Federal Register - August 10, 2021


Source: Federal Register


Federal Register / Vol. 86, No. 151 / Tuesday, August 10, 2021 / Proposed Rules / 43603

of important-to-safety functions described in § 73.54(a)(1).
To the extent that Assertion D raises issues concerning FERC's jurisdiction at nuclear power plants, the NRC does not have the authority to limit the jurisdiction granted to other agencies by statute.
Assertion E in Section III of the PRM:
The petitioner states that, as of March 1, 2014, NRC inspections had identified violations of low safety significance associated with the failure of reactor licensees to identify digital assets needing protection against cyber attacks under § 73.54(a)(1). The petitioner views the violations as an illustration of the problems created by the § 73.54(a)(1) scoping language. The petitioner concludes that although these violations have little to no safety significance, they have resulted in unnecessary expense and a diversion of licensee resources, as well as conveying to the public an incorrect impression that the state of cyber security preparedness at those sites is less than adequate.
NRC Response to Assertion E:
The NRC agrees that several violations have been identified during its inspections of licensee cyber security programs at reactor sites. The implementation plan for licensees' cyber security programs, which has eight distinct milestones, was developed to allow a phased approach to full implementation of the cyber security requirements in § 73.54. One of the goals of this phased approach was to allow lessons learned to be applied by licensees prior to full program implementation. The use of this phased approach was intended to identify issues in an iterative way, particularly in regard to digital asset identification.
In cases where violations were identified during cyber security inspections of milestones 1 through 7, the NRC performed an evaluation and did not cite the violations if the licensee had made a good faith effort to comply with the requirements.
Licensees addressed these issues and made corrections to their cyber security programs prior to full program implementation. The identification and resolution of these cyber security issues help ensure that licensees successfully implement an effective cyber security program.
The NRC disagrees with the petitioner's assertion that the violations illustrate problems with the scoping language in § 73.54(a)(1). This scoping language correctly identifies the digital computer and communication systems and networks that the Commission intends licensees to protect against a cyber attack. The language in § 73.54(a)(1) does not identify specific digital assets that must be protected by licensee cyber security programs. It is the responsibility of the licensee to conduct the analysis required by § 73.54(b)(1) and correctly identify those digital assets that, if compromised, could adversely impact SSEP functions.
Failure to correctly identify digital assets may result in violations of the NRC's cyber security requirements.
The NRC also disagrees that the violations have conveyed to the public an incorrect impression that the state of cyber security preparedness at reactor sites is less than adequate. The petitioner provides no evidence that the public has formed such an impression as a result of these violations.
IV. Public Comments on the Petition
The comment period closed on December 8, 2014, and the NRC received 19 comment submissions on the PRM. All of the comment submissions received on this petition are available on https://www.regulations.gov under Docket ID NRC-2014-0165.
Of the 19 comment submissions received, 15 comment submissions supported the petition, two opposed the petition, and two provided other observations on the cyber security rule language. Overall, the comments received do not present additional information to support the petitioner's proposal that the NRC amend its cyber security regulations. The NRC organized the 19 comment submissions into 18 comment categories that are summarized and evaluated in the following paragraphs.
Comment Category 1: Scope of the rule language is too broad.
In support of the PRM, several comment submissions assert that the scope of the existing cyber security requirements in § 73.54 is too broad.
They contend that this broad scope has resulted in unnecessary burden on reactor licensees having to maintain hundreds to thousands of digital assets within their cyber security programs.
The comment submissions state that most of these digital assets have no nexus to protecting the health and safety of the public. One commenter stated that the high level of protection required by § 73.54 should be focused on the equipment whose compromise could endanger the health and safety of the public. Another commenter stated that the regulations in § 73.54 now allow the NRC to require that licensees classify an excessive number of components as critical even though their functions have little or no bearing on nuclear safety.


NRC Response to Category 1 Comments:
The comments included in Category 1 reiterate assertions made in the petition that the scope of the cyber security rule is too broad. For the reasons set forth in the Reasons for Denial section of this document, the NRC does not agree with these comments.
The NRC also disagrees with the commenters' assertion that actions required by § 73.54 are overly burdensome and have no nexus to protecting the health and safety of the public. As the Commission stated in SRM-COMWCO-10-0001, it has determined as a matter of policy that the NRC's cyber security rule at 10 CFR 73.54 should be interpreted to include SSCs in the BOP that have a nexus to radiological health and safety at NRC-licensed nuclear power plants. In SECY-10-0153, "Cyber Security Implementation of the Commission's Determination of Systems and Equipment within the Scope of Title 10 of the Code of Federal Regulations, Section 73.54," dated November 19, 2010, the Commission was informed that SSCs in the BOP that have a nexus to radiological health and safety are those that could, if compromised, directly or indirectly affect reactivity of a nuclear power plant, and are therefore within the scope of important-to-safety functions described in § 73.54(a)(1).
Consistent with the NRC's cyber security rule, it is the licensee's responsibility to analyze its digital computer and communication systems and networks and identify those digital assets that could adversely impact SSEP functions if compromised by a cyber attack. The NRC agrees with the commenters that some licensees may have conservatively identified certain digital assets that could not adversely impact SSEP functions even if compromised as being within the scope of the NRC's cyber security rule.
RG 5.71 contains NRC guidance for complying with the regulations in § 73.54. Licensees may use methods other than those described in RG 5.71 to meet the regulations in § 73.54. The NRC has also engaged with stakeholders regarding revisions to industry guidance to assist licensees in better identifying digital assets that fall within the scope of the NRC's cyber security rule. For example, as a result of insights gained from these interactions, NEI revised NEI 08-09, "Cyber Security Plan for Nuclear Power Reactors," and NEI 13-10, "Cyber Security Control Assessment," to address the application of cyber security controls for CDAs at nuclear power plants. Similarly, NEI revised NEI 13-10, Revision 6, to address