ML16014A169: Difference between revisions
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
StriderTol (talk | contribs) (StriderTol Bot change) |
||
| Line 2: | Line 2: | ||
| number = ML16014A169 | | number = ML16014A169 | ||
| issue date = 03/14/2016 | | issue date = 03/14/2016 | ||
| title = | | title = Issuance of Amendment No. 265 to Renewed Facility Operating License Cyber Security Plan Implementation Schedule | ||
| author name = Parrott J | | author name = Parrott J | ||
| author affiliation = NRC/NMSS/DDUWP/RDB | | author affiliation = NRC/NMSS/DDUWP/RDB | ||
| addressee name = | | addressee name = | ||
| Line 9: | Line 9: | ||
| docket = 05000271 | | docket = 05000271 | ||
| license number = DPR-028 | | license number = DPR-028 | ||
| contact person = Parrot J | | contact person = Parrot J 301-415-6634 | ||
| case reference number = CAC MF6403 | | case reference number = CAC MF6403 | ||
| document type = Letter, License-Operating (New/Renewal/Amendments) DKT 50, Safety Evaluation, Technical Paper, Technical Specifications | | document type = Letter, License-Operating (New/Renewal/Amendments) DKT 50, Safety Evaluation, Technical Paper, Technical Specifications | ||
| page count = 14 | | page count = 14 | ||
| project = CAC:MF6403 | |||
| stage = Approval | |||
}} | }} | ||
=Text= | |||
{{#Wiki_filter:March 14, 2016 Vice President, Operations Entergy Nuclear Operations, Inc. | |||
Vermont Yankee Nuclear Power Station P.O. Box 250 Governor Hunt Road Vernon, VT 05354 | |||
==SUBJECT:== | |||
VERMONT YANKEE NUCLEAR POWER STATION - ISSUANCE OF AMENDMENT TO RENEWED FACILTIY OPERATING LICENSE RE: CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE (CAC NO. MF6403) | |||
==Dear Sir or Madam:== | |||
The U.S. Nuclear Regulatory Commission has issued the enclosed Amendment No. 265 to Renewed Facility Operating License DPR-28 for the Vermont Yankee Nuclear Power Station (VY). The amendment consists of changes to the renewed facility operating license in response to your application dated June 24, 2015. | |||
The amendment approves a change to the VY Cyber Security Plan Milestone 8 Implementation Schedule full implementation date from June 30, 2016, to December 15, 2017, and revises the existing operating license Security Plan license condition. | |||
A copy of the related Safety Evaluation is also enclosed. The Notice of Issuance will be included in the Commissions next biweekly Federal Register notice. | |||
Sincerely, | |||
/RA/ | |||
Jack D. Parrott, Senior Project Manager Reactor Decommissioning Branch Division of Decommissioning, Uranium Recovery and Waste Programs Office of Nuclear Material Safety and Safeguards Docket No. 50-271 | |||
==Enclosures:== | |||
: 1. Amendment No. 265 to DPR-28 | |||
: 2. Safety Evaluation cc w/encls: Distribution via Listserv | |||
ML16014A169 | |||
*concurrence via email dated OFFICE NRR/DORL/LPL4-2/PM NRR/DORL/LPL4-2/LA NSIR/CSD/DD OGC - NLO w/ comments NAME JKim PBlechman JAndersen* | |||
JBielecki* | |||
DATE 1/19/2016 1/19/2016 1/7/2016 3/2/2016 OFFICE NMSS/DUWP/RDB/BC NMSS/DUWP NMSS/DUWP/RDB/PM NAME BWatson JTappert JParrott DATE 3/9/2016 3/14/2016 3/14/2016 ENTERGY NUCLEAR VERMONT YANKEE, LLC AND ENTERGY NUCLEAR OPERATIONS, INC. | |||
DOCKET NO. 50-271 VERMONT YANKEE NUCLEAR POWER STATION AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 265 License No. DPR-28 | |||
: 1. | |||
The U.S. Nuclear Regulatory Commission (the Commission) has found that: | |||
A. | |||
The application for amendment filed by Entergy Nuclear Vermont Yankee, LLC and Entergy Nuclear Operations, Inc. (the licensee) dated June 24, 2015, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commissions rules and regulations set forth in 10 CFR Chapter I; B. | |||
The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. | |||
There is reasonable assurance: (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commissions regulations; D. | |||
The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. | |||
The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commissions regulations and all applicable requirements have been satisfied. | |||
: 2. | |||
Accordingly, the license is amended by changes to the renewed facility operating license as indicated in the attachment to this license amendment, and Paragraph 3.B. of Renewed Facility Operating License No. DPR-28 is hereby amended to read as follows: | |||
(B) | |||
Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 265, are hereby incorporated in the license. Entergy Nuclear Operations, Inc. shall operate the facility in accordance with the Technical Specifications. | |||
Further, the second paragraph in Paragraph 3.G. is hereby amended to read as follows: | |||
Entergy Nuclear Operations, Inc. shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). Entergy Nuclear Operations, Inc. CSP was approved by License Amendment No. 247, as supplemented by changes approved by License Amendment Nos. 251, 259, and 265. | |||
: 3. | |||
This license amendment is effective as of the date of issuance and shall be implemented by June 30, 2016. All subsequent changes to the NRC-approved CSP implementation schedule will require NRC approval pursuant to 10 CFR 50.90. | |||
FOR THE NUCLEAR REGULATORY COMMISSION | |||
/RA/ | |||
John R. Tappert, Director Division of Decommissioning, Uranium Recovery and Waste Programs Office of Nuclear Material Safety and Safeguards | |||
==Attachment:== | |||
Changes to the Renewed Facility Operating License No. DPR-28 Date of Issuance: March 14, 2016 | |||
ATTACHMENT TO LICENSE AMENDMENT NO. 265 RENEWED FACILITY OPERATING LICENSE NO. DPR-28 DOCKET NO. 50-271 Replace the following pages of the Renewed Facility Operating License with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the areas of change. | |||
Facility Operating License REMOVE INSERT | |||
Renewed Facility Operating License No. DPR-28 Amendment No. 259, 260, 262, 263, 265 D. Entergy Nuclear Operations, Inc., pursuant to the Act and 10 CFR Parts 30, 40 and 70, to receive, possess, and use in amounts as required any byproduct, source, or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration or associated with radioactive apparatus or components. | |||
E. | |||
Entergy Nuclear Operations, Inc., pursuant to the Act and 10 CFR Parts 30 and 70, to possess, but not to separate, such byproduct and special nuclear material as may be produced by operation of the facility. | |||
: 3. | |||
This renewed license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations: 10 CFR Part 20, Section 30.34 of 10 CFR Part 30, Section 40.41 of 10 CFR Part 40, Section 50.54 and 50.59 of 10 CFR Part 50, and Section 70.32 of 10 CFR Part 70; and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified below: | |||
A. | |||
This paragraph deleted by Amendment No. 263. | |||
B. | |||
Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 265, are hereby incorporated in the license. Entergy Nuclear Operations, Inc. shall operate the facility in accordance with the Technical Specifications. | |||
C. Reports Entergy Nuclear Operations, Inc. shall make reports in accordance with the requirements of the Technical Specifications. | |||
D. This paragraph deleted by Amendment No. 226. | |||
E. | |||
Environmental Conditions Pursuant to the Initial Decision of the presiding Atomic Safety and Licensing Board issued February 27, 1973, the following conditions for the protection of the environment are incorporated herein: | |||
: 1. | |||
This paragraph deleted by Amendment No. 206, October 22, 2001. | |||
: 2. | |||
This paragraph deleted by Amendment 131, 10/07/91. | |||
Renewed Facility Operating License No. DPR-28 Amendment No. 247, 251, 259, 263, 265 Corrected by {{letter dated|date=November 21, 2012|text=letter dated November 21, 2012}} G. Security Plan Entergy Nuclear Operations, Inc. shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822), and the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans1, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Vermont Yankee Nuclear Power Station Security Plan, Training and Qualification Plan, and Safeguards Contingency Plan, Revision 0," | |||
submitted by {{letter dated|date=October 18, 2004|text=letter dated October 18, 2004}}, as supplemented by {{letter dated|date=May 16, 2006|text=letter dated May 16, 2006}}. | |||
Entergy Nuclear Operations, Inc. shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). Entergy Nuclear Operations, Inc. CSP was approved by License Amendment No. 247, as supplemented by changes approved by License Amendment Nos. 251, 259, and 265. | |||
H. This paragraph deleted by Amendment No. 107, 8/25/88. | |||
I. | |||
This paragraph deleted by Amendment No. 131, 10/7/91. | |||
J. | |||
License Transfer Conditions On the closing date of the transfer of Vermont Yankee Nuclear Power Station (Vermont Yankee), Entergy Nuclear Vermont Yankee, LLC shall obtain from Vermont Yankee Nuclear Power Corporation all of the accumulated decommissioning trust funds for the facility, and ensure the deposit of such funds into a decommissioning trust for Vermont Yankee established by Entergy Nuclear Vermont Yankee, LLC. If the amount of such funds does not meet or exceed the minimum amount required for the facility pursuant to 10 CFR 50.75, Entergy Nuclear Vermont Yankee, LLC shall at such time deposit additional funds into the trust and/or obtain a parent company guarantee (to be updated annually) and/or obtain a surety pursuant to 10 CFR 50.75(e)(1)(iii) in a form acceptable to the NRC and in an amount or amounts which, when combined with the decommissioning trust funds for the facility that have been obtained and deposited as required above, equals or 1 The Training and Qualification Plan and Safeguards Contingency Plan are Appendices to the Security Plan. | |||
SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 265 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-28 ENTERGY NUCLEAR VERMONT YANKEE, LLC AND ENTERGY NUCLEAR OPERATIONS, INC. | |||
VERMONT YANKEE NUCLEAR POWER STATION DOCKET NO. 50-271 | |||
==1.0 INTRODUCTION== | |||
By application dated June 24, 2015 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML15177A016), Entergy Nuclear Operations Inc. (Entergy, the licensee) requested a change to the renewed facility operating license (FOL) for Vermont Yankee Nuclear Power Station (VY). | |||
The U.S. Nuclear Regulatory Commission (NRC or the Commission) staff initially reviewed and approved the licensees CSP implementation schedule by VY License Amendment No. 247 dated July 20, 2011 (ADAMS Accession No. ML11152A013). Subsequently, NRC staff reviewed and approved Amendment No. 259, dated November 12, 2014, which extended the CSP implementation schedule (ADAMS Accession No. ML14206A710). This schedule required VY to fully implement and maintain all provisions of the CSP no later than June 30, 2016. | |||
The proposed change would revise the completion date of Cyber Security Plan (CSP), by extending the date for full implementation of the CSP Milestone 8 at VY, from June 30, 2016, to December 15, 2017. The second paragraph of license condition 3.G of Renewed Facility Operating License No. DPR-28 would also be amended. | |||
Portions of the {{letter dated|date=June 24, 2015|text=letter dated June 24, 2015}}, contain sensitive unclassified non-safeguards information and, accordingly, those portions have been withheld from public disclosure in accordance with the provisions of paragraph 2.390(d)(1) of Title 10 of the Code of Federal Regulations (10 CFR). | |||
==2.0 REGULATORY EVALUATION== | |||
The NRC staff considered the following regulatory requirements and guidance in its review of the June 24, 2015, license amendment request to modify the existing CSP implementation schedule: | |||
The regulations in 10 CFR Section 73.54, Protection of digital computer and communication systems and networks, which states, in part: Each [CSP] | |||
submittal must include a proposed implementation schedule. Implementation of the licensees cyber security program must be consistent with the approved schedule. | |||
The licensees renewed FOL includes a license condition that requires the licensee to fully implement and maintain in effect all provisions of the Commission-approved CSP. | |||
In a publically available NRC memorandum dated October 24, 2013 (ADAMS Accession No. ML13295A467), the NRC staff listed criteria to consider during evaluations of licensees requests to postpone their cyber security program implementation date (commonly known as Milestone 8). | |||
The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, which states, in part, that [i]mplementation of the licensee's cyber security program must be consistent with the approved schedule. As the NRC staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML110980538), the implementation of the plan, including the key intermediate milestone dates and the full implementation date shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. All subsequent changes to the NRC-approved CSP implementation schedule, thus, will require prior NRC approval pursuant in 10 CFR 50.90, Application for amendment of license, construction permit, or early site permit. | |||
==3.0 TECHNICAL EVALUATION== | |||
3.1 Licensees Proposed Change The NRC issued Amendment No. 247 to Renewed FOL DPR-28 for VY by {{letter dated|date=July 20, 2011|text=letter dated July 20, 2011}}. This amendment approved the licensees CSP and associated implementation schedule, as discussed in the safety evaluation issued with the amendment. The licensees implementation schedule was based on a template prepared by the Nuclear Energy Institute (ADAMS Accession No. ML110600218), which the NRC staff found acceptable for licensees to use to develop their CSP implementation schedules. The licensees proposed implementation schedule for the CSP identified completion dates and bases for the following eight milestones: | |||
: 1) | |||
Establish the Cyber Security Assessment Team (CSAT); | |||
: 2) | |||
Identify Critical Systems (CSs) and Critical Digital Assets (CDAs); | |||
: 3) | |||
Install a deterministic one-way device between lower level devices and higher level devices; | |||
: 4) | |||
Implement the security control Access Control For Portable And Mobile Devices; | |||
: 5) | |||
Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds; | |||
: 6) | |||
Identify, document, and implement cyber security controls in accordance with Mitigation of Vulnerabilities and Application of Cyber Security Controls for CDAs that could adversely impact the design function of physical security target set equipment; | |||
: 7) | |||
Ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented; | |||
: 8) | |||
Fully implement the CSP. | |||
Currently, Milestone 8 of the VY CSP requires Entergy to fully implement the CSP by June 30, 2016. In its application dated June 24, 2015, the licensee proposed to change the Milestone 8 completion date to December 15, 2017. | |||
The licensee submitted its application on June 24, 2015 using the NRC staffs guidance to evaluate requests to postpone Milestone 8 implementation dates. The licensees application addressed all the criteria in the guidance. The intent of the staggered cyber security implementation schedule was for licensees to demonstrate ongoing implementation of their cyber security program prior to full implementation, which was scheduled for the date specified in Milestone 8. The licensee completed seven other milestones (Milestone 1 through Milestone 7) by December 31, 2012. Activities included establishing a CSAT, identifying CSs and CDAs, installing deterministic one-way devices between defensive levels, implementing access control for portable and mobile devices, implementing methods to observe and identify obvious cyber related tampering, and conducting ongoing monitoring and assessment activities for target set CDAs. In their aggregate, the interim milestones demonstrate ongoing implementation of the cyber security program. | |||
The licensee provided the following information pertinent to each of the criteria identified in the NRC guidance memorandum dated October 24, 2013. | |||
(1) | |||
Identification of the specific requirement or requirements of the cyber security plan that the licensee needs additional time to implement. | |||
The licensee stated that the requirements of the CSP that need additional time to implement are Section 3, Analyzing Digital Computer Systems and Networks, and Section 4, Establishing, Implementing and Maintaining the Cyber Security Program. The licensee further noted that these sections describe requirements for application of cyber security controls and describes the process of security control assessments. The licensee also noted any combination of physical, logical (software-related), or programmatic/procedural changes could be required. | |||
(2) | |||
Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified. | |||
The licensee stated that Entergy hosted a pilot Milestone 8 inspection at the Indian Point site in March 2014. During the pilot, insight was gained into NRC perspective on how to apply the cyber security controls listed in NEI 08-09, Revision 6, Cyber Security Plan for Nuclear Power Reactors, dated April 2010 (ADAMS Accession No. ML101180437). During the pilot inspection, the NRC team reviewed several examples of CDAs with Entergy and indicated the level of detail and depth expected for the technical analyses against cyber security controls referenced in NEI 08-09. Based on this review, Entergy stated that the detail and depth of the technical analysis exceeds Entergy's prior understanding and necessitates a greater effort to achieve than initially anticipated. | |||
The licensee stated that during 2015, each operating Entergy licensee had an inspection of compliance with interim Milestones 1 through 7. The preparation for and support of these inspections required a significant commitment of time from Entergy's most knowledgeable subject matter experts on nuclear cyber security, exceeding the estimate previously developed and therefore, drawing those resources away from Milestone 8 implementation activities. | |||
(3) | |||
A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available. | |||
The licensee proposed a Milestone 8 completion date of December 15, 2017. | |||
During the pilot inspection, the NRC team reviewed several examples of CDAs with the licensee and indicated the level of detail and depth expected for the technical analyses against cyber security controls referenced in NEI 08-09. The licensee stated that based on this review, the detail and depth of the technical analysis exceeds licensee's prior understanding and necessitates considerably greater time and effort to achieve than initially anticipated. | |||
(4) | |||
An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensees overall cyber security program in the context of milestones already completed. | |||
The licensee indicated the impact of the requested additional implementation time on the effectiveness of the overall cyber security program is very low. The milestones already completed have resulted in a high degree of protection of safety-related, important-to-safety, and security CDAs against common threat vectors. Additionally, extensive physical and administrative measures are already in place for CDAs because they are plant components, pursuant to the Physical Security Plan and Technical Specification requirements. The licensee also briefly described how it had implemented the various milestones. | |||
: 5) | |||
A description of the licensees methodology for prioritizing completion of work for critical digital assets associated with significant safety, security, or emergency preparedness consequences and with reactivity effects in the balance of plant. | |||
The licensee stated that, because CDAs are plant components, prioritization follows the normal work management process that places the highest priority on | |||
apparent conditions adverse to quality in system, structure, and component design function and related to factors such as safety risk and nuclear defense-in-depth. High focus continues to be maintained on prompt attention to any emergent issue with safety related, security and important to safety (including balance of plant) CDAs that would potentially challenge the established cyber protective barriers. Additionally it should be noted that these CDAs encompass those associated with physical security target sets. | |||
: 6) | |||
A discussion of the licensees cyber security program performance up to the date of the license amendment request. | |||
The licensee stated there has been no identified compromise of SSEP functions by cyber means. Additionally, a Quality Assurance (QA) audit was conducted in the fourth quarter of 2014 pursuant to the physical security program review required by 10 CFR 73.55(m). The QA audit included review of cyber security program implementation. There were no significant findings related to overall cyber security program performance and effectiveness. | |||
: 7) | |||
A discussion of cyber security issues pending in the licensees corrective action program (CAP). | |||
The licensee stated there are presently no significant (constituting a threat to a CDA via cyber means or calling into question program effectiveness) nuclear cyber security issues pending in the CAP. Several fleet generic non-significant issues identified during NRC inspections of compliance with nuclear cyber security Interim Milestones 1 through 7 at other Entergy licensees have been entered into CAP. | |||
: 8) | |||
A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications. | |||
The licensee stated that there are presently no significant (constituting a threat to a CDA via cyber means or calling into question program effectiveness) nuclear cyber security issues pending in the CAP. Several fleet generic non-significant issues identified during NRC inspections of compliance with nuclear cyber security Interim Milestones 1 through 7 at other Entergy licensees have been entered into CAP. | |||
3.2 | |||
===NRC Staff Evaluation=== | |||
The NRC staff has evaluated the licensee's application using the regulatory requirements and guidance above. The NRC's staff's evaluation is below. The NRC staff finds that the actions the licensee noted as being required to implement CSP, Section 3, Analyzing Digital Computer Systems and Networks" and Section 4, "Establishing, Implementing and Maintaining the Cyber Security Program" are reasonable as discussed below. | |||
The licensee indicated that the activities described in Milestones 1 through 7, were completed prior to December 31, 2012, and provide a high degree of protection of safety-related, | |||
important-to-safety, and security CDAs against common threat vectors. The NRC staff concludes that the licensee's site is more secure after the implementation of Milestones 1 through 7 because the activities the licensee has completed mitigate the most significant cyber attack vectors for the most significant CDAs. Therefore, the NRC has reasonable assurance that full implementation of the CSP by December 15, 2017 will provide adequate protection of the public health and safety and the common defense and security. | |||
The licensee stated that the detail and depth of the technical analysis exceeds Entergy's prior understanding and necessitates a greater effort to achieve than Entergy anticipated when the current implementation schedule was developed. The NRC staff recognizes that CDA assessment work including application of controls is more complex and resource intensive than Entergy anticipated. As a result, the licensee has a large number of additional tasks not considered when developing its current CSP implementation schedule. The NRC staff concludes that the licensee's request for additional time to implement Milestone 8 is reasonable given the complexity, volume, and scope of the remaining work required to fully implement its CSP. | |||
The licensee proposed a Milestone 8 completion date of December 15, 2017. The licensee prioritization of completion of work for CDAs follows the normal work management process that places the highest priority on apparent conditions adverse to quality in system, structure, and component design function and related to factors such as safety risk and nuclear defense in depth. High focus continues to be maintained on prompt attention to any emergent issue with safety related, security and important to safety (including balance of plant) CDAs that would potentially challenge the established cyber protective barriers. The NRC staff concludes that the licensee's methodology for prioritizing work on CDAs is appropriate. The staff further concludes that the licensee's request to delay final implementation of the CSP until December 15, 2017, is reasonable given the complexity of the remaining work and the licensees resource constraints. | |||
3.3 Revision to License Condition By {{letter dated|date=June 24, 2015|text=letter dated June 24, 2015}}, the licensee proposed to modify Paragraph 3.G. of Renewed FOL No. DPR-28 for VY, which provides a license condition requiring the licensees to fully implement and maintain in effect all provisions of the NRC-approved CSP. | |||
The second paragraph of the license condition in Paragraph 3.G. of Renewed FOL No. | |||
DPR-28 for VY is modified as follows: | |||
Entergy Nuclear Operations, Inc. shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). | |||
Entergy Nuclear Operations, Inc. CSP was approved by License Amendment No. 247, as supplemented by changes approved by License Amendment Nos. 251, 259, and 265. | |||
===3.4 Technical Evaluation Conclusion=== | |||
Based on its review of the licensees submissions, the NRC staff concludes that the licensee's request to delay full implementation of its CSP until December 15, 2017, is reasonable for the | |||
following reasons: (i) the licensee's implementation of Milestones 1 through 7 provides mitigation for significant cyber attack vectors for the most significant CDAs; (ii) the scope of the work required to come into full compliance with the CSP implementation schedule was more complicated than the licensee anticipated when the current CSP implementation schedule was developed; and (iii) the licensee has reasonably prioritized and scheduled the work required to come into full compliance with its CSP implementation schedule. Therefore, the NRC staff finds the proposed change acceptable. | |||
==4.0 STATE CONSULTATION== | |||
In accordance with the Commissions regulations, the Vermont State official was notified of the proposed issuance of the amendment. The State official had no comments. | |||
==5.0 ENVIRONMENTAL CONSIDERATION== | |||
This is an amendment to a 10 CFR Part 50 license that relates solely to safeguards matters and does not involve any significant construction impacts. This amendment is an administrative change to extend the date by which the licensee must have its cyber security plan fully implemented. Accordingly, the amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(12). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment. | |||
==6.0 CONCLUSION== | |||
The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commissions regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public. | |||
Principal Contributor: J. Rycyna, NSIR/CSD Date: March 14, 2016}} | |||
Latest revision as of 05:36, 10 January 2025
| ML16014A169 | |
| Person / Time | |
|---|---|
| Site: | Vermont Yankee File:NorthStar Vermont Yankee icon.png |
| Issue date: | 03/14/2016 |
| From: | Jack Parrott Reactor Decommissioning Branch |
| To: | Entergy Nuclear Operations |
| Parrot J 301-415-6634 | |
| References | |
| CAC MF6403 | |
| Download: ML16014A169 (14) | |
Text
March 14, 2016 Vice President, Operations Entergy Nuclear Operations, Inc.
Vermont Yankee Nuclear Power Station P.O. Box 250 Governor Hunt Road Vernon, VT 05354
SUBJECT:
VERMONT YANKEE NUCLEAR POWER STATION - ISSUANCE OF AMENDMENT TO RENEWED FACILTIY OPERATING LICENSE RE: CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE (CAC NO. MF6403)
Dear Sir or Madam:
The U.S. Nuclear Regulatory Commission has issued the enclosed Amendment No. 265 to Renewed Facility Operating License DPR-28 for the Vermont Yankee Nuclear Power Station (VY). The amendment consists of changes to the renewed facility operating license in response to your application dated June 24, 2015.
The amendment approves a change to the VY Cyber Security Plan Milestone 8 Implementation Schedule full implementation date from June 30, 2016, to December 15, 2017, and revises the existing operating license Security Plan license condition.
A copy of the related Safety Evaluation is also enclosed. The Notice of Issuance will be included in the Commissions next biweekly Federal Register notice.
Sincerely,
/RA/
Jack D. Parrott, Senior Project Manager Reactor Decommissioning Branch Division of Decommissioning, Uranium Recovery and Waste Programs Office of Nuclear Material Safety and Safeguards Docket No. 50-271
Enclosures:
- 1. Amendment No. 265 to DPR-28
- 2. Safety Evaluation cc w/encls: Distribution via Listserv
- concurrence via email dated OFFICE NRR/DORL/LPL4-2/PM NRR/DORL/LPL4-2/LA NSIR/CSD/DD OGC - NLO w/ comments NAME JKim PBlechman JAndersen*
JBielecki*
DATE 1/19/2016 1/19/2016 1/7/2016 3/2/2016 OFFICE NMSS/DUWP/RDB/BC NMSS/DUWP NMSS/DUWP/RDB/PM NAME BWatson JTappert JParrott DATE 3/9/2016 3/14/2016 3/14/2016 ENTERGY NUCLEAR VERMONT YANKEE, LLC AND ENTERGY NUCLEAR OPERATIONS, INC.
DOCKET NO. 50-271 VERMONT YANKEE NUCLEAR POWER STATION AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 265 License No. DPR-28
- 1.
The U.S. Nuclear Regulatory Commission (the Commission) has found that:
A.
The application for amendment filed by Entergy Nuclear Vermont Yankee, LLC and Entergy Nuclear Operations, Inc. (the licensee) dated June 24, 2015, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commissions rules and regulations set forth in 10 CFR Chapter I; B.
The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C.
There is reasonable assurance: (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commissions regulations; D.
The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E.
The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commissions regulations and all applicable requirements have been satisfied.
- 2.
Accordingly, the license is amended by changes to the renewed facility operating license as indicated in the attachment to this license amendment, and Paragraph 3.B. of Renewed Facility Operating License No. DPR-28 is hereby amended to read as follows:
(B)
Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 265, are hereby incorporated in the license. Entergy Nuclear Operations, Inc. shall operate the facility in accordance with the Technical Specifications.
Further, the second paragraph in Paragraph 3.G. is hereby amended to read as follows:
Entergy Nuclear Operations, Inc. shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). Entergy Nuclear Operations, Inc. CSP was approved by License Amendment No. 247, as supplemented by changes approved by License Amendment Nos. 251, 259, and 265.
- 3.
This license amendment is effective as of the date of issuance and shall be implemented by June 30, 2016. All subsequent changes to the NRC-approved CSP implementation schedule will require NRC approval pursuant to 10 CFR 50.90.
FOR THE NUCLEAR REGULATORY COMMISSION
/RA/
John R. Tappert, Director Division of Decommissioning, Uranium Recovery and Waste Programs Office of Nuclear Material Safety and Safeguards
Attachment:
Changes to the Renewed Facility Operating License No. DPR-28 Date of Issuance: March 14, 2016
ATTACHMENT TO LICENSE AMENDMENT NO. 265 RENEWED FACILITY OPERATING LICENSE NO. DPR-28 DOCKET NO. 50-271 Replace the following pages of the Renewed Facility Operating License with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.
Facility Operating License REMOVE INSERT
Renewed Facility Operating License No. DPR-28 Amendment No. 259, 260, 262, 263, 265 D. Entergy Nuclear Operations, Inc., pursuant to the Act and 10 CFR Parts 30, 40 and 70, to receive, possess, and use in amounts as required any byproduct, source, or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration or associated with radioactive apparatus or components.
E.
Entergy Nuclear Operations, Inc., pursuant to the Act and 10 CFR Parts 30 and 70, to possess, but not to separate, such byproduct and special nuclear material as may be produced by operation of the facility.
- 3.
This renewed license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations: 10 CFR Part 20, Section 30.34 of 10 CFR Part 30, Section 40.41 of 10 CFR Part 40, Section 50.54 and 50.59 of 10 CFR Part 50, and Section 70.32 of 10 CFR Part 70; and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified below:
A.
This paragraph deleted by Amendment No. 263.
B.
Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 265, are hereby incorporated in the license. Entergy Nuclear Operations, Inc. shall operate the facility in accordance with the Technical Specifications.
C. Reports Entergy Nuclear Operations, Inc. shall make reports in accordance with the requirements of the Technical Specifications.
D. This paragraph deleted by Amendment No. 226.
E.
Environmental Conditions Pursuant to the Initial Decision of the presiding Atomic Safety and Licensing Board issued February 27, 1973, the following conditions for the protection of the environment are incorporated herein:
- 1.
This paragraph deleted by Amendment No. 206, October 22, 2001.
- 2.
This paragraph deleted by Amendment 131, 10/07/91.
Renewed Facility Operating License No. DPR-28 Amendment No. 247, 251, 259, 263, 265 Corrected by letter dated November 21, 2012 G. Security Plan Entergy Nuclear Operations, Inc. shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822), and the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans1, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Vermont Yankee Nuclear Power Station Security Plan, Training and Qualification Plan, and Safeguards Contingency Plan, Revision 0,"
submitted by letter dated October 18, 2004, as supplemented by letter dated May 16, 2006.
Entergy Nuclear Operations, Inc. shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). Entergy Nuclear Operations, Inc. CSP was approved by License Amendment No. 247, as supplemented by changes approved by License Amendment Nos. 251, 259, and 265.
H. This paragraph deleted by Amendment No. 107, 8/25/88.
I.
This paragraph deleted by Amendment No. 131, 10/7/91.
J.
License Transfer Conditions On the closing date of the transfer of Vermont Yankee Nuclear Power Station (Vermont Yankee), Entergy Nuclear Vermont Yankee, LLC shall obtain from Vermont Yankee Nuclear Power Corporation all of the accumulated decommissioning trust funds for the facility, and ensure the deposit of such funds into a decommissioning trust for Vermont Yankee established by Entergy Nuclear Vermont Yankee, LLC. If the amount of such funds does not meet or exceed the minimum amount required for the facility pursuant to 10 CFR 50.75, Entergy Nuclear Vermont Yankee, LLC shall at such time deposit additional funds into the trust and/or obtain a parent company guarantee (to be updated annually) and/or obtain a surety pursuant to 10 CFR 50.75(e)(1)(iii) in a form acceptable to the NRC and in an amount or amounts which, when combined with the decommissioning trust funds for the facility that have been obtained and deposited as required above, equals or 1 The Training and Qualification Plan and Safeguards Contingency Plan are Appendices to the Security Plan.
SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 265 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-28 ENTERGY NUCLEAR VERMONT YANKEE, LLC AND ENTERGY NUCLEAR OPERATIONS, INC.
VERMONT YANKEE NUCLEAR POWER STATION DOCKET NO. 50-271
1.0 INTRODUCTION
By application dated June 24, 2015 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML15177A016), Entergy Nuclear Operations Inc. (Entergy, the licensee) requested a change to the renewed facility operating license (FOL) for Vermont Yankee Nuclear Power Station (VY).
The U.S. Nuclear Regulatory Commission (NRC or the Commission) staff initially reviewed and approved the licensees CSP implementation schedule by VY License Amendment No. 247 dated July 20, 2011 (ADAMS Accession No. ML11152A013). Subsequently, NRC staff reviewed and approved Amendment No. 259, dated November 12, 2014, which extended the CSP implementation schedule (ADAMS Accession No. ML14206A710). This schedule required VY to fully implement and maintain all provisions of the CSP no later than June 30, 2016.
The proposed change would revise the completion date of Cyber Security Plan (CSP), by extending the date for full implementation of the CSP Milestone 8 at VY, from June 30, 2016, to December 15, 2017. The second paragraph of license condition 3.G of Renewed Facility Operating License No. DPR-28 would also be amended.
Portions of the letter dated June 24, 2015, contain sensitive unclassified non-safeguards information and, accordingly, those portions have been withheld from public disclosure in accordance with the provisions of paragraph 2.390(d)(1) of Title 10 of the Code of Federal Regulations (10 CFR).
2.0 REGULATORY EVALUATION
The NRC staff considered the following regulatory requirements and guidance in its review of the June 24, 2015, license amendment request to modify the existing CSP implementation schedule:
The regulations in 10 CFR Section 73.54, Protection of digital computer and communication systems and networks, which states, in part: Each [CSP]
submittal must include a proposed implementation schedule. Implementation of the licensees cyber security program must be consistent with the approved schedule.
The licensees renewed FOL includes a license condition that requires the licensee to fully implement and maintain in effect all provisions of the Commission-approved CSP.
In a publically available NRC memorandum dated October 24, 2013 (ADAMS Accession No. ML13295A467), the NRC staff listed criteria to consider during evaluations of licensees requests to postpone their cyber security program implementation date (commonly known as Milestone 8).
The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, which states, in part, that [i]mplementation of the licensee's cyber security program must be consistent with the approved schedule. As the NRC staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML110980538), the implementation of the plan, including the key intermediate milestone dates and the full implementation date shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. All subsequent changes to the NRC-approved CSP implementation schedule, thus, will require prior NRC approval pursuant in 10 CFR 50.90, Application for amendment of license, construction permit, or early site permit.
3.0 TECHNICAL EVALUATION
3.1 Licensees Proposed Change The NRC issued Amendment No. 247 to Renewed FOL DPR-28 for VY by letter dated July 20, 2011. This amendment approved the licensees CSP and associated implementation schedule, as discussed in the safety evaluation issued with the amendment. The licensees implementation schedule was based on a template prepared by the Nuclear Energy Institute (ADAMS Accession No. ML110600218), which the NRC staff found acceptable for licensees to use to develop their CSP implementation schedules. The licensees proposed implementation schedule for the CSP identified completion dates and bases for the following eight milestones:
- 1)
Establish the Cyber Security Assessment Team (CSAT);
- 2)
Identify Critical Systems (CSs) and Critical Digital Assets (CDAs);
- 3)
Install a deterministic one-way device between lower level devices and higher level devices;
- 4)
Implement the security control Access Control For Portable And Mobile Devices;
- 5)
Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds;
- 6)
Identify, document, and implement cyber security controls in accordance with Mitigation of Vulnerabilities and Application of Cyber Security Controls for CDAs that could adversely impact the design function of physical security target set equipment;
- 7)
Ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented;
- 8)
Fully implement the CSP.
Currently, Milestone 8 of the VY CSP requires Entergy to fully implement the CSP by June 30, 2016. In its application dated June 24, 2015, the licensee proposed to change the Milestone 8 completion date to December 15, 2017.
The licensee submitted its application on June 24, 2015 using the NRC staffs guidance to evaluate requests to postpone Milestone 8 implementation dates. The licensees application addressed all the criteria in the guidance. The intent of the staggered cyber security implementation schedule was for licensees to demonstrate ongoing implementation of their cyber security program prior to full implementation, which was scheduled for the date specified in Milestone 8. The licensee completed seven other milestones (Milestone 1 through Milestone 7) by December 31, 2012. Activities included establishing a CSAT, identifying CSs and CDAs, installing deterministic one-way devices between defensive levels, implementing access control for portable and mobile devices, implementing methods to observe and identify obvious cyber related tampering, and conducting ongoing monitoring and assessment activities for target set CDAs. In their aggregate, the interim milestones demonstrate ongoing implementation of the cyber security program.
The licensee provided the following information pertinent to each of the criteria identified in the NRC guidance memorandum dated October 24, 2013.
(1)
Identification of the specific requirement or requirements of the cyber security plan that the licensee needs additional time to implement.
The licensee stated that the requirements of the CSP that need additional time to implement are Section 3, Analyzing Digital Computer Systems and Networks, and Section 4, Establishing, Implementing and Maintaining the Cyber Security Program. The licensee further noted that these sections describe requirements for application of cyber security controls and describes the process of security control assessments. The licensee also noted any combination of physical, logical (software-related), or programmatic/procedural changes could be required.
(2)
Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.
The licensee stated that Entergy hosted a pilot Milestone 8 inspection at the Indian Point site in March 2014. During the pilot, insight was gained into NRC perspective on how to apply the cyber security controls listed in NEI 08-09, Revision 6, Cyber Security Plan for Nuclear Power Reactors, dated April 2010 (ADAMS Accession No. ML101180437). During the pilot inspection, the NRC team reviewed several examples of CDAs with Entergy and indicated the level of detail and depth expected for the technical analyses against cyber security controls referenced in NEI 08-09. Based on this review, Entergy stated that the detail and depth of the technical analysis exceeds Entergy's prior understanding and necessitates a greater effort to achieve than initially anticipated.
The licensee stated that during 2015, each operating Entergy licensee had an inspection of compliance with interim Milestones 1 through 7. The preparation for and support of these inspections required a significant commitment of time from Entergy's most knowledgeable subject matter experts on nuclear cyber security, exceeding the estimate previously developed and therefore, drawing those resources away from Milestone 8 implementation activities.
(3)
A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available.
The licensee proposed a Milestone 8 completion date of December 15, 2017.
During the pilot inspection, the NRC team reviewed several examples of CDAs with the licensee and indicated the level of detail and depth expected for the technical analyses against cyber security controls referenced in NEI 08-09. The licensee stated that based on this review, the detail and depth of the technical analysis exceeds licensee's prior understanding and necessitates considerably greater time and effort to achieve than initially anticipated.
(4)
An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensees overall cyber security program in the context of milestones already completed.
The licensee indicated the impact of the requested additional implementation time on the effectiveness of the overall cyber security program is very low. The milestones already completed have resulted in a high degree of protection of safety-related, important-to-safety, and security CDAs against common threat vectors. Additionally, extensive physical and administrative measures are already in place for CDAs because they are plant components, pursuant to the Physical Security Plan and Technical Specification requirements. The licensee also briefly described how it had implemented the various milestones.
- 5)
A description of the licensees methodology for prioritizing completion of work for critical digital assets associated with significant safety, security, or emergency preparedness consequences and with reactivity effects in the balance of plant.
The licensee stated that, because CDAs are plant components, prioritization follows the normal work management process that places the highest priority on
apparent conditions adverse to quality in system, structure, and component design function and related to factors such as safety risk and nuclear defense-in-depth. High focus continues to be maintained on prompt attention to any emergent issue with safety related, security and important to safety (including balance of plant) CDAs that would potentially challenge the established cyber protective barriers. Additionally it should be noted that these CDAs encompass those associated with physical security target sets.
- 6)
A discussion of the licensees cyber security program performance up to the date of the license amendment request.
The licensee stated there has been no identified compromise of SSEP functions by cyber means. Additionally, a Quality Assurance (QA) audit was conducted in the fourth quarter of 2014 pursuant to the physical security program review required by 10 CFR 73.55(m). The QA audit included review of cyber security program implementation. There were no significant findings related to overall cyber security program performance and effectiveness.
- 7)
A discussion of cyber security issues pending in the licensees corrective action program (CAP).
The licensee stated there are presently no significant (constituting a threat to a CDA via cyber means or calling into question program effectiveness) nuclear cyber security issues pending in the CAP. Several fleet generic non-significant issues identified during NRC inspections of compliance with nuclear cyber security Interim Milestones 1 through 7 at other Entergy licensees have been entered into CAP.
- 8)
A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.
The licensee stated that there are presently no significant (constituting a threat to a CDA via cyber means or calling into question program effectiveness) nuclear cyber security issues pending in the CAP. Several fleet generic non-significant issues identified during NRC inspections of compliance with nuclear cyber security Interim Milestones 1 through 7 at other Entergy licensees have been entered into CAP.
3.2
NRC Staff Evaluation
The NRC staff has evaluated the licensee's application using the regulatory requirements and guidance above. The NRC's staff's evaluation is below. The NRC staff finds that the actions the licensee noted as being required to implement CSP, Section 3, Analyzing Digital Computer Systems and Networks" and Section 4, "Establishing, Implementing and Maintaining the Cyber Security Program" are reasonable as discussed below.
The licensee indicated that the activities described in Milestones 1 through 7, were completed prior to December 31, 2012, and provide a high degree of protection of safety-related,
important-to-safety, and security CDAs against common threat vectors. The NRC staff concludes that the licensee's site is more secure after the implementation of Milestones 1 through 7 because the activities the licensee has completed mitigate the most significant cyber attack vectors for the most significant CDAs. Therefore, the NRC has reasonable assurance that full implementation of the CSP by December 15, 2017 will provide adequate protection of the public health and safety and the common defense and security.
The licensee stated that the detail and depth of the technical analysis exceeds Entergy's prior understanding and necessitates a greater effort to achieve than Entergy anticipated when the current implementation schedule was developed. The NRC staff recognizes that CDA assessment work including application of controls is more complex and resource intensive than Entergy anticipated. As a result, the licensee has a large number of additional tasks not considered when developing its current CSP implementation schedule. The NRC staff concludes that the licensee's request for additional time to implement Milestone 8 is reasonable given the complexity, volume, and scope of the remaining work required to fully implement its CSP.
The licensee proposed a Milestone 8 completion date of December 15, 2017. The licensee prioritization of completion of work for CDAs follows the normal work management process that places the highest priority on apparent conditions adverse to quality in system, structure, and component design function and related to factors such as safety risk and nuclear defense in depth. High focus continues to be maintained on prompt attention to any emergent issue with safety related, security and important to safety (including balance of plant) CDAs that would potentially challenge the established cyber protective barriers. The NRC staff concludes that the licensee's methodology for prioritizing work on CDAs is appropriate. The staff further concludes that the licensee's request to delay final implementation of the CSP until December 15, 2017, is reasonable given the complexity of the remaining work and the licensees resource constraints.
3.3 Revision to License Condition By letter dated June 24, 2015, the licensee proposed to modify Paragraph 3.G. of Renewed FOL No. DPR-28 for VY, which provides a license condition requiring the licensees to fully implement and maintain in effect all provisions of the NRC-approved CSP.
The second paragraph of the license condition in Paragraph 3.G. of Renewed FOL No.
DPR-28 for VY is modified as follows:
Entergy Nuclear Operations, Inc. shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).
Entergy Nuclear Operations, Inc. CSP was approved by License Amendment No. 247, as supplemented by changes approved by License Amendment Nos. 251, 259, and 265.
3.4 Technical Evaluation Conclusion
Based on its review of the licensees submissions, the NRC staff concludes that the licensee's request to delay full implementation of its CSP until December 15, 2017, is reasonable for the
following reasons: (i) the licensee's implementation of Milestones 1 through 7 provides mitigation for significant cyber attack vectors for the most significant CDAs; (ii) the scope of the work required to come into full compliance with the CSP implementation schedule was more complicated than the licensee anticipated when the current CSP implementation schedule was developed; and (iii) the licensee has reasonably prioritized and scheduled the work required to come into full compliance with its CSP implementation schedule. Therefore, the NRC staff finds the proposed change acceptable.
4.0 STATE CONSULTATION
In accordance with the Commissions regulations, the Vermont State official was notified of the proposed issuance of the amendment. The State official had no comments.
5.0 ENVIRONMENTAL CONSIDERATION
This is an amendment to a 10 CFR Part 50 license that relates solely to safeguards matters and does not involve any significant construction impacts. This amendment is an administrative change to extend the date by which the licensee must have its cyber security plan fully implemented. Accordingly, the amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(12). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.
6.0 CONCLUSION
The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commissions regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.
Principal Contributor: J. Rycyna, NSIR/CSD Date: March 14, 2016