AGENCY:

Nuclear Regulatory Commission.

ACTION:

Petition for rulemaking; docketing, and request for comment.

SUMMARY:

The U.S. Nuclear Regulatory Commission (NRC) has received a petition for rulemaking (PRM) from Anthony Pietrangelo, filed on behalf of the Nuclear Energy Institute (NEI or the petitioner) on June 12, 2014. The petitioner requests that the NRC revise its cyber security requirements to ensure that its regulations prevent radiological sabotage and adequately protect the public health and safety and common defense and security. The NRC is requesting public comment on the petition for rulemaking.

DATES:

Submit comments by December 8, 2014. Comments received after this date will be considered if it is practical to do so, but the NRC is able to assure consideration only for comments received on or before this date.

ADDRESSES:

You may submit comments by any of the following methods:

• Federal rulemaking Web site: Go to http://www.regulations.gov and search for Docket ID NRC-2014-0165. Address questions about NRC dockets to Carol Gallagher; telephone: 301-492-3668; email: Carol.Gallagher@nrc.gov. For technical questions, contact the individual listed in the FOR FURTHER INFORMATION CONTACT section of this document.
• Email comments to: Rulemaking.Comments@nrc.gov. If you do not receive an automatic email reply confirming receipt, then contact us at 301-415-1677.
• Fax comments to: Secretary, U.S. Nuclear Regulatory Commission at 301-415-1101.
• Mail comments to: Secretary, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, ATTN: Rulemakings and Adjudications Staff.
• Hand deliver comments to: 11555 Rockville Pike, Rockville, Maryland 20852, between 7:30 a.m. and 4:15 p.m. (Eastern Time) Federal workdays; telephone: 301-415-1677.

For additional direction on obtaining information and submitting comments, see “Obtaining Information and Submitting Comments” in the SUPPLEMENTARY INFORMATION section of this document.

FOR FURTHER INFORMATION CONTACT:

Robert Beall, Office of Nuclear Reactor Regulations, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; telephone: 301-415-3874, email: Robert.Beall@nrc.gov.

SUPPLEMENTARY INFORMATION:

I. Obtaining Information and Submitting Comments

A. Obtaining Information

Please refer to Docket ID NRC-2014-0165 when contacting the NRC about the availability of information for this petition for rulemaking. You may obtain publicly available information related to this action by any of the following methods:

• Federal Rulemaking Web site: Go to http://www.regulations.gov and search for Docket ID NRC-2014-0165.
• NRC's Agencywide Documents Access and Management System (ADAMS): You may obtain publicly available documents online in the ADAMS Public Documents collection at http://www.nrc.gov/​reading-rm/​adams.html. To begin the search, select “ADAMS Public Documents” and then select “Begin Web-based ADAMS Search.” For problems with ADAMS, please contact the NRC's Public Document Room (PDR) reference staff at 1-800-397-4209, at 301-415-4737, or by email to pdr.resource@nrc.gov. The Petition to Amend section 73.54 of Title 10 of the Code of Federal Regulations (10 CFR), “Protection of Digital Computer and Communication Systems and Networks,” is available in ADAMS under Accession No. ML14184B120.
• NRC's PDR: You may examine and purchase copies of public documents at the NRC's PDR, Room O1-F21, One White Flint North, 11555 Rockville Pike, Rockville, Maryland 20852.

B. Submitting Comments

Please include Docket ID NRC-2014-0165 in the subject line of your comment submission, in order to ensure that the NRC is able to make your comment submission available to the public in this docket.

The NRC cautions you not to include identifying or contact information that you do not want to be publicly disclosed in you comment submission. The NRC will post all comment Start Printed Page 56526submissions at http://www.regulations.gov as well as enter the comment submissions into ADAMS. The NRC does not routinely edit comment submissions to remove identifying or contact information.

If you are requesting or aggregating comments from other persons for submission to the NRC, then you should inform those persons not to include identifying or contact information that they do not want to be publicly disclosed in their comment submission. Your request should state that the NRC does not routinely edit comment submissions to remove such information before making the comment submissions available to the public or entering the comment submissions into ADAMS.

II. The Petition

Anthony R. Pietrangelo, Vice President, and Chief Nuclear Officer, NEI, submitted a PRM dated June 12, 2014 (ADAMS Accession No. ML14184B120), requesting that the NRC revise its cyber security requirements. Specifically, the petitioner requests that the NRC revise 10 CFR 73.54(a) to ensure the regulation is not overly burdensome for NRC licensees, and adequately protects the public health and safety and common defense and security. The petitioner requests that the NRC promptly initiate rulemaking to resolve this matter. The NRC has determined that the petition meets the threshold sufficiency requirements for a petition for rulemaking under 10 CFR 2.802 “Petition for rulemaking,” and the petition has been docketed as PRM-73-18. The NRC is requesting public comment on the petition for rulemaking.

III. The Petitioner

The petition states that NEI “is responsible for establishing a unified industry position on matters affecting the nuclear energy industry, including the regulatory aspects of generic operational and technical issues.” The petition further states that “NEI member companies are specifically affected by the NRC's cyber security regulations.” The NEI claims it provides a “principal interface between power reactor licensees and the NRC on matters of policy, including cyber security-related policy.”

IV. Discussion of the Petition

The petitioner states that power reactor licensees are required to establish and maintain a physical protection program to protect against the design basis threat of radiological sabotage, and summarizes the physical protection program and the attributes of the design basis threat of radiological sabotage described in 10 CFR 73.1, which include: (1) An external physical assault, (2) an internal threat, (3) a land vehicle bomb assault, (4) a waterborne vehicle bomb assault, and (5) a cyber attack. The petitioner asserts that to prevent radiological sabotage, licensees have well-established programs to identify the set of personnel systems, and equipment that must be protected against the design basis threat in order to prevent significant core damage and spent fuel sabotage.

The petitioner noted that NRC's cyber security requirements, found in 10 CFR 73.54, provide the programmatic requirements to defend against the design basis threat of radiological sabotage through a cyber attack, and that Section 73.54(a)(1) requires licensees to protect certain digital assets against cyber attack even though those digital assets, if compromised, would not adversely impact the systems and equipment necessary to prevent significant core damage and spent fuel sabotage. The petitioner asserts that the current regulations require NRC licensees to protect one set of systems and equipment against the effects of four of the attributes of the design basis threat (physical assault; internal threat; land vehicle bomb assault; waterborne vehicle bomb assault), and a substantially broader set of assets against the fifth design basis threat attribute, cyber attack. Further, the petitioner contends that this regulatory language is inconsistent with both the agency's intent in promulgating the cyber security requirements and the NRC's programmatic requirements to defend against other attributes of the radiological sabotage design basis threat.

The petitioner argues that the language in 10 CFR 73.54(a)(1) unnecessarily diverts NRC licensee attention and resources away from the protection of assets that have a nexus to radiological safety. The petitioner asserts that this provision burdens NRC reactor licensees without providing a commensurate enhancement in the protection of the public health and safety, or plant security. Furthermore, the petitioner claims that for digital assets that do not reasonably require protection against radiological sabotage, the considerable time, resources, and cost needed to protect them against cyber attack is unjustified. In this regard, the petitioner asserts that the current cyber security regulations fail to comply with the Commission's Principles of Good Regulation.

The petitioner states that the industry has brought to the attention of the NRC staff the significant problems created by the current scoping language in 10 CFR 73.54(a), and has determined that revisions to NRC regulations are needed to address this problem. The petitioner further states that implementing the revisions proposed herein will not adversely affect NRC licensees' ability to ensure that public health, safety, and security are being adequately protected.

NEI contends that the change proposed in its petition is the single most important near-term regulatory improvement that can be made in the area of cyber security. The petitioner claims that it would provide a substantial benefit to regulatory clarity and stability by assuring that licensees have protected those assets that, if compromised by a cyber attack, would be inimical to the health and safety of the public.

The complete text of the petition is available for review as described in Section I.A. of this document.

Because the petitioner has satisfied the docketing criteria in 10 CFR 2.802, “Petition for rulemaking,” the NRC has docketed this petition as PRM-73-18. The NRC is reviewing the issues raised by the petitioner to determine whether they should be considered in the NRC's rulemaking process.