2018-18231. Cyber Security Programs for Nuclear Power Reactors  

    AGENCY:

    Nuclear Regulatory Commission.

    ACTION:

    Draft regulatory guide; request for comment.

    SUMMARY:

    The U.S. Nuclear Regulatory Commission (NRC) is issuing for public comment Draft Regulatory Guide (DG) DG-5061, “Cyber Security Programs for Nuclear Power Reactors.” This revision incorporates lessons learned from operating experience since the original publication of the guide. Specifically, this revision clarifies issues identified from interim cybersecurity milestone inspections, additional insights gained through the Security Frequently Asked Questions (SFAQs) process, documented cybersecurity attacks, new technologies, and new regulations. This revision also considers the changes in the most recent revision to the National Institute of Standards and Technology (NIST) Special Publications (SP) 800-53, upon which Revision 0 of RG 5.71 was based.

    DATES:

    Submit comments by October 22, 2018. Comments received after this date will be considered if it is practical to do so, but the NRC is able to ensure consideration only for comments received on or before this date. Although a time limit is given, comments and suggestions in connection with items for inclusion in guides currently being developed or improvements in all published guides are encouraged at any time.

    ADDRESSES:

    You may submit comments by any of the following methods:

    • Federal Rulemaking Website: Go to http://www.regulations.gov and search for Docket ID NRC-2018-0182. Address questions about NRC dockets to Jennifer Borges; telephone: 301-287-9127; email: Jennifer.Borges@nrc.gov. For technical questions, contact the individuals listed in the FOR FURTHER INFORMATION CONTACT section of this document.
    • Mail comments to: May Ma, Office of Administration, Mail Stop: ON 2A13, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001.

    For additional direction on accessing information and submitting comments, see “Accessing Information and Submitting Comments” in the SUPPLEMENTARY INFORMATION section of this document.

    FOR FURTHER INFORMATION CONTACT:

    Kim Lawson-Jenkins, Office of Nuclear Security and Incident Response, telephone: 301-287-3656; email: Kim.Lawson-Jenkins@nrc.gov, and Mekonen Bayssie, Office of Nuclear Regulatory Research, telephone: 301-415-1699; email: Mekonen.Bayssie@nrc.gov. Both are staff of the U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001.

    SUPPLEMENTARY INFORMATION:

    I. Obtaining Information and Submitting Comments

    A. Obtaining Information

    Please refer to Docket ID NRC-2018-0182 when contacting the NRC about the availability of information regarding this document. You may obtain publicly available information related to this document by any of the following methods:

    • Federal Rulemaking Website: Go to http://www.regulations.gov and search for Docket ID NRC-2018-0182.
    • NRC's Agencywide Documents Access and Management System (ADAMS): You may access publicly available documents online in the ADAMS Public Documents collection at http://www.nrc.gov/reading-rm/adams.html. To begin the search, select “Begin Web-based ADAMS Search.” For problems with ADAMS, please contact the NRC's Public Document Room (PDR) reference staff at 1-800-397-4209, 301-415-4737, or by email to pdr.resource@nrc.gov. DG-5061 is available in ADAMS under Accession No. ML18016A129.
    • NRC's PDR: You may examine and purchase copies of public documents at the NRC's PDR, Room O1-F21, One White Flint North, 11555 Rockville Pike, Rockville, Maryland 20852.

    B. Submitting Comments

    Please include Docket ID NRC-2018-0182 in your comment submission. The NRC cautions you not to include identifying or contact information that you do not want to be publicly disclosed in your comment submission. The NRC posts all comment submissions at http://www.regulations.gov as well as enters the comment submissions into ADAMS. The NRC does not routinely edit comment submissions to remove identifying or contact information.

    If you are requesting or aggregating comments from other persons for submission to the NRC, then you should inform those persons not to include identifying or contact information that they do not want to be publicly disclosed in their comment submission. Your request should state that the NRC does not routinely edit comment submissions to remove such information before making the comment submissions available to the public or entering the comment submissions into ADAMS.

    II. Additional Information

    The NRC is issuing for public comment a DG in the NRC's “Regulatory Guide” series. This series was developed to describe and make available to the public information regarding methods that are acceptable to the NRC staff for implementing specific parts of the NRC's regulations, techniques that the staff uses in evaluating specific issues or postulated events, and data that the staff needs in its review of applications for permits and licenses.

    The DG, titled “Cyber Security Programs for Nuclear Power Plants,” is temporarily identified by its task number, DG-5061. DG-5061 is a proposed revision (Revision 1) to RG 5.71, “Cyber Security Programs for Nuclear Power Plants.” It provides NRC licensees with guidance on meeting the cybersecurity requirements described in title 10 of the Code of Federal Regulations (10 CFR) § 73.54, “Protection of digital computer and communication systems and networks.”

    This revision clarifies issues identified from interim cybersecurity milestone inspections, additional insights gained through the SFAQs process, documented cybersecurity attacks, new technologies, and new regulations. In addition, it considers changes in NIST SP 800-53, upon which Revision 0 of RG 5.71 was based.

    In 2010, the Commission issued Staff Requirements Memorandum (SRM), SRM-COMWCO-10-0001 (ADAMS Accession No. ML102940009), which clarified the scope of the cyber security rule with regard to balance of plant (BOP) systems. This revision to RG 5.71 includes guidance for structures, systems, and components (SSCs) in the BOP.

    In 2015, the NRC published the regulation 10 CFR 73.77, and its associated guidance, RG 5.83, that provides guidance on cyber security event notifications. This rule established requirements clarifying the types of cyber attacks that require notification to the NRC, the timeliness for making the notifications, how licensees make notifications, and how to submit follow-up written reports to the NRC.

    III. Backfitting and Issue Finality

    DG-5061 describes a method that the staff of the NRC considers acceptable for use by nuclear power plant licensees in meeting the cybersecurity requirements in 10 CFR 73.54. The revision updates the guidance by incorporating lessons learned and guidance documents since the original publication of the guide.

    On October 21, 2010, the Commission issued SRM-COMWCO-10-0001, which clarified the scope of the cyber security rule. In the SRM, the Commission determined as a matter of policy that the NRC's cyber security regulation (10 CFR 73.54) should be interpreted to include Systems, Structures, and Components in the Balance of Plant that have a nexus to radiological health and safety at NRC-licensed nuclear power plants. The Commission clarified the scope of the rule to include digital assets previously covered by cyber security regulations of the Federal Energy Regulatory Commission. In response to this SRM, the licensees updated their cyber security plans to incorporate BOP systems. This revision includes guidance for SSCs in the BOP.

    Issuance of this DG, if finalized, would not constitute backfitting as defined in 10 CFR 50.109 (the Backfit Rule) and would not otherwise be inconsistent with the issue finality provisions in 10 CFR part 52. As discussed in the “Implementation” section of this DG, the NRC has no current intention to impose this guide, if finalized, on holders of current operating licenses or combined licenses.

    However, the scope of issue finality provided extends only to the matters resolved in the license or regulatory approval. Early site permits, design certification rules, and standard design approvals typically do not address or resolve compliance with operational programs such as the cybersecurity requirements in 10 CFR 73.54. Therefore, the various issue finality provisions would not apply to applications referencing an early site permit, design certification rule, or standard design approval with respect to the security matters addressed in this draft regulatory guide.

    Dated at Rockville, Maryland, this 20th day of August, 2018.

    For the Nuclear Regulatory Commission.

    Thomas H. Boyce,

    Chief, Regulatory Guide and Generic Issues Branch, Division of Engineering, Office of Nuclear Regulatory Research.

    [FR Doc. 2018-18231 Filed 8-22-18; 8:45 am]

    BILLING CODE 7590-01-P

Document Information

Published:
08/23/2018
Department:
Nuclear Regulatory Commission
Entry Type:
Proposed Rule
Action:
Draft regulatory guide; request for comment.
Document Number:
2018-18231
Pages:
42623-42624 (2 pages)
Docket Numbers:
NRC-2018-0182
PDF File:
2018-18231.pdf