Federal Register - August 10, 2021
Source: Federal Register
43606 Federal Register / Vol. 86, No. 151 / Tuesday, August 10, 2021 / Proposed Rules
cyber security protection for such digital assets and decrease defense-in-depth, inconsistent with the rule. For example, the term "defense-in-depth" used in § 73.54(c)(2) requires that a cyber security program be designed to apply and maintain defense-in-depth protective strategies to ensure the capability to detect, respond to, and recover from cyber attacks. In responding to a comment on what became § 73.54(c)(2), the Commission in Section III.D of the 2009 SOC stated that defense-in-depth for digital assets includes technical and administrative controls that are integrated and used to mitigate threats from identified risks (74 FR 13934; March 27, 2009).
To the extent that the comment submissions are asserting that the NRC should be the single regulatory authority establishing cyber security requirements for nuclear power plants, the NRC does not have the authority to limit the jurisdiction granted to other agencies by statute. However, the NRC has worked closely with FERC on matters of mutual interest related to the nation's electric power grid reliability and nuclear power plant safety and security, including but not limited to, coordination of activities related to cyber security at nuclear power plants. By the memorandum of agreement dated September 22, 2015, the NRC and FERC have reached a mutual agreement on how each agency will implement its jurisdiction over cyber security assets at nuclear power plants.
Comment Category 6: Interpretation of "Critical Digital Assets" under the cyber security rule.
One commenter asserts that NRC inspectors have interpreted critical digital assets to include backup valve position indicators to which an operator may refer during an abnormal plant condition. The commenter states that if such indicators were affected by a cyber security event, the required response action could be potentially delayed but would not affect plant safety. The commenter concludes that designating valve position indicators as CDAs adds hundreds of components to the critical digital asset program without contributing to plant safety and goes well beyond any reasonable definition of what constitutes a critical digital asset.
NRC Response to Category 6 Comments: The subject of whether any digital asset is a critical digital asset is based on a site-specific analysis of digital assets performed by the licensee.
RG 5.71, "Cyber Security Program for Nuclear Facilities," NEI 08-09, "Cyber Security Plan for Nuclear Power Reactors," and NEI 13-10, "Cyber Security Control Assessment," provide guidance to licensees on the development of licensee cyber security plans that meet NRC requirements, including the process of identifying and implementing appropriate cyber security controls for CDAs.
The NRC is continuing to engage with stakeholders to develop guidance revisions to streamline the process for addressing the application of cyber security controls to CDAs. For example, the NRC has reviewed NEI proposals for risk-informing the identification of CDAs for EP, BOP, important-to-safety, and safety-related digital assets (ADAMS Accession Nos. ML20129J981, ML20209A442, and ML20223A256).
NEI has stated its intent to incorporate these revisions into its guidance documents and to submit them to the NRC for endorsement.
Comment Category 7: Critical Infrastructure Protection standards.
Two comment submissions assert that the evidence required by the NRC and the North American Electric Reliability Corporation Critical Infrastructure Protection standards regarding compliance with cybersecurity requirements should be brought into closer alignment through rulemaking to reduce the current burden on those utilities that run both nuclear and non-nuclear facilities. The comment submissions further assert that § 73.54 requires utilities to comply with the requirements of multiple regulatory agencies, and that having to provide different types of evidence to different agencies places unnecessary burdens on the limited number of utility cybersecurity professionals. One of these comment submissions also asserts that a rulemaking should establish clear boundaries of jurisdiction between the NRC and other regulatory agencies.
NRC Response to Category 7 Comments: These comments pertain to issues that were not raised by the petitioner and, therefore, are outside the scope of this PRM. The NRC's cyber security rule is applicable only to NRC power reactor licensees and is not applicable to non-nuclear electric utilities.
Further, to the extent that the comment submissions are asserting that the NRC should establish clear boundaries to limit the jurisdiction of other Federal regulatory agencies, the NRC has no authority to limit the jurisdiction granted to other agencies by statute. However, the NRC has worked closely with FERC on matters of mutual interest related to the nation's electric power grid reliability and nuclear power plant safety and security, including but not limited to coordination of activities related to cyber security, to avoid dual regulation of nuclear power plants. By the memorandum of agreement dated September 22, 2015, the NRC and FERC have reached a mutual agreement on how each agency will implement its jurisdiction over cyber security assets at nuclear power plants.
Comment Category 8: The petition should be denied.
Two comment submissions assert that the petition should be denied. The commenters assert that granting the petition would roll back cybersecurity regulations essential for nuclear safety. The comment submissions endorse maintaining a high level of cybersecurity protection for both nuclear facilities and communication networks.
NRC Response to Category 8 Comments: The NRC agrees that the petition should be denied. As discussed in the Reasons for Denial section of this document, the existing cyber security regulations in § 73.54 are necessary to ensure adequate protection of digital computer and communication systems and networks associated with SSEP functions and their related support systems.
Comment Category 9: Include PRM-proposed changes in the cyber security event notification rulemaking.
Eleven comment submissions assert that the cyber security event notification rulemaking could provide a ready vehicle for the changes proposed in the petition.
NRC Response to Category 9 Comments: The Cyber Security Event Notification final rule was published in the Federal Register on November 2, 2015 (80 FR 67264). It was a separate action that did not address the issues raised by the petitioner in PRM-73-18. These comments are outside the scope of this PRM.
Comment Category 10: Specific examples of equipment that should not be covered by the cyber security rule.
Nine comment submissions provide examples of equipment that should not be required to be protected by the cyber security rule. Some of the examples the commenters provide are digital process instruments within BOP systems, wireless control systems associated with plant cranes, non-safety-related digital indicators, business computer systems, and cameras, transmitters, and media converters.
NRC Response to Category 10 Comments: The issue of whether a specific digital asset must be protected from cyber attacks under the regulations in § 73.54 is based on a site-specific analysis made by the licensee. The NRC notes that, to address issues associated