Federal Register - August 10, 2021


Source: Federal Register


43600

Federal Register / Vol. 86, No. 151 / Tuesday, August 10, 2021 / Proposed Rules
NRC issued a series of security orders imposing new security requirements on nuclear power reactors and other facilities. In NRC Order EA-02-026, "Interim Safeguards and Security Compensatory Measures for Nuclear Power Plants," dated February 25, 2002, the NRC required licensees to address certain cyber security threats at their facilities to protect against a cyber attack. A subsequent order, NRC Order EA-03-086, "Issuance of Order Requiring Compliance with Revised Design Basis Threat for Operating Power Reactors," dated April 29, 2003, required licensees to address additional cyber attack characteristics.
In 2006, the NRC published in the Federal Register a proposed rulemaking, "Power Reactor Security Requirements" (71 FR 62664; October 26, 2006), to amend its existing security requirements and add new security requirements applicable to nuclear power reactors. This proposed rule contained a new § 73.55(m), "Digital computer and communication networks." Section 73.55(m)(1) would have required nuclear power reactor licensees to protect computer systems that, if compromised, would adversely impact safety, security and emergency preparedness (SSEP). Section 73.55(m)(2) would have required licensees to systematically assess and manage cyber risks at their facilities.
The NRC received comments on the proposed rule, including comments on § 73.55(m).
After considering all comments, the NRC issued a final rule, "Power Reactor Security Requirements" (74 FR 13926; March 27, 2009). This final rule relocated the cyber security requirements in the proposed rule's § 73.55(m) to a new stand-alone § 73.54 in the final rule. As noted by the Commission in the 2009 final rule Statement of Considerations (SOC), relocating the cyber security requirements into their own stand-alone section was appropriate because the implementation of a cyber security program requires a uniquely independent technical expertise and knowledge that would not necessarily be implemented by security personnel. As further noted, placing the cyber security requirements in a stand-alone section would enable these requirements to be made applicable to other types of facilities in the future, if warranted.
In 2013, the NRC began performing inspections of NRC licensees' 10 CFR 73.54 cyber security programs. By 2016, the NRC had completed initial inspections of all NRC licensees' cyber security programs. During this period of time, both industry and the NRC gained valuable insights and lessons learned from implementation of the NRC's cyber security requirements.
In January 2019, the Office of Nuclear Security and Incident Response's (NSIR) Cyber Security Branch initiated an assessment of the NRC's cyber security regulations and Power Reactor Cyber Security Program. Its purpose was to identify key areas of improvement that would strengthen the NRC's Power Reactor Cyber Security Program. The cyber assessment team engaged with external stakeholders to gain additional insights. The Cyber Security Branch in NSIR completed its assessment of the NRC's Power Reactor Cyber Security Program in July 2019. The assessment identified several enhancements to the Power Reactor Cyber Security Program, and the NRC staff developed an action plan to facilitate and prioritize implementation of these enhancements.
The enhancements are intended to further risk-inform the NRC's Power Reactor Cyber Security Program. Based on the assessment results, the NRC determined that there was a need to further revise guidance documents beyond updates already implemented by industry stakeholders to, among other things, address issues associated with the scoping of critical digital assets (CDAs).
III. Reasons for Denial
The NRC is denying the petition because the petitioner did not present sufficient new information to warrant the requested changes to the NRC's regulations in § 73.54. Specifically, the petitioner did not show that the regulatory language in § 73.54(a) is inconsistent with the original intent of this provision or the cyber security rule and did not show that the regulatory language in § 73.54(a)(1) is overly broad.
Furthermore, an assessment of the NRC's cyber security regulations and Power Reactor Cyber Security Program performed by NRC staff as a separate effort from the review of this petition determined that existing and ongoing revisions to guidance can effectively address the issues raised by the petitioner in this PRM without the need for rulemaking.
Assertions in the Petition
The assertions made by the petitioner in Section III of PRM-73-18, "Bases for the Action Requested by Petitioner," are summarized in the following paragraphs along with the NRC's responses to those assertions.
Assertion A in Section III of the PRM:
In support of its PRM, the petitioner asserts, in part, that the scoping language in § 73.54(a) was not included in the 2006 proposed rule and was added to the 2009 final rule without the opportunity for public notice and comment. The petitioner further asserts that the effects of this scoping language were likely not clear when the final rule was issued.
NRC Response to Assertion A:
The NRC disagrees with the petitioner's Assertion A. The 2006 proposed rule contained a new § 73.55(m) titled "Digital computer and communication networks." Section 73.55(m)(1) would have required licensees to have a cyber security program that would protect computer systems that, if compromised, would adversely impact SSEP. The NRC received several comments on the cyber security requirements in the 2006 proposed rule. This included a comment that the term "protected computer system" used in § 73.55(m)(1)(iii) lacked clarity and should be better defined in the final rule. As the Commission stated in the SOC to the 2009 final rule, in response to a public comment, the NRC revised the language in § 73.55(m)(1), renumbered as § 73.54(a) in the 2009 final rule, to provide a more detailed list of the types of computer systems and networks requiring protection from a cyber attack consistent with the language in the proposed rule.
The language in § 73.55(m)(1) of the 2006 proposed rule put licensees on notice that they were required to protect computer systems that, if compromised, could adversely affect SSEP. The language in § 73.54(a) of the 2009 final rule, while modifying the 2006 language from "SSEP" to "SSEP functions" to better identify the computer systems and networks requiring protection, did not significantly change any cyber security requirements from the proposed rule to the final rule. The 2009 language is consistent with, and a logical outgrowth of, the language in the 2006 proposed rule. Accordingly, the NRC was not required to submit this clarifying language for public notice and comment.
Assertion B in Section III of the PRM:
The petitioner asserts that one result of the § 73.54(a)(1) language in the 2009 final rule was to enlarge the scope of digital assets to be protected from cyber attack beyond what the Commission originally intended in the 2006 proposed rule. The petitioner further asserts that the § 73.54(a)(1) language requires licensees to implement cyber security controls on hundreds to thousands of digital assets, most of which do not, even if compromised, have a direct relationship to radiological

About this edition

Federal Register - August 10, 2021

Title: Federal Register

Country: United States of America

Date: 10/08/2021

Number of pages: 325

Number of editions: 7794

First edition: 14/03/1936

Last edition: 12/06/2026
