[Federal Register Volume 79, Number 183 (Monday, September 22, 2014)]
[Proposed Rules]
[Pages 56525-56526]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-22523]
-----------------------------------------------------------------------
NUCLEAR REGULATORY COMMISSION
10 CFR Part 73
[Docket No. PRM-73-18; NRC-2014-0165]
Protection of Digital Computer and Communication Systems and
Networks
AGENCY: Nuclear Regulatory Commission.
ACTION: Petition for rulemaking; docketing, and request for comment.
-----------------------------------------------------------------------
SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) has received a
petition for rulemaking (PRM) from Anthony Pietrangelo, filed on behalf
of the Nuclear Energy Institute (NEI or the petitioner) on June 12,
2014. The petitioner requests that the NRC revise its cyber security
requirements to ensure that its regulations prevent radiological
sabotage and adequately protect the public health and safety and common
defense and security. The NRC is requesting public comment on the
petition for rulemaking.
DATES: Submit comments by December 8, 2014. Comments received after
this date will be considered if it is practical to do so, but the NRC
is able to assure consideration only for comments received on or before
this date.
ADDRESSES: You may submit comments by any of the following methods:
Federal rulemaking Web site: Go to http://www.regulations.gov and search for Docket ID NRC-2014-0165. Address
questions about NRC dockets to Carol Gallagher; telephone: 301-492-
3668; email: [email protected]. For technical questions, contact
the individual listed in the FOR FURTHER INFORMATION CONTACT section of
this document.
Email comments to: [email protected]. If you do
not receive an automatic email reply confirming receipt, then contact
us at 301-415-1677.
Fax comments to: Secretary, U.S. Nuclear Regulatory
Commission at 301-415-1101.
Mail comments to: Secretary, U.S. Nuclear Regulatory
Commission, Washington, DC 20555-0001, ATTN: Rulemakings and
Adjudications Staff.
Hand deliver comments to: 11555 Rockville Pike, Rockville,
Maryland 20852, between 7:30 a.m. and 4:15 p.m. (Eastern Time) Federal
workdays; telephone: 301-415-1677.
For additional direction on obtaining information and submitting
comments, see ``Obtaining Information and Submitting Comments'' in the
SUPPLEMENTARY INFORMATION section of this document.
FOR FURTHER INFORMATION CONTACT: Robert Beall, Office of Nuclear
Reactor Regulations, U.S. Nuclear Regulatory Commission, Washington, DC
20555-0001; telephone: 301-415-3874, email: [email protected].
SUPPLEMENTARY INFORMATION:
I. Obtaining Information and Submitting Comments
A. Obtaining Information
Please refer to Docket ID NRC-2014-0165 when contacting the NRC
about the availability of information for this petition for rulemaking.
You may obtain publicly available information related to this action by
any of the following methods:
Federal Rulemaking Web site: Go to http://www.regulations.gov and search for Docket ID NRC-2014-0165.
NRC's Agencywide Documents Access and Management System
(ADAMS): You may obtain publicly available documents online in the
ADAMS Public Documents collection at http://www.nrc.gov/reading-rm/adams.html. To begin the search, select ``ADAMS Public Documents'' and
then select ``Begin Web-based ADAMS Search.'' For problems with ADAMS,
please contact the NRC's Public Document Room (PDR) reference staff at
1-800-397-4209, at 301-415-4737, or by email to [email protected].
The Petition to Amend section 73.54 of Title 10 of the Code of Federal
Regulations (10 CFR), ``Protection of Digital Computer and
Communication Systems and Networks,'' is available in ADAMS under
Accession No. ML14184B120.
NRC's PDR: You may examine and purchase copies of public
documents at the NRC's PDR, Room O1-F21, One White Flint North, 11555
Rockville Pike, Rockville, Maryland 20852.
B. Submitting Comments
Please include Docket ID NRC-2014-0165 in the subject line of your
comment submission, in order to ensure that the NRC is able to make
your comment submission available to the public in this docket.
The NRC cautions you not to include identifying or contact
information that you do not want to be publicly disclosed in you
comment submission. The NRC will post all comment
[[Page 56526]]
submissions at http://www.regulations.gov as well as enter the comment
submissions into ADAMS. The NRC does not routinely edit comment
submissions to remove identifying or contact information.
If you are requesting or aggregating comments from other persons
for submission to the NRC, then you should inform those persons not to
include identifying or contact information that they do not want to be
publicly disclosed in their comment submission. Your request should
state that the NRC does not routinely edit comment submissions to
remove such information before making the comment submissions available
to the public or entering the comment submissions into ADAMS.
II. The Petition
Anthony R. Pietrangelo, Vice President, and Chief Nuclear Officer,
NEI, submitted a PRM dated June 12, 2014 (ADAMS Accession No.
ML14184B120), requesting that the NRC revise its cyber security
requirements. Specifically, the petitioner requests that the NRC revise
10 CFR 73.54(a) to ensure the regulation is not overly burdensome for
NRC licensees, and adequately protects the public health and safety and
common defense and security. The petitioner requests that the NRC
promptly initiate rulemaking to resolve this matter. The NRC has
determined that the petition meets the threshold sufficiency
requirements for a petition for rulemaking under 10 CFR 2.802
``Petition for rulemaking,'' and the petition has been docketed as PRM-
73-18. The NRC is requesting public comment on the petition for
rulemaking.
III. The Petitioner
The petition states that NEI ``is responsible for establishing a
unified industry position on matters affecting the nuclear energy
industry, including the regulatory aspects of generic operational and
technical issues.'' The petition further states that ``NEI member
companies are specifically affected by the NRC's cyber security
regulations.'' The NEI claims it provides a ``principal interface
between power reactor licensees and the NRC on matters of policy,
including cyber security-related policy.''
IV. Discussion of the Petition
The petitioner states that power reactor licensees are required to
establish and maintain a physical protection program to protect against
the design basis threat of radiological sabotage, and summarizes the
physical protection program and the attributes of the design basis
threat of radiological sabotage described in 10 CFR 73.1, which
include: (1) An external physical assault, (2) an internal threat, (3)
a land vehicle bomb assault, (4) a waterborne vehicle bomb assault, and
(5) a cyber attack. The petitioner asserts that to prevent radiological
sabotage, licensees have well-established programs to identify the set
of personnel systems, and equipment that must be protected against the
design basis threat in order to prevent significant core damage and
spent fuel sabotage.
The petitioner noted that NRC's cyber security requirements, found
in 10 CFR 73.54, provide the programmatic requirements to defend
against the design basis threat of radiological sabotage through a
cyber attack, and that Section 73.54(a)(1) requires licensees to
protect certain digital assets against cyber attack even though those
digital assets, if compromised, would not adversely impact the systems
and equipment necessary to prevent significant core damage and spent
fuel sabotage. The petitioner asserts that the current regulations
require NRC licensees to protect one set of systems and equipment
against the effects of four of the attributes of the design basis
threat (physical assault; internal threat; land vehicle bomb assault;
waterborne vehicle bomb assault), and a substantially broader set of
assets against the fifth design basis threat attribute, cyber attack.
Further, the petitioner contends that this regulatory language is
inconsistent with both the agency's intent in promulgating the cyber
security requirements and the NRC's programmatic requirements to defend
against other attributes of the radiological sabotage design basis
threat.
The petitioner argues that the language in 10 CFR 73.54(a)(1)
unnecessarily diverts NRC licensee attention and resources away from
the protection of assets that have a nexus to radiological safety. The
petitioner asserts that this provision burdens NRC reactor licensees
without providing a commensurate enhancement in the protection of the
public health and safety, or plant security. Furthermore, the
petitioner claims that for digital assets that do not reasonably
require protection against radiological sabotage, the considerable
time, resources, and cost needed to protect them against cyber attack
is unjustified. In this regard, the petitioner asserts that the current
cyber security regulations fail to comply with the Commission's
Principles of Good Regulation.
The petitioner states that the industry has brought to the
attention of the NRC staff the significant problems created by the
current scoping language in 10 CFR 73.54(a), and has determined that
revisions to NRC regulations are needed to address this problem. The
petitioner further states that implementing the revisions proposed
herein will not adversely affect NRC licensees' ability to ensure that
public health, safety, and security are being adequately protected.
NEI contends that the change proposed in its petition is the single
most important near-term regulatory improvement that can be made in the
area of cyber security. The petitioner claims that it would provide a
substantial benefit to regulatory clarity and stability by assuring
that licensees have protected those assets that, if compromised by a
cyber attack, would be inimical to the health and safety of the public.
The complete text of the petition is available for review as
described in Section I.A. of this document.
Because the petitioner has satisfied the docketing criteria in 10
CFR 2.802, ``Petition for rulemaking,'' the NRC has docketed this
petition as PRM-73-18. The NRC is reviewing the issues raised by the
petitioner to determine whether they should be considered in the NRC's
rulemaking process.
Dated at Rockville, Maryland, this 15th day of September, 2014.
For the Nuclear Regulatory Commission.
Annette L. Vietti-Cook,
Secretary of the Commission.
[FR Doc. 2014-22523 Filed 9-19-14; 8:45 am]
BILLING CODE 7590-01-P