Text

10 CFR 50, Appendix B Components and Cyber Security Presentation (June 25-29, 2018)
	ML18156A419
Person / Time
Issue date:	06/05/2018
From:	Aaron Armstrong; NRC/NRO/DCIP/QVIB1
To:	;
	Armstrong A, NRO/DCIP
References
	Download: ML18156A419 (15)
	v • d • e

10 CFR 50, Appendix B Components and Cyber Security Technical Meeting for Reducing Cyber Risks in the Supply Chain IAEA Headquarters Vienna, Austria June 25-29, 2018 Aaron Armstrong Office of New Reactors (NRO) 1

Topics

Nuclear Regulatory Commission (NRC)

Regulations

Discuss the oversight of the supply chain

Observations identified during vendor inspection activities

Questions 2

NRC Regulations

10 CFR Part 50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants

- Quality Assurance comprises all those planned and systematic actions necessary to provide adequate confidence that a structure, system, or component will perform satisfactorily in service

- Consists of 18 Criteria of Quality Assurance (QA) 3

NRC Regulations

NRC evaluated Appendix B and ISO 9001-2000

NRC issued the results of this analysis in SECY-03-0117 which is publicly available

The attachment to SECY-03-0117 provides the details for the Appendix B to ISO 9001-2000 comparison.

4

NRC Regulations

10 CFR Part 21, Reporting Of Defects And Noncompliance

- Requires evaluation of deviations and failures to comply relating to defects that could create a substantial safety hazard

- Also prescribes the reporting requirements for defects or failures to comply

- Section 21.41, Inspection grants access for NRC inspections 5

NRC Regulations Other NRC Regulations that are applicable to NRC vendors:

10 CFR Part 50.5, Deliberate misconduct

10 CFR Part 50.7, Employee protection 6

Oversight of the supply chain

NRCs Vendor Inspection Center of Expertise (COE) provides oversight of vendors supplying safety-related* parts, materials and services.

Performs routine and reactive vendor inspections, as well as, quality assurance implementation inspections for new reactor applicants.

safety-related as defined by 10 CFR 50.2 7

Oversight of the supply chain

SECY-11-0154, Agencywide approach to Counterfeit, Fraudulent and Suspect Items, provide the following direction:

- The NRC staff will conduct vendor inspections at suppliers of safety-related Critical Digital Assets (CDAs), in accordance with 10 CFR Part 21

- The NRC staff will evaluate the results of these inspections to determine the need to expand the inspection sample to suppliers and sub-suppliers of non-safety-related CDAs 8

Oversight of the supply chain Vendor oversight of CDAs occurs if the items are procured as basic components (safety-related*)

- Appendix B and Part 21 requirements are contractually imposed on the vendor through the licensees procurement document

- These requirements are inspected by NRC using Inspection Procedure 43002

safety-related as defined by 10 CFR 50.2 9

Oversight of the supply chain

Inspection Procedure 43002, Routine Inspections of Nuclear Vendors

- Provides guidance to ensure NRC staff observes and assesses the vendors actual implementation to meet the licensee's contractual / procedural requirements 10

Vendor Inspection Observations

Several licensee purchase orders to a vendor requiring:

- No harmful code or malicious logic: vendor shall have appropriate procedures in place to ensure that no viruses, malicious code or unintended code is transported into the production environment or the operational environment