2023-02941. Cyber Security Programs for Nuclear Power Reactors  

    AGENCY:

    Nuclear Regulatory Commission.

    ACTION:

    Regulatory guide; issuance.

    SUMMARY:

    The U.S. Nuclear Regulatory Commission (NRC) is issuing Revision 1 to Regulatory Guide (RG) 5.71, “Cyber Security Programs for Nuclear Power Reactors.” Revision 1 incorporates references to industry guidance on identifying and protecting critical digital assets for safety-related, important to safety, balance of plant, and emergency preparedness equipment. It also clarifies guidance on defense-in-depth for cyber security and includes updated text based on the latest National Institute of Standards and Technology (NIST) and International Atomic Energy Agency (IAEA) cyber security guidance. Specifically, this revision clarifies issues identified from cyber security inspections, insights gained through the Security Frequently Asked Questions (SFAQ) process, documented cyber security attacks, new technologies, and new regulations. This revision also considers the changes in the most recent revision to the NIST Special Publications (SP) 800-53, upon which Revision 0 of Regulatory Guide (RG) 5.71, “Cyber Security Programs for Nuclear Facilities” was based.

    DATES:

    Revision 1 to RG 5.71 is available on February 13, 2023.

    ADDRESSES:

    Please refer to Docket ID NRC-2021-0143 when contacting the NRC about the availability of information regarding this document. You may obtain publicly available information related to this document using any of the following methods:

    Federal Rulemaking Website: Go to https://www.regulations.gov and search for Docket ID NRC-2021-0143. Address questions about Docket IDs in Regulations.gov to Stacy Schumann; telephone: 301-415-0624; email: Stacy.Schumann@nrc.gov. For technical questions, contact the individuals listed in the FOR FURTHER INFORMATION CONTACT section of this document.

    NRC's Agencywide Documents Access and Management System (ADAMS): You may obtain publicly available documents online in the ADAMS Public Documents collection at https://www.nrc.gov/reading-rm/adams.html. To begin the search, select “Begin Web-based ADAMS Search.” For problems with ADAMS, please contact the NRC's Public Document Room (PDR) reference staff at 1-800-397-4209, 301-415-4737, or by email to PDR.Resource@nrc.gov. The ADAMS accession number for each document referenced (if it is available in ADAMS) is provided the first time that it is mentioned in this document.

    NRC's PDR: You may examine and purchase copies of public documents, by appointment, at the NRC's Public Document Room (PDR), Room P1 B35, One White Flint North, 11555 Rockville Pike, Rockville, Maryland 20852. To make an appointment to visit the PDR, please send an email to PDR.Resource@nrc.gov or call 1-800-397-4209 or 301-415-4737, between 8 a.m. and 4 p.m. eastern time (ET), Monday through Friday, except Federal holidays.

    Revision 1 to RG 5.71 and the regulatory analysis may be found in ADAMS under Accession No. ML22258A204 and ML21130A636, respectively.

    Regulatory guides are not copyrighted, and NRC approval is not required to reproduce them.

    FOR FURTHER INFORMATION CONTACT:

    Kim Lawson-Jenkins, Office of Nuclear Security and Incident Response, telephone: 301-287-3656, email: Kim.Lawson-Jenkins@nrc.gov and Stanley Gardocki, Office of Nuclear Regulatory Research, telephone: 301-415-1067, email: Stanley.Gardocki@nrc.gov. Both are staff of the U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001.

    SUPPLEMENTARY INFORMATION:

    I. Discussion

    The NRC is issuing a revision to an existing guide in the NRC's “Regulatory Guide” series. This series was developed to describe methods that are acceptable to the NRC staff for implementing specific parts of the agency's regulations, to explain techniques that the staff uses in evaluating specific issues or postulated events, and to describe information that the staff needs in its review of applications for permits and licenses.

    RG 5.71, Revision 1 is entitled “Cyber Security Programs for Nuclear Power Reactors.” It provides NRC licensees with guidance on meeting the cyber security requirements described in section 73.54 of title 10 of the Code of Federal Regulations (10 CFR), “Protection of digital computer and communication systems and networks.”

    Revision 1 clarifies guidance on defense-in-depth for cyber security and updates guidance based on the latest NIST and IAEA cyber security guidance. Revision 1 also clarifies issues identified from cyber security inspections, insights gained through the SFAQ process, lessons learned from international and domestic cyber security attacks, new technologies, and new regulations.

    The proposed Revision 1 to RG 5.71 was issued with a temporary identification Draft Regulatory Guide (DG) 5061.

    II. Additional Information

    The NRC published a notice of availability of DG-5061 (ADAMS Accession No. ML18016A129) in the Federal Register on August 23, 2018 (83 FR 42623) for a 60-day public comment period. The public comment period closed on October 22, 2018. Public comments received on DG-5061 and the staff responses are available in ADAMS under Accession No. ML21266A132.

    In order to incorporate updates in industry documents, DG-5061 was re-issued in the Federal Register on March 3, 2022 (87 FR 12208) for a 60-day public comment period. The public comment period closed on May 2, 2022. Public comments received on DG-5061 and the staff responses are available in ADAMS under Accession No. ML22258A200.

    As noted in the Federal Register on December 9, 2022 (87 FR 75671), this document is being published in the “Rules” section of the Federal Register to comply with publication requirements under 1 CFR chapter I.

    III. Congressional Review Act

    This RG is a rule as defined in the Congressional Review Act (5 U.S.C. 801-808). However, the Office of Management and Budget has not found it to be a major rule as defined in the Congressional Review Act.

    IV. Backfitting, Forward Fitting, and Issue Finality

    RG 5.71 describes methods acceptable to the NRC staff for complying with the NRC's regulations to meet the regulatory requirements in 10 CFR 73.54. Issuance of this RG would not constitute backfitting as defined in 10 CFR 50.109, “Backfitting,” and as described in NRC Management Directive (MD) 8.4, “Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests”; constitute forward fitting as that term is defined and described in MD 8.4; or affect the issue finality of any approval issued under 10 CFR part 52, “Licenses, certifications, and approvals for nuclear power plants.”

    V. Submitting Suggestions for Improvement of Regulatory Guides

    A member of the public may, at any time, submit suggestions to the NRC for improvement of existing RGs or for the development of new RGs. Suggestions can be submitted on the NRC's public website at https://www.nrc.gov/reading-rm/doc-collections/reg-guides/contactus.html. Suggestions will be considered in future updates and enhancements to the “Regulatory Guide” series.

    Dated: February 7, 2023.

    For the Nuclear Regulatory Commission.

    Meraj Rahimi,

    Chief, Regulatory Guide and Programs Management Branch, Division of Engineering, Office of Nuclear Regulatory Research.

    [FR Doc. 2023-02941 Filed 2-10-23; 8:45 am]

    BILLING CODE 7590-01-P

Document Information

Published: 02/13/2023
Department: Nuclear Regulatory Commission
Entry Type: Rule
Action: Regulatory guide; issuance.
Document Number: 2023-02941
Dates: Revision 1 to RG 5.71 is available on February 13, 2023.
Pages: 9117-9118 (2 pages)
Docket Numbers: NRC-2021-0143
PDF File: 2023-02941.pdf
Supporting Documents:
» Regulatory Analysis - Draft Regulatory Guide DG-5061 "Cyber Security Programs for Nuclear Power Reactors"
» Draft Regulatory Guide DG-5061 "Cyber Security Programs for Nuclear Power Reactors"
CFR: (1) 10 CFR 73