ML23227A094

Regional Inspector Comments on Updates to IMC 0612 Appendix E Section 11 Cybersecurity
Issue date: 08/17/2023
From: Kim Lawson-Jenkins, NRC/NSIR/DPCP/CSB


Commenter: Region I
Section of IMC 0612 Appendix E: Example 11.a
Specific Comments: A significant number of findings were written using MC 0612 Appendix E example 11.a to support the MTM justification since full implementation. Please strongly consider maintaining this example in MC 0612 Appendix E and use the attached updated example 11.a provided to NSIR that refers to CSP 3.1.6, Mitigation of Vulnerabilities and Application of Cyber Security Controls, instead of referring to CSP 3.1.3, Identification of Critical Digital Assets. This example illustrates missed security controls that are required to be implemented for Indirect and Direct CDAs and continues to be a value added example to support issues identified during the cyber security baseline inspections.
CSB Staff Resolution: The example was updated to cite NEI 08-09, Appendix A, Section 3.1.6 - Mitigation of Vulnerabilities and Application of Cyber Security Controls instead of NEI 08-09, Appendix A, Section 3.1.3 - Identification of Critical Digital Assets, and clarified that the example addresses misclassification of a CDA that results in inadequate protection against a cyber-attack.

Commenter: Region IV
Section of IMC 0612 Appendix E: Example 11.a
Specific Comments: The text commensurate to the required baseline controls seems a bit vague to me. I recommend adding language similar to "...that mitigate the consequences of the threat/attack vector(s) associated with one or more of the cyber security controls..." for consistency with the guidance.
CSB Staff Resolution: The required baseline controls are specifically identified for indirect CDAs in NEI 13-10. The updated text regarding misclassification of the CDA provides clarity and reduces subjectivity when determining whether the performance deficiency is minor. No additional changes were made to the text based on this comment.

Commenter: Region II
Section of IMC 0612 Appendix E: Example 11.a
Specific Comments: RII also believes that 11.a should be deleted.
CSB Staff Resolution: See answer for the RI comment on this example, which revised the original example and added clarifying text.

Commenter: Region IV
Section of IMC 0612 Appendix E: Example 11.d
Specific Comments: Would it be useful to include a discussion on the 92-day audit requirement under 10.3?
CSB Staff Resolution: It would be more appropriate to address this issue with additional guidance to discuss acceptable alternative controls for periodicity requirements for security controls, which would include the periodicity to verify baseline configurations. CSB staff will be reviewing new NEI guidance in this area.

Commenter: Region I
Section of IMC 0612 Appendix E: Example 11.f
Specific Comments: The MTM if section should include the language that we have used to screen recent issues at MTM, such as MTM if unnecessary services and programs are installed but not disabled without a cyber impact assessment to justify that those programs and surfaces do not introduce any new or unmitigated vulnerabilities, or MTM if unnecessary services and programs are installed and manually turned off, but not disabled, which would not prevent those services and programs from running if another system, service or application triggers those unnecessary programs or services to run.
CSB Staff Resolution: It is not clear to CSB staff that the text in the comment would provide clarity for the example. The impact should not result in the reduction of the defense in depth protective strategy. The given MTM examples are specific in stating how the unnecessary service or program would impact other security controls in the CSP and reduce the overall defense in depth strategy. No change was made to the text based on this comment.

Commenter: Region I
Section of IMC 0612 Appendix E: Example 11.g
Specific Comments: It is standard practice for sites to perform a performance test using an x-ray test block at the beginning of each shift or even prior to every scan. The Minor if includes a functional X-Ray test block to verify operability prior to use of searching. We have issued Findings even though sites have performed this test, so the statement should be clarified or removed from this example.
CSB Staff Resolution: Changed the text from functional X-ray block test to testing. This leaves the flexibility to the inspector to determine if the combination of security protections with the specific level of testing is adequate.

Commenter: Region I
Section of IMC 0612 Appendix E: Example 11.e
Specific Comments: 11.e seems to toggle from missing a cyber security control in the Minor if section and focus on failing to perform an ongoing assessment of controls. The example needs to only focus on one or the other. I would revise to change the minor if to only discuss the ongoing assessment portion. We can discuss later for details.
CSB Staff Resolution: There have been instances on inspections where security controls that had been in place were inadvertently changed during the lifecycle of the CDA. In almost all cases, if the licensee was performing adequate ongoing assessments, they would have determined that the security control was no longer in place. Some inspectors have written violations based on the failure to perform adequate ongoing assessments rather than the missing control. No change was made to the text based on this comment.

Commenter: Region I
Section of IMC 0612 Appendix E: Example 11.f
Specific Comments: In prior discussions with Tim Marshall, we have also incorporated the additional complexity of running versus standby (but not disabled) as part of the minor/more than minor discussion.
CSB Staff Resolution: It is understood that the listed criteria are not all inclusive and the additional criteria proposed would be included in the reduction of the defense in depth strategy. No change was made to the text based on this comment.

Commenter: Region I
Section of IMC 0612 Appendix E: Example 11.h
Specific Comments: Consider changing the minor if from "isolated cases of vulnerability" to "an isolated vulnerability", as typically the inspectors only ask for a few vulnerabilities and therefore having multiple is actually a high percentage of the ones inspected. On the MTM if, we could also include "or multiple applicable vulnerabilities were not assessed."
CSB Staff Resolution: CSB staff agree to the suggested changes and updated the text.