Federal Register - August 10, 2021
Source: Federal Register
Federal Register / Vol. 86, No. 151 / Tuesday, August 10, 2021 / Proposed Rules
scoping issues using a consequence-based approach for screening CDAs. The consequence-based approach in NEI 13-10 enables industry to focus resources on the more consequential digital assets that require protection. The NRC continues to engage with stakeholders to review and revise, as appropriate, relevant cyber security guidance, including guidance on the scoping of CDAs.
Comment Category 2: Implementation costs are significantly higher than those presented in the regulatory analysis for the 2009 rule.
Two comment submissions that support the PRM assert that the costs associated with implementation of the cyber security requirements in § 73.54 are substantially higher than those presented in the NRC's 2009 regulatory analysis of these requirements.
NRC Response to Category 2 Comments: The NRC acknowledges that the costs regarding the implementation of § 73.54 were underestimated in the 2009 regulatory analysis that supported the final rule. Specifically, the quantity of digital assets identified as CDAs far exceeded the NRC's estimates developed at the time the cyber security rule was finalized. As noted previously, given that many licensees adopted a conservative approach to identifying digital assets at their facilities, the NRC has engaged, and is continuing to engage, with stakeholders to revise guidance for identifying CDAs. The NRC anticipates that this will reduce the number of identified CDAs and result in a reduction of costs to licensees in implementing the NRC's cyber security requirements. As a separate effort, the NRC is reviewing its process for developing cost estimates associated with rulemakings.
Comment Category 3: Unnecessary diversion of licensee resources and attention.
The commenters assert that, in determining required cyber security controls, no graded approach is acceptable for use by NRC licensees in complying with the requirements in § 73.54. These commenters assert that the cost of implementing and maintaining these controls contributes no added value, that the controls are costly to maintain, and that they reduce the effectiveness of the digital assets.
One commenter asserts that the current rule language significantly increases costs by: (1) creating a need for vendor processes outside of a well-vetted procurement process; (2) imposing requirements for monitoring and assessment outside of current practices; and (3) failing to accept current maintenance rule analysis of a component's risk significance for exemption from additional treatment.
Two commenters assert that the cost of implementing and maintaining the requirements of the rule directly competes with the cost of facility modifications that could improve plant safety, equipment reliability, and reduce the likelihood of an initiating event.
Another commenter states that the scope of the existing requirements in § 73.54 introduces significant and unwarranted costs in terms of complying with the requirements in § 73.56, and that these issues would be resolved by granting the PRM.
Two commenters suggest specific alternatives for refocusing the rule language in § 73.54. One commenter suggests, as an alternative to the petitioner's suggested changes: (1) modifying § 73.54(a)(1)(i) to directly state that only Target Set and credited security system equipment need special consideration for preventing the previously established § 73.1 DBT intent of radiological sabotage; and (2) modifying § 73.54(a)(1)(ii) to focus on trips and transients created by cyber attacks initiated by outsiders external to the Protected Area (PA). Another commenter similarly suggested that the NRC refocus the rule language on: (1) high assurance protection for preventing radiological sabotage; (2) preventing plant trips and transients caused by cyber attacks initiated from outside the PA; and (3) preventing accidental initiation of a cyber attack caused by insider action.
NRC Response to Category 3 Comments: The NRC disagrees that a graded approach is not acceptable for use by licensees in complying with the requirements in § 73.54. A consequence-based, graded assessment process for identifying CDAs and determining the appropriate security controls to be applied to those CDAs may contribute to reducing unnecessary costs to licensees.
Using this graded approach may result in the application of certain minimum cyber security controls to specifically identified CDAs, as well as provide a method to assess alternate means of protecting CDAs (for example, EP CDAs) from cyber attacks. However, this graded approach will still require that licensees adequately protect CDAs from a cyber attack. For these reasons and the reasons stated in the "Reasons for Denial" section of this document, the NRC disagrees with the assertion that the development of a consequence-based, graded approach for implementing the requirements in § 73.54 contributes no added value and therefore results in the unnecessary expenditure of licensee resources.
The NRC also disagrees with the assertion that the application of cyber security controls reduces the effectiveness of digital assets. The commenters did not provide any evidence to support this assertion. The NRC is not aware of any operational experience or data that demonstrates a reduction in effectiveness of digital assets due to the application of cyber security controls to those assets.
The NRC does not agree that the rule language in § 73.54 imposes requirements for monitoring and assessment that are outside of current practices. The cyber security rule does not require any change to existing licensee monitoring and assessment practices that have already been implemented, and it does not impose any requirement that licensees develop and implement new monitoring and assessment practices.
The NRC disagrees with the comments regarding limiting the scope of § 73.54 to only target sets and credited security system equipment, and to trips and transients created by cyber attacks initiated by outsiders external to the PA. Cyber attacks can adversely affect the performance of SSEP functions of a nuclear facility, which are broader than the functions performed by target sets and security system equipment. As described in RG 5.71, the scope of the cyber security rule goes beyond consideration of cyber attacks initiated by outsiders external to the PA, because a defense-in-depth approach requires the licensee to evaluate threats from all possible vectors, including internal and external threats. The NRC further notes that the commenters did not provide a technical basis to support their recommendations.
Certain Category 3 comments are outside the scope of the petition for rulemaking. First, the comment that the requirements in § 73.54 create a need for vendor processes outside of a well-vetted procurement process is outside the scope of the petition. The petition does not discuss the alleged need for additional vendor processes identified in the comment submission. Additionally, the commenter did not provide any evidence that the NRC's cyber security rule impacts licensee procurement processes. Licensees may procure any computer systems, networks, or digital assets that enable them to comply with NRC requirements and are not prohibited by federal law.
The cyber security rule requires licensees to ensure that CDAs associated with whatever digital systems the licensee procures are adequately protected from a cyber attack by the application of appropriate security