ML19024A053: Difference between revisions
Jump to navigation
Jump to search
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
||
| Line 16: | Line 16: | ||
=Text= | =Text= | ||
{{#Wiki_filter:}} | {{#Wiki_filter:Power Reactor Cyber Security Program Assessment Brad Bergemann Cyber Security Branch Division of Physical and Cyber Security Policy Office of Nuclear Security and Incident Response 1 | ||
Agenda | |||
* Objectives | |||
* Task Organization & Purpose | |||
* Schedule | |||
* Framework | |||
* Questions & Comments 2 | |||
Objectives | |||
* In 2019, conduct an assessment of the power reactor cyber security program that captures the following: | |||
- Effectiveness of the cyber security rule, guidance documents and licensees implementation; | |||
- Effectiveness of the full implementation inspection program and develop a path forward; | |||
- Lessons learned over the course of program implementation for the purposes of knowledge management and continuous improvement. | |||
* The assessment will result in a final report and support the staff assessment of PRM-73-18. | |||
3 | |||
Task Organization & Purpose | |||
* The Assessment Team will consist of 3 personnel: | |||
- 1 NRC staff from Cyber Security Branch; | |||
- 1 NRC staff from Nuclear Reactor Regulation; | |||
- 1 independent cyber security specialist from outside the NRC. | |||
* The Assessment Team will conduct multiple engagements with stakeholders to discuss, review and collect data to identify and determine the outcomes of the objectives. | |||
4 | |||
Schedule | |||
* Schedule of assessment activities: | |||
- Kickoff public meeting: January 10, 2019 | |||
- Engagement 1: week of January 28th | |||
- Engagement 2: week of February 11th | |||
- Engagement 3: week of February 25th | |||
- Engagement 4: week of March 11th | |||
- Mid-process public meeting: week of March 18th | |||
- Engagement 5: week of March 25th | |||
- Final public meeting: TBD (April or May) | |||
- Assessment final report: TBD (May or June) | |||
- Petition Review Board Closure Package to the Commission: | |||
NLT October 23, 2019 | |||
* Specific dates and locations of engagements 1-4 to be determined. 5 | |||
Framework | |||
* Discussion and data collection framework: | |||
: 1. Discuss specific rule language and/or guidance documents that may have contributed to not correctly screening Digital Assets (DAs) as Critical Digital Assets (CDAs). | |||
: 2. Discuss the processes used for assessing/screening the overall consequence to the Critical System (CS) and Safety, Security and Emergency Preparedness (SSEP) functions if a compromise of the CDA occurs. | |||
: 3. Discuss the process used to identify CSs and CDAs including the criteria used to include or exclude each DA. | |||
: a. How many DAs were screened as CDAs based on compromise NOT adversely impacting its function? | |||
: 4. Discuss number of DAs identified based on 73.54(a)(1). | |||
: a. Discuss number of DAs screened as CDAs (require protection) as a result of the analysis in 73.54(b)(1). | |||
: 5. Discuss any differences (if applicable) between any DA/CDA assessments conducted pre-rule, for Milestone 2 (M2), and for full implementation and their impacts or insights. | |||
: 6. Discuss and provide recommendations on approaches to further risk inform the CDA screening process. | |||
: 7. Discuss formation of the Cyber Assessment Team and any changes over time (M2, full implementation, size, etc.) and their impacts (if applicable). | |||
: 8. Discuss lessons learned from the full implementation inspections conducted to date and ideas for inspection efficiency. | |||
: 9. Discuss self-assessment and licensee program/system testing and performance indicators as well as periodicity that could be used as input for cyber security oversight in the future. | |||
6 | |||
Questions & Comments 7}} | |||
Revision as of 06:17, 20 October 2019
| ML19024A053 | |
| Person / Time | |
|---|---|
| Issue date: | 01/28/2019 |
| From: | Brad Bergemann NRC/NSIR/DPCP/CSB |
| To: | Jim Beardsley NRC/NSIR/DPCP/CSB |
| Bergemann B | |
| Shared Package | |
| ML19024A051 | List: |
| References | |
| Download: ML19024A053 (7) | |
Text
Power Reactor Cyber Security Program Assessment Brad Bergemann Cyber Security Branch Division of Physical and Cyber Security Policy Office of Nuclear Security and Incident Response 1
Agenda
- Objectives
- Task Organization & Purpose
- Schedule
- Framework
- Questions & Comments 2
Objectives
- In 2019, conduct an assessment of the power reactor cyber security program that captures the following:
- Effectiveness of the cyber security rule, guidance documents and licensees implementation;
- Effectiveness of the full implementation inspection program and develop a path forward;
- Lessons learned over the course of program implementation for the purposes of knowledge management and continuous improvement.
- The assessment will result in a final report and support the staff assessment of PRM-73-18.
3
Task Organization & Purpose
- The Assessment Team will consist of 3 personnel:
- 1 NRC staff from Cyber Security Branch;
- 1 NRC staff from Nuclear Reactor Regulation;
- 1 independent cyber security specialist from outside the NRC.
- The Assessment Team will conduct multiple engagements with stakeholders to discuss, review and collect data to identify and determine the outcomes of the objectives.
4
Schedule
- Schedule of assessment activities:
- Kickoff public meeting: January 10, 2019
- Engagement 1: week of January 28th
- Engagement 2: week of February 11th
- Engagement 3: week of February 25th
- Engagement 4: week of March 11th
- Mid-process public meeting: week of March 18th
- Engagement 5: week of March 25th
- Final public meeting: TBD (April or May)
- Assessment final report: TBD (May or June)
- Petition Review Board Closure Package to the Commission:
NLT October 23, 2019
- Specific dates and locations of engagements 1-4 to be determined. 5
Framework
- Discussion and data collection framework:
- 1. Discuss specific rule language and/or guidance documents that may have contributed to not correctly screening Digital Assets (DAs) as Critical Digital Assets (CDAs).
- 2. Discuss the processes used for assessing/screening the overall consequence to the Critical System (CS) and Safety, Security and Emergency Preparedness (SSEP) functions if a compromise of the CDA occurs.
- 3. Discuss the process used to identify CSs and CDAs including the criteria used to include or exclude each DA.
- 4. Discuss number of DAs identified based on 73.54(a)(1).
- a. Discuss number of DAs screened as CDAs (require protection) as a result of the analysis in 73.54(b)(1).
- 5. Discuss any differences (if applicable) between any DA/CDA assessments conducted pre-rule, for Milestone 2 (M2), and for full implementation and their impacts or insights.
- 6. Discuss and provide recommendations on approaches to further risk inform the CDA screening process.
- 7. Discuss formation of the Cyber Assessment Team and any changes over time (M2, full implementation, size, etc.) and their impacts (if applicable).
- 8. Discuss lessons learned from the full implementation inspections conducted to date and ideas for inspection efficiency.
- 9. Discuss self-assessment and licensee program/system testing and performance indicators as well as periodicity that could be used as input for cyber security oversight in the future.
6
Questions & Comments 7