[Federal Register Volume 75, Number 6 (Monday, January 11, 2010)]
[Notices]
[Pages 1416-1418]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-229]


=======================================================================
-----------------------------------------------------------------------

NUCLEAR REGULATORY COMMISSION

[NRC-2010-0007]


Final Memorandum of Understanding Between the U.S. Nuclear 
Regulatory Commission and the North American Electric Reliability 
Corporation

AGENCY: Nuclear Regulatory Commission.

ACTION: Notice.

-----------------------------------------------------------------------

FOR FURTHER INFORMATION CONTACT: Kenneth Miller, Electrical Engineer, 
Electrical Engineering Branch, Division of Engineering, Office of 
Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, 
Washington, DC 20555. Telephone: (301) 415-3152; fax number: (301) 415-
3031; e-mail: [email protected].

SUPPLEMENTARY INFORMATION:

I. Introduction

    This notice is to advise the public of the issuance of a Final 
Memorandum of Understanding (MOU) between the U.S. Nuclear Regulatory 
Commission (NRC) and the North American Electric Reliability 
Corporation (NERC). The purpose of this MOU is to set forth and 
coordinate the roles and responsibilities of each organization as they 
relate to the application of their respective cyber security 
requirements for the protection of digital assets at commercial nuclear 
power plants operating in the USA.

II. Effective Date

    This MOU is effective December 30, 2009.

III. Further Information

    Documents related to this action are available electronically at 
the NRC's Electronic Reading Room at http://www.nrc.gov/reading-rm/adams.html. 
From this site, you can access the NRC's Agencywide 
Documents Access and Management System (ADAMS), which provides text and 
image files of NRC's public documents. The ADAMS accession number for 
the document related to this notice is: Memorandum of Understanding 
between the NRC and NERC ML093510905. If you do not have access to 
ADAMS or if there are problems in accessing the documents located in 
ADAMS, contact the NRC Public Document Room (PDR) Reference staff at 1-
800-397-4209, 301-415-4737 or by e-mail to [email protected].
    These documents may also be viewed electronically on the public 
computers located at the NRC's Public Document Room (PDR), O 1 F21, One 
White Flint North, 11555 Rockville Pike, Rockville, MD 20852. The PDR 
reproduction contractor will copy documents for a fee.

    Dated at Rockville, Maryland this 5th day of January, 2010.

    For the Nuclear Regulatory Commission.
George A Wilson,
Chief, Electrical Engineering Branch, Division of Engineering, Office 
of Nuclear Reactor Regulation.

Memorandum of Understanding Between the U.S. Nuclear Regulatory 
Commission and the North American Electric Reliability Corporation

I. Purpose

    1. This Memorandum of Understanding (MOU) is entered into by the 
U.S. Nuclear Regulatory Commission (NRC) and the North American 
Electric Reliability Corporation (NERC) (hereafter ``Party'' or 
``Parties'').
    2. Consistent with their statutory authority and regulations, 
the NRC and NERC each have responsibility for establishing and 
enforcing cyber security requirements at commercial nuclear power 
plants operating in the United States of America (USA). The NRC's 
primary focus is on the prevention of radiological sabotage (i.e., 
significant core damage) that could result in harm to public health 
and safety or the environment or have an adverse impact upon the 
common defense and security of the USA. NERC's primary focus is on 
the reliability of the bulk power system (BPS). It accomplishes this 
in part by enforcing compliance with applicable NERC Reliability 
Standards, including, but not limited to, the Critical 
Infrastructure Protection (CIP) Reliability Standards.
    3. The purpose of this MOU is to set forth and coordinate the 
roles and responsibilities of each organization as they relate to 
the application of their respective cyber security requirements for 
the protection of digital assets at commercial nuclear power plants 
operating in the USA. This cooperation will ensure that the common 
responsibilities of each organization are achieved in the most 
efficient and effective manner without diminishing or interfering 
with their respective responsibilities and authorities. The goal of 
this cooperation is to maintain the safety and security of 
commercial nuclear power plants operating in the USA while 
optimizing the reliability of the BPS to the maximum extent 
possible.
    4. This memorandum supplements an existing Memorandum of 
Agreement (MOA) between the NRC and NERC dated July 10, 2007.

II. Roles and Responsibilities

    1. NRC:
    a. The NRC has statutory responsibility for licensing and 
regulating commercial nuclear facilities operating in the USA as 
well as the civilian use of byproduct, source, and special nuclear 
materials in order to protect public health and safety, promote the 
common defense and security, and protect the environment. Public Law 
93-438, 88 Stat. 1233 (42 U.S.C. 5801 et seq.).
    b. The NRC carries out its statutory responsibilities by 
promulgating regulations and issuing licenses, certificates and 
orders for commercial nuclear power plants and other nuclear 
facilities and materials in the USA.
    c. The NRC has issued orders and promulgated regulations 
imposing cyber security requirements on commercial nuclear power 
plants under its jurisdiction. Portions of these facilities also 
fall under the concurrent jurisdiction of NERC's CIP reliability 
standards.
    d. The NRC's cyber security regulations set forth at 10 CFR 
73.54 govern digital systems and networks that can affect commercial 
nuclear power reactor safety, security, and emergency preparedness 
functions. Those regulations do not govern systems within nuclear 
facilities, such as those related to continuity of power that could 
not have an adverse impact on safety, security, or emergency 
preparedness functions.
    2. NERC:
    a. NERC has statutory responsibility for improving the 
reliability and security of the BPS in the United States. NERC 
conducts equivalent activities in Canada. NERC's authority and 
jurisdiction in the USA is set forth in the Federal Power Act 
pursuant to Title XII of the Energy Policy Act of 2005, FERC's 
implementing regulations at 18 CFR Part 39, and applicable FERC 
Orders, including but not limited to, the Electric Reliability 
Organization (ERO) Certification Order, Order Nos. 672, 693, 706 and 
706-B. NERC is a not-for-profit, self-regulatory corporation.
    b. NERC develops and enforces reliability standards; monitors 
the BPS; analyzes BPS events; assesses the adequacy of the BPS 
annually via a 10-year forecast and winter and summer forecasts; 
audits owners, operators, and users of the BPS; and educates and 
trains industry personnel.

III. NRC/NERC Consultations on the FERC Order 706-B Exception Process

    1. On January 18, 2008, FERC issued Order No. 706 imposing eight 
NERC-developed cyber security CIP reliability standards on BPS 
owners, operators, and users. This Order exempted facilities 
regulated by the NRC from compliance with NERC's CIP standards.
    2. On March 19, 2009, FERC issued Order No. 706-B, significantly 
narrowing the nuclear facilities exemptions from NERC's CIP 
standards in order to ensure comprehensive cyber security protection 
of appropriate digital assets at nuclear power plants. Order No. 
706-B allows nuclear facilities to seek exceptions from NERC's CIP 
standards on a case-by-case basis for those digital assets subject 
to the NRC's cyber security requirements.
    3. The NRC and NERC agree to cooperate regarding NERC's 
disposition of exception requests received from nuclear facilities 
subject to NERC's CIP standards. NERC
agrees to consult with the NRC on each request for an exception from 
NERC's CIP standards that NERC receives from a nuclear facility also 
regulated by the NRC. This cooperation and consultation will 
facilitate the proper characterization of digital assets as subject 
to either the NRC's cyber security requirements or NERC's CIP 
standards.

IV. Cyber Security Inspection Protocol

    1. The NRC has regulatory responsibility for inspecting those 
digital assets, including digital control and data acquisition 
systems and networks, which can affect safety, security, and 
emergency preparedness functions of a nuclear power plant. The NRC 
will inspect such systems to ensure compliance with the NRC's cyber 
security requirements.
    2. The NRC does not have regulatory responsibility to inspect 
those digital assets unrelated to the safety, security or emergency 
preparedness functions of a nuclear power plant, such as those 
digital control and data acquisition systems related to continuity 
of power, unless those systems can have an adverse impact on safety, 
security, or emergency preparedness functions.
    3. NERC has regulatory responsibility for inspecting digital 
assets related to continuity of power for compliance with NERC's CIP 
standards.
    4. The NRC and NERC agree to share any information discovered 
during the course of their respective inspections that they believe 
may be relevant to or have an adverse impact on any digital asset 
governed by the other Party's cyber security requirements.
    5. The NRC and NERC agree to consult and coordinate to the 
maximum extent practicable on the process for conducting inspections 
to carry out activities contemplated under this MOU.

V. Information Sharing

    1. The NRC and NERC recognize that the sharing of relevant 
information between the Parties may be necessary to implement the 
provisions of this MOU. Consistent with applicable laws and 
regulations, the NRC and NERC support the sharing of all information 
necessary to carry out the intent of this MOU. Accordingly, all 
relevant information will be shared with the other Party in a timely 
manner so that each Party can take appropriate action.
    2. The NRC and NERC recognize that this MOU may require the 
sharing of sensitive information up to and including Safeguards 
Information (SGI) as defined in 10 CFR 73.2. The NRC and NERC agree 
to protect sensitive information received from the other party in 
accordance with all applicable laws and requirements, including all 
requirements governing access to and protection of SGI. NERC further 
agrees that it will not transmit any SGI received from the NRC to 
any third party, except for its Regional Entities pursuant to V.4 
below, without the written consent of the NRC.
    3. NERC agrees to adhere to procedures governing the sharing, 
possession and handling of SGI under this MOU in accordance with the 
Appendix to this MOU, entitled, ``Procedures Governing Access to and 
Possession of Safeguards Information.'' NERC further agrees to 
develop, implement, and maintain an SGI program in accordance with 
applicable requirements and the Appendix to this MOU.
    4. NRC and NERC recognize that NERC has delegated, by contract, 
certain authority to eight Regional Entities to assist NERC in 
carrying out NERC's compliance and enforcement program and that it 
may be necessary for NERC to share certain sensitive information 
with those Regional Entities in the process of carrying out the 
compliance and enforcement program. With respect to access to and 
protection of SGI, those eight Regional Entities will be considered 
to be contractors of NERC. NERC agrees that it will adhere to the 
procedures governing the sharing, possession and handling of SGI in 
accordance with the Appendix to this MOU entitled, ``Procedures 
Governing Access to and Possession of Safeguards Information'' for 
any SGI to which Regional Entities are given access.

VI. Enforcement Actions

    1. Nothing in this MOU is intended to limit the authority of the 
NRC or NERC to take enforcement action consistent with their 
statutory authority and regulations.
    2. The NRC and NERC agree that the NRC will have sole 
responsibility for taking enforcement action because of a violation 
involving a digital asset subject to the NRC's cyber security 
requirements. The NRC shall inform NERC of any enforcement actions 
that it plans to take as a result of a violation of NRC cyber 
security requirements.
    3. The NRC and NERC agree that NERC will have sole 
responsibility for taking enforcement action because of a violation 
involving a digital asset subject to NERC's CIP standards. NERC 
shall inform the NRC of any enforcement actions that it plans to 
take as a result of a violation of NERC's CIP standards.
    4. In those situations where a cyber security incident at a 
nuclear power plant results in violations of both the NRC's and 
NERC's requirements, the NRC and NERC agree to consult and 
coordinate on any enforcement actions to be taken.
    5. If NERC considers imposing remedial action directives or 
sanctions on a nuclear power plant, NERC agrees to consult in 
advance with the NRC to ensure that the proposed action will not 
adversely affect nuclear safety, security or emergency preparedness.
    6. The NRC and NERC agree to coordinate on any public 
announcements of enforcement actions taken as a result of any 
violation of their respective cyber security requirements.

VII. Points of Contact

    The following are designated points of contact for carrying out 
the routine administration of matters arising under this MOU:
    1. The resolution of policy issues concerning organizational 
jurisdiction and operational relations will be coordinated by the 
NRC's Executive Director for Operations and NERC's Chief Executive 
Officer. Appropriate points of contact will be established.
    2. The NRC's Office of Enforcement (OE) and NERC's Compliance 
Department shall coordinate the resolution of issues involving 
enforcement actions taken by one or both parties at an NRC-licensed 
nuclear power plant. Appropriate OE and Compliance Program points of 
contact will be established.

VIII. Administrative Matters

    1. This MOU shall become effective upon signing by all of the 
Parties and shall remain in effect for five years from the date of 
signing unless terminated in accordance with the procedures set 
forth below.
    2. This MOU may be modified or amended by written mutual 
agreement of the Parties.
    3. Any Party may terminate this MOU by providing written notice 
of its intent to terminate the MOU to the other Party at least 180 
days in advance of the effective date of termination.
    4. This MOU shall not be construed to be or create a private 
right of action for or by any person or entity.
    5. This MOU does not commit or obligate appropriated funds. All 
activities undertaken to implement any responsibilities carried out 
pursuant to this MOU shall be subject to the availability of 
appropriated funds.
    6. If any provision(s) of this MOU, or the application of any 
provision(s) to any person or entity, is held to be invalid, the 
remainder of this MOU and the application of any remaining 
provision(s) to any person or entity shall not be affected.

    For the Nuclear Regulatory Commission.

    Dated: December 30, 2009.

/RA Martin Virgilio for/

R. W. Borchardt,
Executive Director for Operations.

    For the North American Electric Reliability Corporation.

    Dated: December 30, 2009.

Rick Sergel,
Chief Executive Officer and President.

Appendix

Procedures Governing Access to and Possession of Safeguards Information

    It is possible that both the NRC and NERC may require access to 
Safeguards Information (SGI) to carry out their respective 
responsibilities under this Memorandum of Understanding (MOU). The 
NRC has promulgated detailed regulations in 10 CFR Part 73 governing 
access to and the handling of SGI. The definition of SGI is set 
forth at 10 CFR 73.2. This Appendix sets forth general principles 
and procedures governing access to and the handling of SGI for 
purposes of carrying out this MOU. To the extent that any of the 
principles and procedures set forth in this Appendix conflict with 
the requirements set forth in 10 CFR Part 73, the NRC and NERC agree 
that the regulatory requirements set forth in Part 73 shall take 
precedence over this MOU.
    SGI is a special category of sensitive unclassified information 
protected from unauthorized disclosure under Section 147 of the 
Atomic Energy Act of 1954 (AEA), as amended. Although SGI is 
sensitive unclassified information, it is handled and protected more 
like Classified National
Security Information than like other sensitive unclassified 
information. Information designated as SGI must be withheld from 
public disclosure and must be physically controlled and protected to 
prevent any unauthorized disclosure. The requirements set forth in 
10 CFR Part 73 apply to any person, whether or not a licensee of the 
NRC, who produces, receives or acquires SGI.
    All persons who have or have had access to SGI have a continuing 
obligation to protect SGI in order to prevent its inadvertent 
release and/or unauthorized disclosure. Violations of SGI handling 
and protection requirements, including the unauthorized disclosure 
of SGI, may result in the imposition of applicable civil and 
criminal penalties.

Information To Be Protected as Safeguards Information

    Any documents provided to NERC by NRC that contain SGI will be 
designated in accordance with 10 CFR 73.22. Documents developed by 
NERC that contain SGI must also be designated and protected as SGI 
in accordance with 10 CFR 73.22. The NRC and NERC agree to comply 
with the requirements for protecting all information designated as 
SGI as set forth in 10 CFR 73.22(a).

Access to Safeguards Information

    Generally, no person may have access to SGI unless the person 
has an established ``need to know'' for the information and has been 
determined to be ``trustworthy and reliable.'' Typically, a 
determination of trustworthiness and reliability is based upon a 
background check, including at a minimum, a Federal Bureau of 
Investigation (FBI) criminal history records check (including 
verification of identity based on fingerprinting), employment 
history, education and personal references. The terms ``background 
check,'' ``need to know'' and ``trustworthy and reliable'' are 
defined in 10 CFR 73.2. The NRC and NERC agree to comply with the 
requirements for access to SGI set forth in 10 CFR 73.22(b) and 10 
CFR 73.57.

Reviewing Official

    The determination that a NERC employee, consultant or contractor 
has a need for access to SGI (established ``need to know'' and is 
``trustworthy and reliable'') must initially be made by an 
individual already authorized access to SGI. Accordingly, the NRC 
and NERC agree to implement the following procedures for granting 
NERC employees, consultants and contractors access to SGI for the 
purpose of carrying out this MOU.
    NERC shall submit the name and fingerprints of at least one 
individual to the NRC who NERC has determined to be trustworthy and 
reliable and has a need to know SGI. NERC's trustworthiness and 
reliability determination shall be based, at a minimum, on all 
elements of a background check except for each individual's criminal 
history record. The NRC will conduct a criminal history record check 
based on each individual's fingerprints. Based upon the outcome of 
the criminal history record check, the NRC shall determine if the 
individual (or individuals if more than one name is submitted and 
approved) may have access to SGI and can serve as a reviewing 
official under this MOU. Upon approval by the NRC, this individual 
(or individuals if more than one name is submitted and approved) may 
serve as a reviewing official authorized to make SGI access 
authorization determinations for other NERC employees, consultants 
and contractors.
    Individuals possessing an active Federal security clearance 
require no additional fingerprinting or background check for access 
to SGI, as this clearance meets the fingerprinting requirement and 
other elements of the background check, as prescribed in 10 CFR 
73.22(b)(1). Such individuals must still meet the need to know 
requirement for access to SGI. However, when relying upon an 
existing active Federal security clearance to meet the SGI access 
requirements (except for the need to know determination), NERC 
should obtain and maintain a record of official notification stating 
that the individual possesses such a clearance.
    Only NRC-approved reviewing officials shall be authorized to 
make SGI access determinations for other individuals who have been 
identified by NERC as having a need to know SGI. The reviewing 
official shall be responsible for determining that these individuals 
have a ``need to know'' for access to SGI to carry out their 
official duties under this MOU and for determining that these 
individuals are trustworthy and reliable. The reviewing official's 
determination of trustworthiness and reliability shall be based upon 
an adequate background check, including, at a minimum, an FBI 
criminal history records check and fingerprinting. The reviewing 
official can only make SGI access determinations for other 
individuals, but cannot approve other individuals to act as 
reviewing officials.
    NERC agrees that the reviewing official shall maintain secure 
and adequate records of each SGI access authorization determination. 
Such records shall be available to the NRC for inspection upon 
request.

Protection of Safeguards Information While in Use or Storage

    SGI must be adequately protected while in use or storage to 
prevent its unauthorized release or disclosure. The NRC and NERC 
agree to comply with the requirements for protection of SGI while in 
use or storage set forth in 10 CFR 73.22(c).

Preparation and Marking of Documents or Other Matter

    Documents and other matter must be prepared and conspicuously 
marked as SGI to ensure against unauthorized release or disclosure. 
The NRC and NERC agree to comply with the requirements for 
preparation and marking of documents and other material as set forth 
in 10 CFR 73.22(d).

Reproduction of Matter Containing Safeguards Information

    SGI may be reproduced to the minimum extent necessary consistent 
with need without permission of the originator. The NRC and NERC 
agree to comply with the requirements for reproduction of documents 
and other material containing SGI as set forth in 10 CFR 73.22(e).

External Transmission of Documents and Material

    Documents or other matter containing SGI when transmitted 
outside an authorized place of use or storage shall be enclosed in 
two sealed envelopes or wrappers and must not bear any markings or 
indication that the document contains SGI. The NRC and NERC agree to 
comply with the requirements for the external transmission of 
documents and other material containing SGI as set forth in 10 CFR 
73.22(f).

Processing of Safeguards Information on Electronic Systems

    SGI may not be transmitted by unprotected telecommunications 
circuits except under emergency or extraordinary conditions. SGI 
must be processed or produced on an electronic system that ensures 
the integrity of the information and prevents the unauthorized 
release or disclosure of SGI. The NRC and NERC agree to comply with 
the requirements for the processing of SGI on electronic systems as 
set forth in 10 CFR 73.22(g).

Removal from Safeguards Information Category

    Documents containing SGI shall be removed from the SGI category 
(decontrolled) only after the NRC determines that the information no 
longer meets the criteria for designation as SGI. Organizations have 
the authority to make determinations that specific documents which 
they created no longer contain SGI and may be decontrolled. The NRC 
and NERC agree to comply with the requirements for removing 
information from the SGI category as set forth in 10 CFR 73.22(h).

Destruction of Matter Containing Safeguards Information

    Documents containing SGI should be destroyed when no longer 
needed. The NRC and NERC agree to comply with the requirements for 
the destruction of documents and other material containing SGI as 
set forth in 10 CFR 73.22(i).

[FR Doc. 2010-229 Filed 1-8-10; 8:45 am]
BILLING CODE 7590-01-P