[Federal Register Volume 79, Number 183 (Monday, September 22, 2014)]
[Proposed Rules]
[Pages 56525-56526]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-22523]


-----------------------------------------------------------------------

NUCLEAR REGULATORY COMMISSION

10 CFR Part 73

[Docket No. PRM-73-18; NRC-2014-0165]


Protection of Digital Computer and Communication Systems and 
Networks

AGENCY: Nuclear Regulatory Commission.

ACTION: Petition for rulemaking; docketing, and request for comment.

-----------------------------------------------------------------------

SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) has received a 
petition for rulemaking (PRM) from Anthony Pietrangelo, filed on behalf 
of the Nuclear Energy Institute (NEI or the petitioner) on June 12, 
2014. The petitioner requests that the NRC revise its cyber security 
requirements to ensure that its regulations prevent radiological 
sabotage and adequately protect the public health and safety and common 
defense and security. The NRC is requesting public comment on the 
petition for rulemaking.

DATES: Submit comments by December 8, 2014. Comments received after 
this date will be considered if it is practical to do so, but the NRC 
is able to assure consideration only for comments received on or before 
this date.

ADDRESSES: You may submit comments by any of the following methods:
     Federal rulemaking Web site: Go to http://www.regulations.gov and search for Docket ID NRC-2014-0165. Address 
questions about NRC dockets to Carol Gallagher; telephone: 301-492-
3668; email: [email protected]. For technical questions, contact 
the individual listed in the FOR FURTHER INFORMATION CONTACT section of 
this document.
     Email comments to: [email protected]. If you do 
not receive an automatic email reply confirming receipt, then contact 
us at 301-415-1677.
     Fax comments to: Secretary, U.S. Nuclear Regulatory 
Commission at 301-415-1101.
     Mail comments to: Secretary, U.S. Nuclear Regulatory 
Commission, Washington, DC 20555-0001, ATTN: Rulemakings and 
Adjudications Staff.
     Hand deliver comments to: 11555 Rockville Pike, Rockville, 
Maryland 20852, between 7:30 a.m. and 4:15 p.m. (Eastern Time) Federal 
workdays; telephone: 301-415-1677.
    For additional direction on obtaining information and submitting 
comments, see ``Obtaining Information and Submitting Comments'' in the 
SUPPLEMENTARY INFORMATION section of this document.

FOR FURTHER INFORMATION CONTACT: Robert Beall, Office of Nuclear 
Reactor Regulations, U.S. Nuclear Regulatory Commission, Washington, DC 
20555-0001; telephone: 301-415-3874, email: [email protected].

SUPPLEMENTARY INFORMATION: 

I. Obtaining Information and Submitting Comments

A. Obtaining Information

    Please refer to Docket ID NRC-2014-0165 when contacting the NRC 
about the availability of information for this petition for rulemaking. 
You may obtain publicly available information related to this action by 
any of the following methods:
     Federal Rulemaking Web site: Go to http://www.regulations.gov and search for Docket ID NRC-2014-0165.
     NRC's Agencywide Documents Access and Management System 
(ADAMS): You may obtain publicly available documents online in the 
ADAMS Public Documents collection at http://www.nrc.gov/reading-rm/adams.html. To begin the search, select ``ADAMS Public Documents'' and 
then select ``Begin Web-based ADAMS Search.'' For problems with ADAMS, 
please contact the NRC's Public Document Room (PDR) reference staff at 
1-800-397-4209, at 301-415-4737, or by email to [email protected]. 
The Petition to Amend section 73.54 of Title 10 of the Code of Federal 
Regulations (10 CFR), ``Protection of Digital Computer and 
Communication Systems and Networks,'' is available in ADAMS under 
Accession No. ML14184B120.
     NRC's PDR: You may examine and purchase copies of public 
documents at the NRC's PDR, Room O1-F21, One White Flint North, 11555 
Rockville Pike, Rockville, Maryland 20852.

B. Submitting Comments

    Please include Docket ID NRC-2014-0165 in the subject line of your 
comment submission, in order to ensure that the NRC is able to make 
your comment submission available to the public in this docket.
    The NRC cautions you not to include identifying or contact 
information that you do not want to be publicly disclosed in you 
comment submission. The NRC will post all comment

[[Page 56526]]

submissions at http://www.regulations.gov as well as enter the comment 
submissions into ADAMS. The NRC does not routinely edit comment 
submissions to remove identifying or contact information.
    If you are requesting or aggregating comments from other persons 
for submission to the NRC, then you should inform those persons not to 
include identifying or contact information that they do not want to be 
publicly disclosed in their comment submission. Your request should 
state that the NRC does not routinely edit comment submissions to 
remove such information before making the comment submissions available 
to the public or entering the comment submissions into ADAMS.

II. The Petition

    Anthony R. Pietrangelo, Vice President, and Chief Nuclear Officer, 
NEI, submitted a PRM dated June 12, 2014 (ADAMS Accession No. 
ML14184B120), requesting that the NRC revise its cyber security 
requirements. Specifically, the petitioner requests that the NRC revise 
10 CFR 73.54(a) to ensure the regulation is not overly burdensome for 
NRC licensees, and adequately protects the public health and safety and 
common defense and security. The petitioner requests that the NRC 
promptly initiate rulemaking to resolve this matter. The NRC has 
determined that the petition meets the threshold sufficiency 
requirements for a petition for rulemaking under 10 CFR 2.802 
``Petition for rulemaking,'' and the petition has been docketed as PRM-
73-18. The NRC is requesting public comment on the petition for 
rulemaking.

III. The Petitioner

    The petition states that NEI ``is responsible for establishing a 
unified industry position on matters affecting the nuclear energy 
industry, including the regulatory aspects of generic operational and 
technical issues.'' The petition further states that ``NEI member 
companies are specifically affected by the NRC's cyber security 
regulations.'' The NEI claims it provides a ``principal interface 
between power reactor licensees and the NRC on matters of policy, 
including cyber security-related policy.''

IV. Discussion of the Petition

    The petitioner states that power reactor licensees are required to 
establish and maintain a physical protection program to protect against 
the design basis threat of radiological sabotage, and summarizes the 
physical protection program and the attributes of the design basis 
threat of radiological sabotage described in 10 CFR 73.1, which 
include: (1) An external physical assault, (2) an internal threat, (3) 
a land vehicle bomb assault, (4) a waterborne vehicle bomb assault, and 
(5) a cyber attack. The petitioner asserts that to prevent radiological 
sabotage, licensees have well-established programs to identify the set 
of personnel systems, and equipment that must be protected against the 
design basis threat in order to prevent significant core damage and 
spent fuel sabotage.
    The petitioner noted that NRC's cyber security requirements, found 
in 10 CFR 73.54, provide the programmatic requirements to defend 
against the design basis threat of radiological sabotage through a 
cyber attack, and that Section 73.54(a)(1) requires licensees to 
protect certain digital assets against cyber attack even though those 
digital assets, if compromised, would not adversely impact the systems 
and equipment necessary to prevent significant core damage and spent 
fuel sabotage. The petitioner asserts that the current regulations 
require NRC licensees to protect one set of systems and equipment 
against the effects of four of the attributes of the design basis 
threat (physical assault; internal threat; land vehicle bomb assault; 
waterborne vehicle bomb assault), and a substantially broader set of 
assets against the fifth design basis threat attribute, cyber attack. 
Further, the petitioner contends that this regulatory language is 
inconsistent with both the agency's intent in promulgating the cyber 
security requirements and the NRC's programmatic requirements to defend 
against other attributes of the radiological sabotage design basis 
threat.
    The petitioner argues that the language in 10 CFR 73.54(a)(1) 
unnecessarily diverts NRC licensee attention and resources away from 
the protection of assets that have a nexus to radiological safety. The 
petitioner asserts that this provision burdens NRC reactor licensees 
without providing a commensurate enhancement in the protection of the 
public health and safety, or plant security. Furthermore, the 
petitioner claims that for digital assets that do not reasonably 
require protection against radiological sabotage, the considerable 
time, resources, and cost needed to protect them against cyber attack 
is unjustified. In this regard, the petitioner asserts that the current 
cyber security regulations fail to comply with the Commission's 
Principles of Good Regulation.
    The petitioner states that the industry has brought to the 
attention of the NRC staff the significant problems created by the 
current scoping language in 10 CFR 73.54(a), and has determined that 
revisions to NRC regulations are needed to address this problem. The 
petitioner further states that implementing the revisions proposed 
herein will not adversely affect NRC licensees' ability to ensure that 
public health, safety, and security are being adequately protected.
    NEI contends that the change proposed in its petition is the single 
most important near-term regulatory improvement that can be made in the 
area of cyber security. The petitioner claims that it would provide a 
substantial benefit to regulatory clarity and stability by assuring 
that licensees have protected those assets that, if compromised by a 
cyber attack, would be inimical to the health and safety of the public.
    The complete text of the petition is available for review as 
described in Section I.A. of this document.
    Because the petitioner has satisfied the docketing criteria in 10 
CFR 2.802, ``Petition for rulemaking,'' the NRC has docketed this 
petition as PRM-73-18. The NRC is reviewing the issues raised by the 
petitioner to determine whether they should be considered in the NRC's 
rulemaking process.

    Dated at Rockville, Maryland, this 15th day of September, 2014.

    For the Nuclear Regulatory Commission.
Annette L. Vietti-Cook,
Secretary of the Commission.
[FR Doc. 2014-22523 Filed 9-19-14; 8:45 am]
BILLING CODE 7590-01-P