1 O CFR Part 50. This exemption was previously granted in Facility Operating License N PF-65 pursuant to 10 CFR 50.12.

With the granting of this exemption, the facility will operate, to the extent authorized herein, in conformity with the application, as amended, the provisions of the Act, and the rules and regulations of the Commission.

E.

The licensees shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains Safeguards Information protected under 1 O CFR 73.21, is entitled: "Palo Verde Nuclear Station Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program Revision 3,"

submitted by letter dated May 16, 2006.

APS shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 1 O CFR 50.90 and 10 CFR 50.54(p). The APS CSP was approved by License Amendment No. 185 as supplemented by a change approved by License Amendment No. 190 and a change approved by License Amendment No. 204.

Renewed Facility Operating License No. NPF-74 Amendment No..+w, 204

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NOS. 204, 204, AND 204 TO RENEWED FACILITY OPERATING LICENSE NOS. NPF-41 I NPF-51 I AND NPF-74 ARIZONA PUBLIC SERVICE COMPANY, ET AL.

PALO VERDE NUCLEAR GENERATING STATION, UNITS 1, 2, AND 3 DOCKET NOS. STN 50-528, STN 50-529, AND STN 50-530

1.0 INTRODUCTION

By letter dated June 14, 2017 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML17165A555), Arizona Public Service Company (APS, the licensee) requested a change to the renewed facility operating licenses for the Palo Verde Nuclear Generating Station (PVNGS), Units 1, 2, and 3.

The U.S. Nuclear Regulatory Commission (NRG, the Commission) staff initially reviewed and approved the licensee's original Cyber Security Plan (CSP) implementation schedule by Amendment No. 185 dated July 26, 2011 (ADAMS Accession No. ML111710110), to Renewed Facility Operating Licenses NPF-41, NPF-51, and NPF-74 for PVNGS, Units 1, 2, and 3, concurrent with the incorporation of the CSP into the facility's current licensing basis.

Subsequently, the NRG staff reviewed and approved the licensee's current CSP implementation schedule by Amendment No. 190 dated December 13, 2013 (ADAMS Accession No. ML12312A190). This schedule required PVNGS to fully implement and maintain all provisions of the CSP no later than September 30, 2017.

The proposed change would revise the date of CSP Implementation Schedule Milestone 8 and paragraph 2.E in the renewed facility operating licenses from September 30, 2017, to December 31, 2017. Milestone 8 of the CSP implementation schedule concerns the full implementation of the CSP. The NRG issued a proposed finding that the amendments involve no significant hazards consideration, published in the Federal Register on July 18, 2017 (82 FR 32878).

2.0 REGULATORY EVALUATION

The NRC staff reviewed and approved the licensee's current CSP implementation schedule by Amendment No. 190 to the renewed facility operating licenses for PVNGS, Units 1, 2, and 3.

The NRC staff considered the following regulatory requirements and guidance in its review of the license amendment request (LAR) to modify the existing CSP implementation schedule:

Title 1 O of the Code of Federal Regulations (1 O CFR}, Section 73.54, "Protection of digital computer and communication systems and networks," which states, in part:

Each [CSP] submittal must include a proposed implementation schedule.

Implementation of the licensee's cyber security program must be consistent with the approved schedule.

The licensee's renewed facility operating licenses include a license condition that requires the licensee to fully implement and maintain in effect all provisions of the Commission-approved CSP.

Review criteria provided by the NRC staff's internal memorandum, "Review Criteria for Title 10 of the Code of Federal Regulations Part 73.54, Cyber Security Implementation Schedule Milestone 8 License Amendment Requests," dated October 24, 2013 (ADAMS Accession No. ML13295A467), to be considered for evaluating licensees' requests to postpone their cyber security program implementation date (commonly known as Milestone 8).

The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 1 O CFR 73.54, that states, in part, that "[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRC staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML110980538), the implementation of the plan, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. All subsequent changes to the NRG-approved CSP implementation schedule, thus, will require prior NRC approval as required by 10 CFR 50.90, "Application for amendment of license, construction permit, or early site permit."

3.0 TECHNICAL EVALUATION

3.1 Licensee's Requested Change The NRC staff issued Amendment No. 185 to Renewed Facility Operating License Nos.

NPF-41, NPF-51 and NPF-74 for PVNGS Units 1, 2, and 3 by letter dated July 26, 2011. These amendments approved the CSP and associated implementation schedule, and added a license condition requiring the licensee to fully implement and maintain the Commission-approved CSP.

The implementation schedule was based on a template prepared by the Nuclear Energy Institute (NEI), which was transmitted to the NRC by letter dated February 28, 2011 (ADAMS Accession No. ML110600206). By letter dated March 1, 2011, the NRC staff found the NEI template acceptable for licensees to use to develop their CSP implementation schedules (ADAMS Accession No. ML110070348). The licensee's proposed implementation schedule for the CSP identified completion dates and bases for the following eight milestones:

1)

Establish the Cyber Security Assessment Team;

2)

Identify Critical Systems and Critical Digital Assets (CDAs);

3)

Install deterministic one-way devices between lower level devices and higher level devices;

4)

Implement the security control "Access Control For Portable And Mobile Devices";

5)

Implement observation and identification of obvious cyber-related tampering to existing insider mitigation rounds by incorporating the appropriate elements;

6)

Identify, document, and implement technical cyber security controls in accordance with "Mitigation of Vulnerabilities and Application of Cyber Security Controls," for CDAs that could adversely impact the design function of physical security target set equipment;

7)

Ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented; and

8)

Fully implement the CSP.

Currently, Milestone 8 of the PVNGS CSP requires the licensee to fully implement the CSP by September 30, 2017. By letter dated June 14, 2017, the licensee proposed to modify the Milestone 8 completion date to December 31, 2017.

The licensee provided the following information pertinent to each of the criteria identified in the NRC guidance memorandum dated October 24, 2013.

1) Identification of the specific requirement or requirements of the cyber security plan that the licensee needs additional time to implement.

The licensee stated that additional time is required to complete the cyber security assessment and application of cyber security controls described in the PVNGS CSP, Appendix A, Sections 3 and 4. Specifically, the licensee is working on the application of security controls for the Meteorological Data Transmission System (MOTS), and the assessment and application of security controls for the recently modified security system. Additionally, APS is completing programmatic change management associated with 30 procedure changes pursuant to NEI 08-09, Revision 6, Appendix E.

During this additional period the requirements of Milestones 1-7 will be maintained.

2) Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.

The licensee stated that while the 2016 cyber security assessment identified the need for an MOTS full system modification, a fast-track modification plan was created and work is in progress, it has been determined that additional time is required to complete the modification. In January 2017, APS completed the installation of the Security System Upgrade Project. Although, the physical installation is complete the creation of final configuration documents is not complete. The lack of final configuration documentation on the new security system has delayed the completion of its cyber security assessment. The security assessment team has been supplemented with additional resources, however, the licensee reports that additional time is still needed to complete the assessment. Other items reported by the licensee as contributing to the need for additional time to fully implement Milestone 8 include: resource intensive CDA mitigation activities, the incorporation of changes associated with the NRC endorsed Addendum 1 to NEI 08-09, Revision 6, change management challenges and training on the new programs.

3) A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available.

The licensee stated that the proposed completion date for Milestone 8 is December31, 2017.

4) An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall cyber security program in the context of milestones already completed.

The licensee stated that the impact of the additional time on the effectiveness of the overall cyber security program will be very low because of the cyber security protections provided by the actions completed pursuant to Milestones 1 through 7. The licensee also stated the completed activities provide a high degree of protection against cyber security attacks while APS implements the full program.

5) A description of the licensee's methodology for prioritizing completion of work for critical digital assets associated with significant safety, security and emergency preparedness (SSEP) consequences and with reactivity effects in the balance of plant.

The licensee said the APS methodology for prioritizing the implementation of Milestone 8 activities is centered on considerations for SSEP and Balance of Plant continuity of plant consequences. The remainder of the work identified by the licensee to be completed by the revised date of December 31, 2017, includes: completion of the nonsafety-related and emergency preparedness CDA assessments, completion of all the security control design remediation actions, completion of station procedure revisions, completion of the integration of on-going and time-based actions into the plant preventive maintenance/surveillance (or equivalent) programs, and completion of the security change management plan and required training.

6) A discussion of the PVNGS cyber security program performance up to the date of the LAR.

The licensee stated that the NRC completed an inspection related to compliance with interim Milestones 1 thorough 7. The three findings identified met the criteria for enforcement discretion because of the licensee's "good-faith" attempt to interpret and implement Milestone 1 through 7 and because of its prompt actions to enter the issues into the corrective action program (CAP). The NRC completed a cyber security Milestone 8 pilot assessment and the PVNGS nuclear assurance department (NAO) has performed audits for both the interim Milestones 1 through 7 and Milestone 8. The NAO will conduct another Milestone 8 audit prior to the completion date of December 31, 2017. The licensee stated that on-going monitoring and time-based periodic actions provide continuing program performance monitoring.

7) A discussion of cyber security issues pending in the licensee's corrective action program.

The licensee stated that there are presently no significant nuclear cyber security issues pending in the PVNGS CAP. However, there are several non-significant issues identified through self-identification, security frequently asked question notification, industry lessons learned, and NAO audits that have been entered into the CAP.

8) A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.

The licensee stated that modifications completed include modifications associated with Milestone 3 of the CSP and associated defense-in-depth procedures. The licensee lists 3 modifications completed for Milestone 8 including: the PVNGS automated security information and event management system for monitoring activity on the plant process computer network, cyber hardening of the plant computer system and the generator excitation system. Pending modifications to be completed by the revised date of December 31, 2017, include the MOTS cyber security control system upgrade and the cyber hardening of the modified plant security system.

The licensee discussed completed modifications and pending modifications. These are consistent with the CSP.

3.2 NRG Staff Evaluation of Requested Change The NRC staff has evaluated the licensee's application using the regulatory requirements and guidance above. The NRC staff's evaluation is below. The staff finds that the actions necessary for full compliance with the PVNGS CSP are reasonable as discussed below.

The licensee completed the cyber security protections of Milestones 1 through 7, which continue to provide a high degree of protection against cyber security attacks while APS implements the full program. The licensee has completed important aspects of Milestone 8 and its efforts to complete Milestone 8 are priotized and ongoing. PVNGS identified the specific areas where additional time and resources are required to complete CDA assessments. PVNGS is implementing design modifications based on assessment results, updating existing procedures, developing new program procedures, and providing training to complete the full implementation of the cyber security program. In addition, the licensee is completing a full system modification of the MOTS to conform with Appendix D of NEI 08-09, Revision 6. The licensee commits to implementing the revised Appendix Din its cyber security plan. The work authorization process for this modification has been prioritized.

The unanticipated challenges with completing the Milestone 8 activities and the delays encountered with the installation of the security system upgrade project prevented the licensee from creating configuration documentation as scheduled. These difficulties in turn delayed the cyber security assessment of the new security system. PVNGS's cyber security assessment and implementation of the remaining cyber security controls require additional time. In addition, implementation challenges, CDA mitigation activities, and the associated training have also contributed to the need for additional time to fully implement Milestone 8.

The NRC staff concludes that the Milestone 8 activities already undertaken and completed by the licensee result in an increase to site security because the activities the licensee completed mitigate the most significant cyber-attack vectors for the most significant CDAs. The staff also finds that the licensee prioritized the completion of important Milestone 8 activities and commits to full implementation. Therefore, the NRC has reasonable assurance that full implementation of the CSP by December 31, 2017, will provide adequate protection of the public health and safety and the common defense and security.

3.3 Technical Evaluation Conclusion

The NRC staff concludes that the licensee's request to delay full implementation of its CSP until December 31, 2017, is reasonable for the following reasons: (i) the licensee's implementation of Milestones 1 through 7 provides a high degree of protection against cyber security attacks while APS implements the full program, as discussed in the staff evaluation above; (ii) the licensee has made substantial progress toward full implementation of Milestone 8 requirements; iii) the licensee also identified outstanding actions are needed to complete implementation; and iv) the additional time required to come into full compliance with the CSP implementation schedule does not raise safety concerns. Further, APS has a plan of action in place for completing the pending activities by December 31, 2017.

3.4 Revision to License Condition Paragraph 2.E By letter dated June 14, 2017, the licensee proposed to modify paragraph 2.E of Renewed Facility Operating License Nos. NPF-41, NPF-51, and NPF-74 for PVNGS, Units 1, 2, and 3, respectively, which provides a license condition to require the licensee to fully implement and maintain in effect all provisions of the NRG-approved CSP.

The current license condition in paragraph 2.E of Renewed Facility Operating License Nos. NPF-41, NPF-51, and NPF-74 for PVNGS, Units 1, 2, and 3, respectively, states, in part:

APS shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The APS CSP was approved by License Amendment No. 185 as supplemented by a change approved by License Amendment No. 190.

The revised portion of the license condition in paragraph 2.E of Renewed Facility Operating License Nos. NPF-41, NPF-51, and NPF-74 for PVNGS, Units 1, 2, and 3, respectively, would state, in part:

APS shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 1 O CFR 50.90 and 10 CFR 50.54(p). The APS CSP was approved by License Amendment No. 185 as supplemented by a change approved by License Amendment No. 190 and a change approved by License Amendment No. 204.

3.5 Regulatory Commitments By letter dated June 14, 2017, the licensee made the following regulatory commitment:

Fully implement the [PVNGS] CSP for all SSEP functions.

Scheduled Completion Date: December 31, 2017.

The above stated commitment is consistent with the revised Milestone 8 implementation date proposed by the licensee and evaluated by the NRC staff.

4.0 STATE CONSULTATION

In accordance with the Commission's regulations, the Arizona State official was notified of the proposed issuance of the amendments on September 8, 2017. The State official had no comments.

5.0 ENVIRONMENTAL CONSIDERATION

These amendments to 10 CFR Part 50 licenses relate solely to safeguards matters and do not involve any significant construction impacts. These amendments are of administrative nature to extend the date by which the licensee must have its CSP fully implemented. Accordingly, the amendments meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(12). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendments.

6.0 CONCLUSION

The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributor: Shyrl Coker, NSIR/DPCP/CSB Date: September 27, 2017

ML17254A499 OFFICE N RR/DORL/LPL4/PM NAME Sling am DATE 9/12/17 OFFICE OGC/NLO NAME PJehle DATE 9/26/17 RidsNrrPMPaloVerde Resource RidsRgn4MailCenter Resource SCoker, NSIR/DPCP/CSB JBeardsley, NSIR/DPCP/CSB

• SE memorandum dated NRR/DORL/LPL4/LA NSIR/DPCP/CSB/BC*

PBlechman JBeardsley 9/12/17 9/5/17 NRR/DORL/LPL4/BC NRR/DORL/LPL4/PM RPascarelli Sling am 9/27/17 9/27/17