[Federal Register Volume 80, Number 211 (Monday, November 2, 2015)]
[Rules and Regulations]
[Pages 67264-67277]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-27855]
=======================================================================
-----------------------------------------------------------------------
NUCLEAR REGULATORY COMMISSION
10 CFR Part 73
[NRC-2014-0036]
RIN 3150-AJ37
Cyber Security Event Notifications
AGENCY: Nuclear Regulatory Commission.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is adopting new
cyber security regulations that govern nuclear power reactor licensees.
This final rule codifies certain reporting activities associated with
cyber security events contained in security advisories issued by the
NRC. This rule establishes new cyber security event notification
requirements that contribute to the NRC's analysis of the reliability
and effectiveness of licensees' cyber security programs and play an
important role in the continuing effort to provide high assurance that
digital computer and communication systems and networks are adequately
protected against cyber attacks, up to and including the design basis
threat.
DATES: Effective Date: This final rule is effective December 2, 2015.
Compliance Date: Compliance with this final rule is required by May 2,
2016, for those licensed to operate under parts 50 and 52 of Title 10
of the Code of Federal Regulations (10 CFR) and subject to Sec. 73.54.
ADDRESSES: Please refer to Docket ID NRC-2014-0036 when contacting the
NRC about the availability of information for this action. You may
obtain publicly-available information related to this action by any of
the following methods:
Federal Rulemaking Web site: Go to http://www.regulations.gov and search for Docket ID NRC-2014-0036. Address
questions about NRC dockets to Carol Gallagher; telephone: 301-415-3463;
email: [email protected]. For technical questions, contact
the individuals listed in the FOR FURTHER INFORMATION CONTACT section
of this document.
NRC's Agencywide Documents Access and Management
System (ADAMS): You may obtain publicly-available documents online in
the ADAMS Public Documents collection at http://www.nrc.gov/reading-rm/adams.html. To begin the search, select ``ADAMS Public Documents'' and
then select ``Begin Web-based ADAMS Search.'' For problems with ADAMS,
please contact the NRC's Public Document Room (PDR) reference staff at
1-800-397-4209, 301-415-4737, or by email to [email protected]. The
ADAMS accession number for each document referenced (if it is available
in ADAMS) is provided the first time that it is mentioned in the
SUPPLEMENTARY INFORMATION section.
NRC's PDR: You may examine and purchase copies
of public documents at the NRC's PDR, Room O1-F21, One White Flint
North, 11555 Rockville Pike, Rockville, Maryland 20852.
FOR FURTHER INFORMATION CONTACT: Robert H. Beall, Office of Nuclear
Reactor Regulation, telephone: 301-415-3874, email:
[email protected], U.S. Nuclear Regulatory Commission, Washington,
DC 20555-0001.
SUPPLEMENTARY INFORMATION:
Table of Contents:
I. Background
II. Discussion
III. Opportunities for Public Participation
IV. Public Comment Analysis
V. Section-by-Section Analysis
VI. Regulatory Flexibility Certification
VII. Regulatory Analysis
VIII. Backfitting and Issue Finality
IX. Cumulative Effects of Regulation
X. Plain Writing
XI. Environmental Assessment and Final Finding of No Significant
Environmental Impact
XII. Paperwork Reduction Act
XIII. Congressional Review Act
XIV. Criminal Penalties
XV. Compatibility of Agreement State Regulations
XVI. Availability of Guidance
XVII. Availability of Documents
I. Background
On July 9, 2008, in SECY-08-0099, ``Final Rulemaking--Power Reactor
Security Requirements'' (Agencywide Documents Access and Management
System (ADAMS) Accession No. ML081650474), the NRC staff recommended
the Commission approve a final rule amending the NRC's Power Reactor
Security Requirements. The NRC staff also recommended removing sections
in the Power Reactor Security Requirements rule on new and revised
security notification requirements in Sec. 73.71 and appendix G of
part 73 of title 10 of the Code of Federal Regulations (10 CFR),
``Reportable
Safeguards Events,'' and placing them in a new proposed enhanced
weapons rulemaking. In SRM-SECY-08-099, dated December 17, 2008 (ADAMS
Accession No. ML083520252), the Commission approved the Power Reactor
Security final rule and the bifurcation of the security notification
requirements in Sec. 73.71 and appendix G to 10 CFR part 73 to the new
proposed enhanced weapons rule.
On June 27, 2010, in SECY-10-0085, ``Proposed Rule: Enhanced
Weapons, Firearms Background Checks and Security Event Notifications''
(ADAMS Accession No. ML101110121), the NRC staff recommended delegating
to the Office of the Executive Director for Operations the authority to
issue new cyber security notification changes in the proposed enhanced
weapons rule for publication in the Federal Register, as well as issue
draft implementing guidance on the proposed rule. On October 19, 2010,
in SRM-SECY-10-0085, ``Proposed Rule: Enhanced Weapons, Firearms
Background Checks and Security Event Notifications'' (ADAMS Accession
No. ML102920342), the Commission directed the NRC staff to publish a
proposed rule implementing requirements for enhanced weapons, revised
physical security event notifications, and adding new cyber security
event notifications. This proposed rule was published in the Federal
Register for comment on February 3, 2011 (76 FR 6199). The public was
provided a total of 180 days to review and comment on the proposed rule
and associated guidance.
In SECY-12-0125, ``Interim Actions to Execute Commission Preemption
Authority Under Section 161A of the Atomic Energy Act of 1954, as
Amended,'' dated September 20, 2012 (ADAMS Accession No. ML12171A089),
the NRC staff reported their discussions with the U.S. Department of
Justice on the need to revise the Firearms Guidelines to limit the
firearms background check requirement to only licensees that apply for
preemption authority. Subsequently in SRM--SECY-12-0125, dated November
12, 2012 (ADAMS Accession No. ML12326A653), the Commission directed the
NRC staff to revise the Firearms Guidelines accordingly, and publish a
supplemental proposed enhanced weapons rule for public comment as soon
as possible.
On December 20, 2013, in COMSECY-13-0031, ``Bifurcation of the
Enhanced Weapons, Firearms Background Checks, and Security Event
Notifications Rule'' (ADAMS Accession No. ML13280A366), the NRC staff
informed the Commission of its plan to bifurcate the cyber security
event notifications from the Enhanced Weapons rule due to delays
resulting from the Firearms Guidelines revision. The bifurcation would
allow the NRC staff to prepare a separate final rule for cyber security
event notifications, therefore avoiding any further delay associated
with the aforementioned Firearms Guidelines revision. In addition, this
action would supplement the existing cyber security requirements (i.e.,
Sec. 73.54, ``Protection of Digital Computer and Communication Systems
and Networks'') included in the 2009 power reactor security rule (76 FR
6199; February 3, 2011).
As part of the 2011 proposed enhanced weapons rule, the NRC
received comments on the proposed cyber security event notification
requirements. Changes between the proposed rule and this final cyber
security event notifications rule reflect those public comments.
Additionally, Draft Regulatory Guide (DG)-5019, Revision 1, ``Reporting
and Recording Safeguards Events'' (ADAMS Accession No. ML100830413),
was published for public comment on February 3, 2011 (76 FR 6085). The
portions of the DG related to cyber security event notifications were
also separated out from the original draft guide, and are now included
in a new final regulatory guide (RG) (RG 5.83, ``Cyber Security Event
Notifications,'' ADAMS Accession No. ML14269A388). Changes between
DG-5019, Revision 1, and RG 5.83 reflect public comment. This approach
(i.e., publish draft guidance with proposed rules and final guidance
with final rules) is consistent with the agency's efforts to
incorporate enhancements in the rulemaking process to address
Cumulative Effects of Regulation (CER), as approved by SRM--SECY-0032,
``Consideration of the Cumulative Effects of Regulation in the
Rulemaking Process,'' dated October 11, 2011 (ADAMS Accession No.
ML112840466).
II. Discussion
The NRC is adding cyber security event notification requirements
for nuclear power reactor facilities. These additions are necessary
because cyber security event notification requirements were not
included in the NRC's final rule that added Sec. 73.54, ``Protection
of Digital Computer and Communication Systems and Networks,'' to the
NRC's regulations (74 FR 13926; March 27, 2009). Section 73.54 requires
power reactor licensees to establish and maintain a cyber security
program that provides high assurance that digital computer and
communication systems and networks are adequately protected against
cyber attacks, up to and including the design basis threat as described
in Sec. 73.1. Cyber security event notification requirements will
contribute to the NRC's analysis of the reliability and effectiveness
of licensees' cyber security programs and play an important role in the
continuing effort to protect digital computer and communication systems
and networks associated with: Safety-related and important-to-safety
functions; security functions; emergency preparedness functions, to
include offsite communications; and support systems and equipment
which, if compromised, would adversely impact safety, security, and
emergency preparedness (SSEP) functions. Notifications conducted and
written reports generated by licensees will be used by the NRC to
respond to emergencies, monitor ongoing events, assess trends and
patterns, identify precursors of more significant events, and inform
other NRC licensees of cyber security-related events, enabling them to
take preemptive actions, if necessary (e.g., increase their security
posture). In addition, timely notifications assist the NRC in achieving
its strategic communications mission by informing the U.S. Department
of Homeland Security (DHS) and Federal intelligence and law enforcement
agencies of cyber security-related events that could: (1) Endanger
public health and safety or the common defense and security, (2)
provide information for threat-assessment processes, or (3) generate
public or media inquiries.
The terrorist attacks of September 11, 2001, demonstrated that
adversaries were capable of simultaneously attacking multiple sectors
of critical infrastructure. After those attacks, the NRC issued several
Security Orders, as well as the Design Basis Threat (DBT) final rule
(72 FR 12705; March 19, 2007) and the Power Reactor Security final rule
(74 FR 13926; March 27, 2009). These Orders and final rules were steps
taken by the NRC to ensure adequate protection of the public health and
safety and common defense and security. The DBT final rule, in Sec.
73.1, ``Purpose and Scope,'' describes in general terms the types of
attacks licensees must protect against in order to prevent radiological
sabotage and to prevent theft or diversion of strategic special nuclear
material. An adversary attribute included under the DBT for
radiological sabotage is a cyber attack, which is a type of attack that
adversaries could remotely launch against multiple targets (i.e.,
nuclear power reactors) simultaneously. The Power Reactor Security
final rule included specific
requirements to provide high assurance that digital computer and
communication systems and networks are adequately protected against
cyber attacks (Sec. 73.54). The addition of cyber security event
notification requirements supplements Sec. 73.54 by enabling the
timely notifications of potential and/or imminent cyber attacks
directed against licensees. This allows for more timely assessment and
dissemination of threat information, and improves the NRC's ability to
respond and take the actions necessary to mitigate the adverse impacts
of cyber attacks directed against licensees.
Separating the cyber security event notification requirements from
the Power Reactor Security proposed rule narrowed the applicability to
licensees subject to the requirements of Sec. 73.54, which applies to
operating nuclear power plants after the effective date of the final
cyber security rule. Under the original proposed rule published on
October 26, 2006 (71 FR 62664), cyber security event notifications were
included with other event notifications (physical security, enhanced
weapons, etc.) requiring a broader range of applicability (e.g., Fuel
Cycle Facilities).
The NRC considered other options for licensees to report cyber
attacks to the NRC. The NRC considered taking no additional regulatory
actions and relying upon the continuation of voluntary reporting
initiatives currently in place through security advisories. These
voluntary reporting initiatives have allowed the NRC to identify
certain cyber security-related events that might have had a negative
impact upon licensees (e.g., vendor software updates containing
malware) as well as provided licensees with threat information that
assists them in protecting against cyber security-related threats.
However, the security advisories are not mandatory requirements and do
not provide timeliness requirements (one-hour, four-hour, eight-hour),
which can be instrumental in the NRC's ability to respond to cyber
security-related events, to evaluate cyber security-related activities
for threat implications, and to accomplish the agency's strategic
communications mission.
III. Opportunities for Public Participation
A. Public and Stakeholder Meetings
As part of its comprehensive assessment of the NRC's cyber security
event notification regulations and guidance development for this rule,
the NRC staff held two meetings with internal and external
stakeholders.
On June 1, 2011, staff held a public meeting to discuss the
proposed Enhanced Weapons, Firearms Background Checks, and Security
Event Notifications rulemaking, which included the cyber security event
notification requirements. The meeting was in workshop format, and was
held at the NRC Headquarters in Rockville, Maryland; it was attended by
more than 50 people. Additional individuals remotely participated in
the meeting through audio teleconferencing and webinar. Presenters at
the meeting included NRC staff, the Bureau of Alcohol, Tobacco,
Firearms and Explosives, and the Federal Bureau of Investigation
(FBI). Since the NRC was not accepting public comments, the meeting was
not transcribed; however, a meeting summary and the handouts from the
meeting are available in ADAMS under Accession No. ML111720007.
The NRC staff also met with internal and external stakeholders on
July 31, 2014. This public meeting was to discuss the draft final rule
implementation date for the cyber security event notification
requirements. The public meeting was held at the NRC Headquarters in
Rockville, Maryland, and it was attended by six individuals in person
and eight individuals remotely through audio teleconferencing and
webinar. The NRC staff presented the current status of the draft final
cyber security event notifications rule and the draft final
implementation date. The NRC transcribed the meeting in order to
capture public input on the draft final implementation date. The
feedback from this meeting, as well as all the previous interactions,
informed the NRC's schedule for the implementation of the new cyber
security event notification requirements. The meeting summary,
handouts, and a transcript of the meeting are available in ADAMS under
Accession No. ML14240A404.
B. Opportunity for Public Comment
The proposed rule was published in the Federal Register on February
3, 2011 (76 FR 6199), and the public comment period closed on August 4,
2011. On the same day the NRC also published a separate notice
requesting comment on DG-5019, Revision 1, ``Reporting and Recording
Safeguards Events.'' The NRC received a total of 14 submittals on the
proposed rule and draft guidance relating to enhanced weapons, firearms
background checks and security event notifications (which included
cyber security event notifications). The majority of comments came from
the Nuclear Energy Institute (NEI) on behalf of the nuclear power
reactor licensees.
IV. Public Comment Analysis
The proposed enhanced weapons rule was published February 03, 2011
(76 FR 6199), and the public comment period closed on August 04, 2011.
On the same day the NRC also published a separate notice requesting
comment on DG-5019, Revision 1, ``Reporting and Recording Safeguards
Events.''
The NRC received 14 submittals on the proposed rule and draft
guidance. The NRC also received one comment on the proposed
implementation date during the July 31, 2014, public meeting. Comments
specific to cyber security event notifications in the proposed enhanced
weapons rule and DG-5019, Revision 1, were identified and are addressed
in this final rule. The comments specific to the proposed rule on
Enhanced Weapons, Firearms Background Checks, and Security Event
Notifications (76 FR 6200) are not addressed in this final rule and
will be addressed in a subsequent rulemaking. In addition, certain
event notification comments in the proposed rule that were generic
(e.g., comments referring to four-hour notifications in general) are
addressed for cyber security events in this final rule. The submittals
containing comments specific to cyber security event notifications were
consolidated into a single document (ADAMS Accession No. ML14226A596)
that assigns the comment designators (e.g., NEI-155) used in this final
rule. In the proposed rule and draft guidance, the cyber security event
notifications aligned with physical security event notifications with a
focus on compensated and uncompensated events. However, based on public
comments, the final rule and regulatory guidance now align more
closely with Sec. 73.54 with a focus on adverse impacts to SSEP
functions.
A. Public Comments on Proposed Rule
Comment 1: One commenter stated that neither Sec. 73.71 nor
appendix G to 10 CFR part 73 contains an effective date for cyber
security reporting requirements, and recommended that the reporting
requirements align with the date the cyber security plan becomes
effective. [NEI-155]
Response: The NRC disagrees with this comment. Notification of a
cyber security event is necessary to assist the NRC in assessing and
evaluating issues with potential cyber security-related implications in
a timely manner, determining the significance and credibility of the
identified issue(s), and providing recommendations and/or
courses of action to NRC management. Currently, licensees are reporting
certain cyber security events voluntarily to the NRC. However, because
this is done voluntarily there could be certain cyber security events
that may not be reported to the NRC in a timely manner or reported at
all. The cyber security event notifications final rule removes the
voluntary aspects of reporting certain cyber security events, provides
regulatory stability, and ensures the NRC is notified in a timely
manner.
Prompt notification of a cyber attack could be vital to the NRC's
ability to take immediate action in response to a cyber attack and, if
necessary, to notify other NRC licensees, Government agencies, and
critical infrastructure facilities, to defend against a multiple sector
(e.g., energy, financial, etc.) cyber attack. Like the attacks of
September 2001, a cyber attack has the capability to be launched
against multiple targets simultaneously or spread quickly throughout
multiple sectors of critical infrastructure. In light of these
potential consequences, the NRC does not want to delay the
implementation of the cyber security event notification final rule to
match the effective date of each licensee's cyber security plan (i.e.,
Milestone 8) because those cyber security plans may not be fully
effective for several years.
The final rule will become effective 30 days after publication in
the Federal Register. The compliance date will be 180 days after
publication (consistent with the implementation schedule described in
the proposed rule) to allow licensees time to revise their event
notification procedures and train personnel on event notifications
specific to cyber security (i.e., identification, reporting). The cyber
security event notification final rule is consistent with existing
notification processes (i.e., Sec. Sec. 50.72 and 73.71) and aligns
closely with Sec. 73.54 (e.g., adverse impacts to SSEP functions) as
well as current voluntary reporting activities associated with cyber
security requiring less time for implementation. In addition, the cyber
security event notification final rule complements the implementation
of Milestones 1 through 7. For example, the identification of critical
systems and critical digital assets (Milestone 2), the implementation
of a deterministic one-way device (Milestone 3), and access controls
for portable media devices (Milestone 4) are all programs that when
properly implemented and maintained, should identify and mitigate
adverse impacts to SSEP functions. The cyber security event
notification final rule requires licensees to notify the NRC when a
cyber attack caused or could have caused an adverse impact to SSEP
functions. These factors, along with the importance of the NRC
strategic communications mission of informing the DHS and Federal
intelligence and law enforcement agencies of cyber security-related
events that could: 1) Endanger public health and safety or the common
defense and security, 2) provide information for threat-assessment
processes, or 3) generate public or media inquiries, support the need
for the 180-day implementation schedule.
Comment 2: One commenter indicated that critical digital assets
(CDAs) that are not part of a target set should not have the same
sensitivity as those CDAs that are contained within a target set.
[NEI-156]
Response: The NRC disagrees with this comment. The NRC staff has
recognized that a graded approach to controls required for CDAs is
warranted based on the ability to detect and mitigate the consequences
of a cyber attack. However, the cyber security event notification
requirements focus on events that have or could have an adverse impact
to SSEP functions, and thereby incorporate consideration of
protections that prevent successful cyber attacks. Therefore, the
notification requirements cover all CDAs and critical systems within
the scope of Sec. 73.54, which includes: Safety-related and
important-to-safety functions; security functions; emergency preparedness
functions, including offsite communications; and support systems and
equipment which, if compromised, would adversely impact safety,
security, or emergency preparedness functions.
Comment 3: Two commenters recommended that the four-hour
notification events should be incorporated into the eight-hour
notification events, therefore eliminating the four-hour notification
events. One commenter specifically recommended that suspicious events
be moved from four-hour to eight-hour notifications. [NEI-17, 161,
Hardin-2]
Response: The NRC agrees, in part, with this comment. The NRC agrees
that suspicious cyber security events (i.e., activities that may
indicate intelligence gathering or pre-operational planning related to
a cyber attack) should be moved from four-hour notifications to
eight-hour notifications. However, notifications involving a local,
State, or other Federal agency are consistent with existing NRC
regulations at Sec. 50.72(b)(2)(xi). In addition, the unsuccessful
cyber attack notification has been clarified to align more closely with
Sec. 73.54; it addresses cyber attacks that could have caused an adverse
impact to SSEP functions and remains a four-hour notification so the
NRC can conduct additional
notifications as appropriate (e.g., other NRC licensees, Federal law
enforcement agencies, the intelligence community) to mitigate the
effects of a widespread cyber attack, or use as part of the National
threat assessment process. Furthermore, unauthorized operation and
tampering events have been clarified to address suspected or actual
cyber attacks initiated by personnel with physical or electronic access
and were moved in the final rule to four-hour notifications due to the
implications of an internal threat. Accordingly, the NRC has revised
the rule language and associated guidance consistent with this approach
to address the broader recommendation of aligning more closely with
Sec. 73.54.
Comment 4: One commenter suggested adding the word ``significant''
in front of cyber security events. [NEI-167]
Response: The NRC disagrees with this comment. Prefacing the phrase
``cyber security events'' with ``significant'' does not add clarity to
the rule. The NRC is requiring only those cyber security events
associated with actual or potential adverse impacts to be reported. The
NRC has changed the rule text and associated guidance to align more
closely with Sec. 73.54 and distinguishes cyber security events by
whether an adverse impact has occurred (or not) to SSEP functions as a
result of a cyber attack.
Comment 5: One commenter suggested removing the requirement in
appendix G of 10 CFR part 73 regarding the recording of events in a
safeguards event log. The commenter suggested licensees use the
corrective action program instead of using a separate log. [NEI-18,
194, 202]
Response: The NRC agrees with this comment. The cyber security plan
for each licensee describes the use of the corrective action program to
track, trend, correct, and prevent recurrence of cyber security
failures and deficiencies. Therefore, the cyber security event
notification rule text (Sec. 73.77) has been revised to require
licensees to use their corrective action program to record
vulnerabilities, weaknesses, failures and deficiencies in their cyber
security program. Regulatory Guide 5.83 has also been revised to
reflect this change.
Comment 6: The NRC received a comment regarding the use of the term
``compensatory'' in the context of cyber security, stating that the
term is unclear, and is not defined in the two cyber security plan
(CSP) templates, Appendix A of RG 5.71, and Appendix A of NEI 08-09.
[NEI-153, 165]
Response: The NRC agrees with this comment. The term
``compensatory'' is not defined in either CSP template or in other NRC
guidance related to cyber security. Based on public comments, the NRC
has developed a different approach for determining cyber security event
notifications, one that is based on whether the cyber attack caused an
adverse impact (or not) to SSEP functions. The final rule and RG 5.83
have been revised to reflect this new approach.
Comment 7: The NRC received one comment pertaining to use of the
term ``uncompensated'' in the context of cyber security, stating that
the term is unclear, and is not defined within the CSP. In addition,
one of the commenters also stated that the term ``failure'' in the
context of cyber security required clarification. [NEI-164, 207]
Response: The NRC agrees with this comment. The terms
``uncompensated'' and ``failure'' have been removed from the final rule
language. Based on public comments, the NRC has developed a different
approach for determining cyber security event notifications, one that
is based on whether the cyber attack or event caused an adverse impact
(or not) to SSEP functions. Regulatory Guide 5.83 has been revised to
reflect this new approach.
Comment 8: One commenter proposed changes to the rule language,
paragraph I.(h)(1) in appendix G of 10 CFR part 73, adding the terms
``credible,'' ``malicious,'' and ``radiological sabotage'' to add
clarity. The commenter recommended rewriting the event to add in part,
``a credible threat to commit or cause a malicious act to modify,
destroy, or compromise any systems, networks, or equipment that falls
within the scope of 10 CFR 73.54 of this part where a compromise of
these systems has resulted or could result in radiological sabotage.''
[NEI-157, 206]
Response: The NRC disagrees with this comment. Based on public
comments, the NRC developed a different approach for determining cyber
security event notifications, one that is based on whether a cyber
attack caused an adverse impact (or not) to SSEP functions. This
approach aligns more closely with Sec. 73.54 and the terms
``credible,'' ``malicious,'' and ``radiological sabotage'' are not
needed to provide clarity under this approach. Regulatory Guide 5.83
has been revised to reflect this new approach.
Comment 9: One commenter proposed revising the proposed rule
language in paragraph I.(h)(2) in appendix G of 10 CFR part 73 to
include language regarding the defense-in-depth protective strategies
required by Sec. 73.54(c)(2). [NEI-158]
Response: The NRC agrees with this comment. The NRC evaluated the
proposed rule language and determined that items to be reported under
this section are duplicative. Based on public comments, the NRC
developed a different approach for determining cyber security event
notifications, one based on whether the cyber attack caused an adverse
impact (or not) to SSEP functions. Regulatory Guide 5.83 has been
revised to reflect this approach.
Comment 10: One commenter proposed language to paragraph I.(c)(1)
in appendix G of 10 CFR part 73 to report only instances of suspicious
or surveillance activity or attempts to access systems, networks, or
equipment that is within the scope of Sec. 73.54. Additionally, the
commenter recommended deleting proposed language that would include
reporting of additional types of events like potential tampering or
potential destruction of networks, systems, or equipment. [NEI-159]
Response: The NRC disagrees with this comment. The commenter's
reference to paragraph I.(c)(1) in appendix G of 10 CFR part 73 appears
to be misquoted. The changes proposed by the commenter would amend
paragraph II.(c)(1) in appendix G. The NRC believes that surveillance
activities are captured within activities that indicate intelligence
gathering or pre-operational planning and should be reported, and has
made appropriate changes to this final rule. The NRC has clarified and
relocated this requirement to the eight-hour notifications, now
designated as Sec. 73.77(a)(3). Additionally, the NRC moved the
reporting of potential tampering, or potential destruction of networks,
systems or equipment from this requirement and they are now captured
under Sec. 73.77(a)(1), (a)(2)(i), and (a)(2)(ii) of this final rule.
Comment 11: One commenter indicated that paragraph I.(c)(2) in
appendix G of 10 CFR part 73 in the proposed rule text should be
completely removed because it duplicates other proposed rule text.
[NEI-160]
Response: The NRC agrees, in part, with this comment. The
commenter's reference to paragraph I.(c)(2) in appendix G of 10 CFR
part 73 appears to be misquoted. The changes proposed by the commenter
would amend paragraph II.(c)(2) in appendix G. The final rule text has
been revised to remove all duplicative language and is aligned more
closely with the requirements in Sec. 73.54 (i.e., adverse impacts to
SSEP functions). This revised requirement is designated as Sec.
73.77(a)(2)(i). Regulatory Guide 5.83 has been revised to reflect this
change.
Comment 12: One commenter proposed changes to paragraph III in
appendix G of 10 CFR part 73 to clarify the language under eight-hour
reportable events to be consistent with Sec. 73.54(c)(1), which
implements security controls to protect CDAs and critical systems from
cyber attacks. [NEI-162]
Response: The NRC agrees, in part, with this comment. Based on
public comments, the NRC developed an approach that aligns more closely
with Sec. 73.54. The implementation of security controls to protect
CDAs from cyber attacks as described in Sec. 73.54(c)(1) is designed
to prevent adverse impacts to SSEP functions. Therefore, in the final
rule, a cyber attack that adversely impacted SSEP functions requires
notification within one hour after discovery, and cyber attacks that
could have caused an adverse impact to SSEP functions requires
notification within four hours after discovery due to the potential
consequences of these events. Regulatory Guide 5.83 has been revised to
reflect this new approach.
Comment 13: One commenter recommended adding ``that would'' to a
proposed 24-hour recordable event provision in paragraph IV.(a)(2) in
appendix G of 10 CFR part 73. Specifically, the commenter recommended
that the proposed appendix G provision regarding compensated security
events state in part as follows:
(a) Any failure, degradation, or discovered vulnerability in a
safeguards system, had compensatory measures not been established,
that could . . . (2) Degrade the effectiveness of the licensee's or
certificate holder's cyber security program that would allow
unauthorized or undetected access to any systems, networks, or
equipment that fall within the scope of Sec. 73.54 of this part.
The commenter stated that this re-worded provision would better align
with another proposed provision in paragraph I.(h)(2) in appendix G of
10 CFR part 73. [NEI-163]
Response: The NRC disagrees with this comment. Adding the words,
``that would'' to the rule text changes the context of the type of
events that are required to be recorded. However, based on other public
comments, the NRC re-evaluated the 24-hour recordable events for cyber
security event notifications and developed an approach that aligns more
closely with the CSP requirements. Under this approach, as reflected in
the new Sec. 73.77(b)(1) provision being added as part of this
final rule, licensees will be required to use their corrective action
program to record vulnerabilities, weaknesses, failures, and
deficiencies in their cyber security program within twenty-four hours
of their discovery. Regulatory Guide 5.83 has been updated to reflect
this change.
Comment 14: One commenter recommended revising the proposed rule
language to align exactly with the rule language in Sec. 73.54(a)(2),
which discusses protecting digital assets from cyber attacks that would
adversely impact the operations of SSEP functions. Specifically, the
commenter notes that the reporting rule text uses the word ``could''
instead of ``would.'' [NEI-168]
Response: The NRC agrees, in part, with this comment. The NRC agrees
that the reporting rule text should align more closely with Sec.
73.54. However, the NRC disagrees with changing the word ``could'' to
``would,'' because these words are correctly used in their respective
rules. Section 73.54 addresses hypothetical future cyber attacks that
must be protected against, while this rule describes notifications that
licensees are required to issue after an event has already occurred.
Further, there are different types of cyber attacks that licensees are
required to report. One type of attack required to be reported is a
cyber attack that adversely impacted SSEP functions. This type of
attack is to be reported within one hour after discovery. Another type
required to be reported is a cyber attack that could have caused an
adverse impact to SSEP functions; this type of attack is to be reported
within four hours after discovery. The NRC has revised RG 5.83 to
reflect this new approach that aligns more closely with Sec. 73.54
regarding adverse impacts to SSEP functions.
Comment 15: One commenter proposed deleting the requirement in
paragraph II.(c)(2) in appendix G of 10 CFR part 73 because the
commenter believes it is duplicated in paragraph I.(h)(2) in appendix
G. [NEI-169]
Response: The NRC agrees that the proposed paragraph II.(c)(2) in
appendix G of 10 CFR part 73 is similar to paragraph I.(h)(2) in
appendix G; therefore, the NRC has revised the final rule to make it
clear exactly what types of cyber attacks are reported to the NRC.
Specifically, the final rule language reflects a different approach for
determining cyber security event notifications, eliminates duplicative
requirements, and provides clarity based on whether the attack caused
an adverse impact (or not) to SSEP functions. Regulatory Guide 5.83 has
been revised to reflect this new approach.
Comment 16: One commenter proposed rule language in paragraph
I.(h)(2) in appendix G of 10 CFR part 73 that would change events that
``could'' allow unauthorized or undetected access into systems,
networks, or equipment to events that ``would'' allow unauthorized or
undetected access into systems, networks, or equipment. [NEI-170]
Response: The NRC disagrees with this comment, but has, for other
reasons, revised the requirement in the final rule. The objective of
this reporting requirement is not to have licensees confirm with the
NRC that a cyber attack has occurred. Rather, the objective is to
report conditions in which such an attack could have occurred. The NRC
continues to believe that licensees should report events or
circumstances that could have resulted in undetected or compromised
conditions at the facility. However, the NRC staff evaluated the
language in the proposed rule and determined that items reported under
this section were duplicative and therefore removed this requirement
from the final rule text. Regulatory Guide 5.83 was revised to reflect
this change.
Comment 17: One commenter recommended that four- and eight-hour
notifications be consolidated into ``within 24-hours'' to mitigate
event reporting violations. [B&W-30]
Response: The NRC disagrees with this comment. The four- and eight-
hour notifications include cyber attacks and activities (i.e.,
precursors to an attack) where the timeliness of information allows the
NRC to conduct additional notifications (to DHS, other NRC licensees),
assists the Federal Government and/or other NRC licensees to take
mitigative measures to prevent a widespread cyber attack, and allows
the NRC to respond to public and/or media inquiries. In addition,
notifications to a local, State or other Federal agency are consistent
with existing NRC regulations at Sec. 50.72(b)(2)(xi).
Comment 18: One commenter recommended clarification on cyber
security event notification requirements regarding exclusion of
licensees not subject to Sec. 73.54. [NFS-11, 12]
Response: The NRC agrees with this comment. The final rule text was
revised and clarified to only apply to licensees subject to the
provisions of Sec. 73.54.
Comment 19: One commenter recommended that ``one-hour
notifications'' should be related to a specific threat or attempted
threat to the facility, and events that do not pose an actual threat
should be ``eight-hour notifications.'' [NEI-22, 33]
Response: The NRC disagrees with this comment. Based on public
comments, the NRC developed a different approach for determining cyber
security event notifications, one that is based on whether a cyber
attack caused an adverse impact (or not) to SSEP functions. Cyber
attacks that adversely impacted SSEP functions are now one-hour
notifications. Cyber attacks that could have caused an adverse impact
to SSEP functions are now four-hour notifications, and activities that
may indicate intelligence gathering or pre-operational planning related
to a cyber attack are now eight-hour notifications.
Comment 20: One commenter recommended adding the word
``malevolent'' to proposed requirements describing an unauthorized
operation or tampering event to rule out human error events. [NEI-31,
48]
Response: The NRC disagrees with this comment. The word
``malevolent'' is unnecessary because, under the new approach,
notification of such events is not based on the intent of the act, but
based on the potential consequences of the event (i.e., adverse impact
(or not) to SSEP functions). No change has been made to the final rule
based on this comment.
Comment 21: One commenter recommended clarifying requirements
regarding law enforcement interactions. The commenter recommended that
notifications that could result in public or media inquiries should not
duplicate notifications made under other NRC regulations such as Sec.
50.72(b)(2)(xi). [NEI-35]
Response: The NRC agrees with this comment. The final rule has been
revised to eliminate duplication of notifications made under other NRC
regulations. Regulatory Guide 5.83 has been revised to reflect this
change.
Comment 22: One commenter recommended clarification regarding
retraction of reports determined later to be invalid. The commenter
stated that the notification may not be invalid, but may later be
determined not to meet the threshold of a one-, four-, or eight-hour
notification (i.e., a recordable event). [NEI-40]
Response: The NRC agrees with this comment. The final rule and RG
5.83 have been revised to clarify that retraction of reports can
include valid reports which later do not meet the threshold of a one-,
four-, or eight-hour notification.
Comment 23: One commenter recommended adding the term ``malicious
intent'' to each of the eight-hour reportable events regarding
unauthorized operation or tampering
events. [NEI-53, 112]
Response: The NRC disagrees with this comment. The term ``malicious
intent'' is unnecessary because, under the new approach, notification
of such events is not based on the intent of the act, but based on the
potential consequences of the event (i.e., adverse impact (or not) to
SSEP functions).
Comment 24: One commenter recommended that cyber attack reporting
needs to be synchronized with NEI 08-09 and RG 5.71 to ensure reporting
criteria are well-defined. [NEI-69]
Response: The NRC agrees with this comment. The final rule reflects
an approach that aligns more closely with Sec. 73.54 and RG 5.71 and
provides additional clarity on cyber security event notification
criteria (i.e., adverse impact to SSEP functions). Regulatory Guide
5.83 has also been revised to reflect this new approach.
Comment 25: One commenter recommended deleting the requirements and
guidance for written follow-up reports on several reporting events
(four- and eight-hour notifications). [NEI-117]
Response: The NRC disagrees with this comment. Submission of
written follow-up reports is consistent with existing NRC regulations
and provides the NRC with information that may not have been available
at the time of the notification.
Comment 26: One commenter recommended that the final rule require
licensees to notify their local FBI Joint Terrorism Task Force (JTTF)
of suspicious events as contained in voluntary guidance documents and
eliminate or reduce the timeliness of reporting such events to the NRC.
[Hardin-3]
Response: The NRC disagrees with this comment. The reporting of
events to the FBI JTTF is voluntary and as such, does not have a
timeliness requirement. This final rule requires notification to the
NRC within a stated time for activities that may indicate intelligence
gathering or pre-operational planning related to a cyber attack.
Notifications of activities that may indicate intelligence gathering or
pre-operational planning related to a cyber attack will be evaluated
and forwarded as appropriate by the NRC to federal law enforcement
agencies and the intelligence community as part of the National threat
assessment process.
B. Public Comments on Draft Guide-5019
Comment 1: One commenter proposed removing the terms such as
``could,'' ``likelihood,'' and ``likely to'' from DG-5019. [NEI-21,
166]
Response: The NRC disagrees with this comment. The use of the terms
``could,'' ``likelihood,'' and ``likely to'' within DG-5019 is
consistent with existing NRC reporting guidelines (NUREG-1022, ``Event
Report Guidelines for 10 CFR 50.72 and 50.73'' (ADAMS Accession No.
ML13032A220)).
Comment 2: One commenter proposed revising section 2.3.2, item r,
of DG-5019 to include, ``Confirmed cyber attacks on computer systems
that adversely affected safety, security, and emergency preparedness
systems are reportable'' instead of, ``may adversely affect'' and
removing item aa of section 2.3.2 due to redundancy. [NEI-171]
Response: The NRC agrees with this comment. The staff evaluated
both items in section 2.3.2 of DG-5019 and revised RG 5.83 to reflect
the proposed changes.
Comment 3: One commenter proposed revising section 2.3.2, item
bb.(2), of DG-5019 to include the word ``cyber'' before security
program and security measures. [NEI-172]
Response: The NRC agrees with this comment, yet has, for other
reasons, removed this material from the final guidance. The final
guidance reflects changes made to the final rule that align more
closely with Sec. 73.54 (i.e., adverse impacts to SSEP functions), and
in the process, the NRC staff determined that item bb.(4) was no longer
required.
Comment 4: One commenter proposed revising section 2.3.2, item
bb.(3), of DG-5019 to state that events caused inadvertently by an
individual and not resulting in a threat to facility security, would be
a recordable event, and events caused by a cyber attack resulting in an
adverse impact to SSEP functions would be a one-hour reportable event.
[NEI-173]
Response: The NRC agrees with this comment. The item was revised in
RG 5.83 to distinguish recordable inadvertent non-threatening events
from those cyber attacks causing adverse impacts, which are one-hour
notifications.
Comment 5: One commenter recommended moving section 2.3.2, item
bb.(4) from (one-hour notification examples) to section 2.6.2 (eight-
hour notification examples) in DG-5019 regarding attempts by
unauthorized persons. [NEI-174]
Response: The NRC disagrees with this comment, yet has, for other
reasons, removed this material from the final guidance. The final
guidance reflects changes made to the final rule that align more
closely with Sec. 73.54 (i.e., adverse impacts to SSEP functions), and
in the process, staff determined that item bb.(4) was no longer
required.
Comment 6: One commenter recommended moving section 2.3.2, item
bb.(5), (one-hour notification examples) to section 2.6.2 (eight-hour
notification examples) in DG-5019 regarding cyber attacks thwarted by
security controls. [NEI-175]
Response: The NRC disagrees with this comment, yet has, for other
reasons, removed this material from the final guidance. The final
guidance reflects changes made to the final rule that align more
closely with Sec. 73.54 (i.e., adverse impacts to SSEP functions), and
in the process, staff determined that item bb.(5) was no longer
required.
Comment 7: One commenter proposed removing the terms ``unauthorized
software'' and ``firmware'' from section 2.3.2, item cc, because of
redundancy with the term malware. [NEI-176]
Response: The NRC disagrees with this comment, but, for other
reasons, the guidance has been revised. There is a difference between
malware and unauthorized software or firmware, and therefore there is
no redundancy. However, the staff re-evaluated the language and
determined the example is not consistent with Sec. 73.54 and RG 5.71.
Therefore, the example was not included in RG 5.83.
Comment 8: One commenter proposed changes to section 2.3.2, item
dd, of DG-5019 where the result was changed from compromising the CDA
to an adverse impact to SSEP functions. [NEI-177]
Response: The NRC agrees with the proposed changes to the item;
however, due to changes in the final rule language, this item was
clarified and moved to a four-hour notification example within RG 5.83.
Comment 9: One commenter recommended removing section 2.3.2, item
ee, of DG-5019, because there are no NRC regulations covering
``sensitive cyber security data.'' [NEI-178]
Response: The NRC agrees with this comment. The item has been
removed from RG 5.83.
Comment 10: One commenter recommended clarifying section 2.3.2,
item ff, of DG-5019, and proposed the term ``cyber intrusion detection
capability'' instead of the term ``cyber intrusion detection system.''
[NEI-179]
Response: The NRC disagrees with this comment, yet has, for other
reasons, removed this material from the final guidance. The item was
not included in RG 5.83 because it was not consistent with Sec. 73.54
and RG 5.71.
Comment 11: One commenter recommended section 2.3.2, item hh, of
DG-5019 be revised to be consistent with Sec. 73.54(a)(2) by removing
the term uncompensated. [NEI-181]
Response: The NRC disagrees with this comment, yet has, for other
reasons, removed this material from the final guidance. The staff
reviewed the item and determined it was not consistent with 10 CFR
73.54 and RG 5.71 and removed it from RG 5.83.
Comment 12: The NRC received several comments regarding redundant
material within section 2.3.2, item hh, of DG-5019. [NEI-180, 182,
185]
Response: The NRC agrees with this comment. Staff removed items gg,
ii and ll from section 2.3.2 in RG 5.83 because they were redundant
with item hh regarding unauthorized access to CDAs.
Comment 13: One commenter recommended moving section 2.3.2, item
jj, of DG-5019 from the one-hour notification examples to the four-hour
notification examples in section 2.5.2 regarding discovery of falsified
identification badges. [NEI-183]
Response: The NRC agrees in part with this comment, in that the item
should be moved. However, under the new approach, this item is
consistent with eight-hour notifications (i.e., activities that may
indicate intelligence gathering or pre-operational planning related to
a cyber attack) and was moved in final guidance to the eight-hour
notification examples.
Comment 14: One commenter recommended revising section 2.3.2, item
kk, of DG-5019 replacing the term ``could'' with ``would.'' [NEI-184]
Response: The NRC disagrees with this comment, yet has, for other
reasons, removed this material from the final guidance. The NRC staff
re-evaluated this item, determined it was not consistent with the final
rule, and deleted it from RG 5.83.
Comment 15: One commenter recommended removing section 2.3.2, item
mm, of DG-5019 because it duplicates 2.3.2, item y, regarding
safeguards reporting requirements. [NEI-186]
Response: The NRC agrees with this comment. The item has been
removed from RG 5.83.
Comment 16: One commenter recommended removing section 2.3.2, item
nn, of DG-5019 because there are no NRC requirements for maintaining
cyber security response personnel staffing levels. [NEI-187]
Response: The NRC agrees with this comment. The item has been
removed from RG 5.83.
Comment 17: One commenter recommended revising section 2.3.2, item
oo, of DG-5019 to change the phrase, ``could increase the likelihood of
an attempted attack'' to the phrase, ``would result in an attack.''
[NEI-188]
Response: The NRC disagrees with this comment, yet has, for other
reasons, revised this material in the final guidance. This item has
been revised in RG 5.83 to include any event that allows unauthorized
or undetected access to a CDA that could be exploited in an attack to
be reported within four hours of discovery.
Comment 18: One commenter recommended adding new examples to
sections 2.3.2 and 2.5.2 of DG-5019. One example, (section 2.3.2)
involved discovery of unauthorized user IDs and unauthorized
configurations to cyber controls (e.g., firewall port opening, etc.).
The other example (section 2.5.2) involved unauthorized attempts to
probe CDAs including the use of social engineering techniques. [NEI-
189, 190]
Response: The NRC agrees with the examples provided, and based on
final rule text changes (cyber attacks initiated by personnel with
physical or electronic access and activities that may indicate pre-
operational planning), these items were included in RG 5.83.
Comment 19: One commenter recommended revising section 2.5.2, item
kk, of DG-5019 to include the word cyber before the term security
controls. [NEI-191]
Response: The NRC agrees with this comment. The item was revised in
RG 5.83 to include the word cyber before security controls.
Comment 20: One commenter recommended removing section 2.5.2, item
mm, of DG-5019 because it is redundant to section 2.5.2, item kk. [NEI-
192]
Response: The NRC agrees with this comment. The item has been
removed from RG 5.83.
Comment 21: One commenter recommended revising section 2.5.2, item
oo, of DG-5019 to add Levels 3 and 4 to the description so the item is
consistent with the definition provided in the glossary for a CDA.
[NEI-193]
Response: The NRC disagrees with this comment, but for other
reasons has revised the final guidance. The definition of a CDA in RG
5.83 was revised for consistency with the definition provided in RG
5.71.
Comment 22: One commenter recommended revising section 2.5.2, item
qq, of DG-5019 or removing it altogether because reporting the high
number of malware attempts on lower security level networks that do not
have the degree of protection of CDAs would be burdensome on the NRC
and the licensee. [NEI-195]
Response: The NRC agrees with this comment. Based on final rule
text changes, this item was revised in RG 5.83 to narrow the scope to
attacks discovered or manifested on a CDA, critical system or protected
network, reducing the number of potential notifications on the licensee
and the NRC.
Comment 23: One commenter recommended revising section 2.5.2, item
rr, of DG-5019 to clarify the term ``cyber systems.'' [NEI-196]
Response: The NRC agrees with this comment. In RG 5.83 this item
was revised for consistency with RG 5.71 and uses the terms ``critical
systems'' and ``CDAs.''
Comment 24: One commenter recommended removing the 15-minute
reference in section 2.5.2, item ss, of DG-5019. [NEI-197]
Response: The NRC agrees with this comment. The final rule text
does not contain any 15-minute notifications related to cyber security,
and therefore, this item was revised in the final guidance to a four-
hour notification example.
Comment 25: One commenter recommended revising or removing the
paragraph before section 2.6.2, item h, in DG-5019 regarding cyber
security events that interrupt or degrade the facility's SSEP
functions. [NEI-198]
Response: The NRC agrees with this comment, yet has, for other
reasons, removed this material from the final guidance. The final
guidance reflects changes made to the final rule that align more
closely with Sec. 73.54 (i.e., adverse impacts to SSEP functions), and
in the process, staff determined that this item was no longer required.
Comment 26: One commenter recommended revising section 2.6.2, item
I, of DG-5019. The commenter recommended removing the term ``failed''
because a CDA could fail for non-malicious reasons and not be the
result of a cyber attack or unauthorized activity. [NEI-199]
Response: The NRC agrees with this comment. There are many reasons
a critical digital asset can fail that are not related to unauthorized
activity or cyber attacks. Regulatory Guide 5.83 has been revised to
reflect this change.
Comment 27: One commenter recommended revising section 5.3, item n,
of DG-5019 because the term ``compensated'' is not defined. [NEI-200]
Response: The NRC agrees with this comment. This item was removed
from RG 5.83.
Comment 28: One commenter recommended clarifying section 5.3, item
o, of DG-5019 regarding individuals who are incorrectly authorized
access to a CDA. [NEI-201]
Response: The NRC agrees with this comment. This item was removed
from RG 5.83.
Comment 29: One commenter recommended adding items to section 5.3
of DG-5019 to include examples of cyber events that are compensated as
proposed by paragraph IV.(a) in appendix G of 10 CFR part 73. [NEI-203]
Response: The NRC disagrees with this comment. The final rule
language reflects a different approach, one based on whether the cyber
attack or event caused an adverse impact (or not) to SSEP functions,
instead of whether the cyber attack or event was compensated or
uncompensated. Regulatory Guide 5.83 has been revised to reflect this
new approach.
Comment 30: One commenter recommended changes to the definitions
provided in the glossary of DG-5019. The commenter proposed changing
``cyber attack'' to be consistent with the definition provided in NEI
08-09 and changing ``CDA'' to only include digital computer,
communication systems, and networks that fall within level 3 or 4
boundaries as well as a general comment that all definitions in the
glossary be synchronized with code requirements and regulatory guides.
[NEI-138, 204, 205]
Response: The NRC agrees in part with this comment. The definitions
of cyber attack and CDA in RG 5.83 have been revised to synchronize
with the definitions in RG 5.71, not NEI 08-09.
Comment 31: Two commenters proposed a definition of the term
``discovery time of'' in DG-5019. The commenters suggested discovery
occurs after initial notifications are made and a determination made
that the event meets applicable reporting requirements. [NEI-19, B&W-
29]
Response: The NRC disagrees with this comment. Internal
notifications and gathering information to make a determination as to
whether it meets applicable reporting requirements could take several
hours, or even days, depending on the amount of information needed to
reach a conclusion. The time to report an event is upon recognition;
the licensee can withdraw a report (based on subsequent analysis of the
circumstances) without prejudice to its security performance
indicators. No changes have been made to the guidance.
Comment 32: One commenter stated that the cyber security plan
templates published by the NRC and NEI do not contain guidance for
licensees to differentiate between events that are recordable versus
reportable. [NEI-20, 154]
Response: The NRC agrees with this comment. Neither cyber security
plan template issued by the NRC nor NEI contains guidance for licensees
on which events are recordable or reportable. However, DG-5019 provided
guidance to licensees on events that are reportable and recordable
related to cyber security event notifications. Consistent with
Commission policy, the NRC is publishing with this final rule, final
guidance, RG 5.83, ``Cyber Security Event Notifications,'' which
provides guidance to licensees on an acceptable method for meeting
regulatory requirements. The final guidance has been revised to provide
examples that differentiate between events that are reportable and
recordable.
Comment 33: One commenter recommended revisions to NRC Form 366.
The commenter recommended the NRC specify the type of content licensees
should include in the abstract section of the form. [NEI-44, 118]
Response: The NRC disagrees with this comment. The NRC's Form 366
will not be revised. Regulatory Guide 5.83 will provide the specific
type of content that should be included in the abstract section of
NRC's Form 366.
Comment 34: One commenter recommended clarifying the guidance
regarding elicitation of information from facility personnel relating
to security or safe operation of the facility. The commenter suggested
adding the phrase ``non-routine'' regarding the elicitation of
information to distinguish general public or media inquiries from
elicitations that could be indicative of suspicious activity. [NEI-52,
95, 99]
Response: The NRC agrees with this comment. Regulatory Guide 5.83
has been revised to provide a distinction between common inquiries
(e.g., public and media inquiries) and uncommon inquiries (e.g.,
activities that may indicate intelligence gathering or pre-operational
planning related to a cyber attack).
Comment 35: One commenter recommended clarifying the examples of
one-hour notifications and including ``real life'' examples. [NEI-71]
Response: The NRC agrees with this comment. The NRC staff reviewed
previous ``real life'' examples and included them in final guidance. In
addition, the new approach for one-hour notifications (i.e., adverse
impacts to SSEP functions) provides additional clarity.
Comment 36: One commenter recommended changes to the examples
involving the compromise of CDAs. The commenter stated that section
2.3.2 of DG-5019, items (aa) and (bb) were duplicative, and that two
supporting examples (4 and 5) were not within the scope of one-hour
notifications (i.e., adverse impact to SSEP functions). [NEI-94]
Response: The NRC agrees with this comment. Regulatory Guide 5.83
has been revised to delete one of the duplicate items and to remove the
two supporting examples from the remaining item.
Comment 37: One commenter recommended moving an example related to
unauthorized attempts to steal business secrets or sensitive
information to the cyber security event notification examples. [NEI-
100]
Response: The NRC disagrees with this comment. The final rule
reflects an approach that aligns more closely with Sec. 73.54 and RG
5.71, and provides clarity to cyber security event notification
criteria. Unauthorized attempts to access business and trade sensitive
information are outside the scope of Sec. 73.54, and no changes to the
rule or RG 5.83 were made based on this comment.
Comment 38: One commenter recommended clarifying the example
regarding unsubstantiated cyber threats related to harassment,
including threats that could represent tests of response capabilities.
The commenter stated the example was confusing and too broad in scope.
[NEI-111]
Response: The NRC agrees with this comment. The NRC has revised the
example to clarify the scope of the cyber attacks to be reported (i.e.,
a cyber attack that could have caused an adverse impact to SSEP
functions).
Comment 39: One commenter requested NRC clarify the guidance on
unplanned missed cyber vulnerability assessments. [NEI-131]
Response: The NRC agrees with this comment. Regulatory Guide 5.83
was revised to clarify the treatment of missed cyber vulnerability
assessments. The CSP states the periodicity that cyber vulnerability
assessments are performed (quarterly). If a cyber vulnerability
assessment exceeds the periodicity specified in the CSP, it would be
considered a 24-hour recordable event.
C. Public Comments on Proposed Implementation Date From July 31, 2014,
Public Meeting
Comment 1: One commenter raised a concern that issuing the Cyber
Security Event Notifications (CSEN) final rulemaking now may delay
full implementation of Sec. 73.54 because of the impact on resources.
The commenter stated that licensees may have to divert some resources
from implementing the cyber security
program to implementing the CSEN requirements.
Response: The NRC agrees in part with this comment. The NRC staff
recognizes that this rule will have an impact on licensee resources
(similar skillsets required for CSEN and cyber security program
implementation). The NRC staff acknowledges this and is conducting CER-
related activities in an effort to minimize the impact (e.g.,
conducting a public meeting on the implementation date during final
rulemaking, issuing final guidance with the final rule). In addition,
the CSEN final rule is consistent with existing notification processes
(i.e., Sec. Sec. 50.72 and 73.71) and aligns closely with Sec. 73.54
and the current voluntary reporting initiatives thereby reducing the
level of impact on implementation. However, the CSEN final rule removes
the voluntary aspect of reporting certain cyber security events and
provides regulatory stability and ensures the NRC is notified in a
timely manner while maintaining its strategic communications mission
outlined in the framework of the National Infrastructure Protection
Plan developed by the DHS (see http://www.dhs.gov/sites/default/files/publications/National-Infrastructure-Protection-Plan-2013-508.pdf).
Prompt notification of a cyber attack could be vital to the NRC's
ability to take immediate action in response to a cyber attack and, if
necessary, to notify other NRC licensees, Government agencies, and
critical infrastructure facilities, to defend against a multiple sector
cyber attack. A cyber attack has the capability to be launched against
multiple targets simultaneously or spread quickly throughout multiple
sectors of critical infrastructure; therefore, the NRC has not changed
the 180-day implementation schedule.
V. Section-by-Section Analysis
The following section-by-section analysis discusses the final
revisions to the NRC's regulations regarding cyber security, and
explains how the final rule differs from the language in the proposed
rule. This final rule adds a new section (Sec. 73.77) to 10 CFR part
73 and revises three existing sections (Sec. Sec. 73.8, 73.22, and
73.54) to make conforming changes.
Section 73.8, Information Collection Requirements: OMB Approval
The NRC is amending Sec. 73.8 to add Sec. 73.77 to paragraph (b)
that provides the approved information collection requirements
contained in 10 CFR part 73 under control number 3150-0002. In
addition, the NRC is amending Sec. 73.8 to add Sec. 73.77 to
paragraph (c)(1) that provides that NRC Form 366 is approved under
control number 3150-0104.
Section 73.22, Protection of Safeguards Information: Specific
Requirements
The NRC is amending Sec. 73.22(f)(3) to add the sentence, ``Cyber
security event notifications required to be reported pursuant to Sec.
73.77 are considered to be extraordinary conditions'' to the end of the
paragraph.
Section 73.54, Protection of Digital Computer and Communication Systems
and Networks
The NRC is amending Sec. 73.54 to add a new paragraph (d)(4) that
reads, ``Conduct cyber security event notifications in accordance with
the provisions of Sec. 73.77.'' This new requirement guides the
licensee to the correct 10 CFR part 73 section for conducting cyber
security event notifications.
Section 73.77, Cyber Security Event Notifications
The NRC has moved cyber security event notifications requirements
that were proposed to be added to Sec. 73.71 and appendix G to a newly
created section (Sec. 73.77) within 10 CFR part 73.
Section 73.77(a)(1) requires licensees to notify the NRC within
one hour after discovery of a cyber attack that adversely impacted
safety-related or important-to-safety functions, security functions, or
emergency preparedness functions (including offsite communications); or
that compromised support systems and equipment resulting in adverse
impacts to safety, security, or emergency preparedness functions within
the scope of Sec. 73.54. This requirement differs from the proposed
rule language; it has been revised to more closely align with Sec.
73.54 and to remove the term ``uncompensated cyber security events''
because that term was unclear and not defined within the CSP.
Section 73.77(a)(2) requires licensees to notify the NRC within
four hours:
Section 73.77(a)(2)(i) after discovery of a cyber attack that could
have caused an adverse impact to safety-related or important-to-safety
functions, security functions, or emergency preparedness functions
(including offsite communications); or that could have compromised
support systems and equipment, which if compromised, could have
adversely impacted safety, security, or emergency preparedness
functions within the scope of Sec. 73.54. This requirement differs
from the proposed rule; it has been revised to more closely align with
Sec. 73.54. In addition, the final rule distinguishes between four-
hour and eight-hour notifications.
Section 73.77(a)(2)(ii) after discovery of a suspected or actual
cyber attack initiated by personnel with physical or electronic access
to digital computer and communication systems and networks within the
scope of Sec. 73.54. This requirement differs from the proposed rule;
it has been revised to capture cyber attacks (e.g., tampering) that may
not have any impact on SSEP functions, but may indicate an internal
threat.
Section 73.77(a)(2)(iii) after notification of a local, State, or
other Federal agency (e.g., local law enforcement, FBI, etc.) of an
event related to implementation of their cyber security program. The
final rule includes other types of agencies besides law enforcement
(e.g., DHS, etc.) to maintain consistency with existing NRC reporting
requirements (e.g., Sec. 50.72).
Section 73.77(a)(3) requires licensees to notify the NRC within
eight hours after receipt or collection of information regarding
observed behavior, activities, or statements that may indicate
intelligence gathering or pre-operational planning related to a cyber
attack against digital computer and communication systems and networks
within the scope of Sec. 73.54. Requirements for ``suspicious cyber
events'' have been revised and moved from four-hour notifications in
the proposed rule to eight-hour notifications in the final rule. This
requirement now captures activities that are associated with precursors
to a cyber attack (e.g., activities related to intelligence gathering
or pre-operational planning).
Section 73.77(b) requires licensees to record certain cyber
security events in their site corrective action program (CAP) within
24 hours of their discovery. The proposed rule required licensees to
use a Safeguards Event Log; to prevent duplication of effort, the final
rule requires licensees to use their site CAP.
Section 73.77(b)(1) requires licensees to use their site CAP to
record vulnerabilities, weaknesses, failures, and deficiencies in their
Sec. 73.54 cyber security program. This requirement has been revised
to align with NRC physical protection program requirements in Sec.
73.55(b)(10) regarding the use of the site CAP to track, trend,
correct, and prevent recurrence of failures and deficiencies.
Section 73.77(b)(2) requires licensees to record notifications made
under paragraph (a) of Sec. 73.77.
[[Page 67274]]
Section 73.77(c) provides the process for conducting cyber security
event notifications.
Section 73.77(c)(1) has been revised from the proposed rule to
include the Emergency Notification System (ENS) as the primary means
for conducting notifications, instead of any available telephone
system. Using the ENS is consistent with existing NRC regulations for
conducting notifications (e.g., Sec. 50.72).
Section 73.77(c)(3) in the final rule was revised to remove a
reference to paragraph III in appendix A of 10 CFR part 73, which
provided instructions on requesting a transfer to a secure phone. The
current appendix A in 10 CFR part 73 does not contain a paragraph III,
and conforming changes to appendix A are not part of this final rule.
Instead, Sec. 73.77(c)(3) references appendix A generally and directs
the licensee to request a transfer to a secure telephone.
Sections 73.77(c)(6), ``Declaration of emergencies,'' and
73.77(c)(7), ``Elimination of duplication,'' were moved in the final
rule from the ``Written Security Follow-up Reports'' section into the
``Notification Process'' section because they contain notification-
specific information. In addition, because the scope of this final rule
is narrower than that of the proposed rule, references in the proposed
rule to several other sections of the NRC's regulations (e.g., Sec.
70.50) have been removed; those sections are not revised by this final
rule.
Section 73.77(d), ``Written security follow-up reports,''
establishes the necessary regulatory framework to facilitate consistent
application of Commission requirements for written security follow-up
reports for cyber security event notifications.
VI. Regulatory Flexibility Certification
Under the Regulatory Flexibility Act (5 U.S.C. 605(b)), the NRC
certifies that this rule does not have a significant economic impact on
a substantial number of small entities. This final rule affects only
the licensing and operation of nuclear power plants. The companies that
own these plants do not fall within the scope of the definition of
``small entities'' set forth in the Regulatory Flexibility Act or the
size standards established by the NRC (10 CFR 2.810).
VII. Regulatory Analysis
The NRC has prepared a final regulatory analysis for this final
rule. The analysis examines the costs and benefits of the alternatives
considered by the NRC. The regulatory analysis is available as
indicated in Section XVII., ``Availability of Documents,'' of this
document.
VIII. Backfitting and Issue Finality
The final rule imposing new cyber security event notifications
affects information collection and reporting requirements and is not
considered to be a backfit, as presented in the charter for NRC's
Committee to Review Generic Requirements. Therefore, a backfit analysis
has not been completed for any of the provisions of this final rule.
IX. Cumulative Effects of Regulation
While the proposed rule was issued prior to the formal CER
requirements promulgated by SRM-SECY-0032, the intent of CER was still
met. For example, the draft guidance was issued for comment concurrent
with the proposed rule, a public meeting was conducted during the
development of the proposed rule, a public meeting on implementation
was conducted during the final rule stage, and the final guidance will
be issued with the final rule.
The NRC staff engaged external stakeholders at public meetings and
by soliciting public comments on the proposed rule and draft guidance
documents. A public meeting was held at NRC Headquarters on June 1,
2011, to discuss the proposed rule, the draft implementation plan, and
draft guidance.
In addition, on July 31, 2014, a public meeting was held at the NRC
Headquarters on the draft final implementation plan for the final rule
(a type of meeting specifically contemplated by the NRC's CER effort).
Prompt notification of a cyber attack is vital to the NRC's ability to
take immediate action in response to a cyber attack, which contributes
to protecting the public health and safety or the common defense and
security. The NRC's strategic communications mission and the feedback
from the public meetings informed the staff's recommended schedule for
the final implementation date in the CSEN final rule.
A fundamental CER process improvement is to publish the final
guidance with the final rule so as to support effective implementation.
This final rulemaking accomplishes this by ensuring that final guidance
is complete and available concurrent with this final rule publication
in the Federal Register.
X. Plain Writing
The Plain Writing Act of 2010 (Pub. L. 111-274) requires Federal
agencies to write documents in a clear, concise, and well-organized
manner. The NRC has written this document to be consistent with the
Plain Writing Act as well as the Presidential Memorandum, ``Plain
Language in Government Writing,'' published June 10, 1998 (63 FR
31883).
XI. Environmental Assessment and Final Finding of No Significant
Environmental Impact
The NRC has determined that this final rule is the type of action
described in 10 CFR 51.22(c)(3)(iii). Therefore, neither an
environmental impact statement nor environmental assessment has been
prepared for this final rule.
XII. Paperwork Reduction Act
This final rule contains new or amended information collection
requirements that are subject to the Paperwork Reduction Act of 1995
(44 U.S.C. 3501 et seq.). These requirements were approved by the
Office of Management and Budget (OMB), approval numbers 3150-0230 and
3150-0104.
The burden to the public for these information collections is
estimated to average 39.4 hours per response, including the time for
reviewing instructions, searching existing data sources, gathering and
maintaining the data needed, and completing and reviewing the
information collection. Send comments on any aspect of these
information collections, including suggestions for reducing the burden,
to the Freedom of Information Act, Privacy, and Information Collections
Branch (T-5 F53), U.S. Nuclear Regulatory Commission, Washington, DC
20555-0001, or by email to [email protected] and to the
Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202,
(3150-0230 and 3150-0104), Office of Management and Budget, Washington,
DC 20503 or by email to [email protected].
Public Protection Notification
The NRC may not conduct or sponsor, and a person is not required to
respond to, a request for information or an information collection
requirement unless the requesting document displays a currently valid
OMB control number.
XIII. Congressional Review Act
In accordance with the Congressional Review Act of 1996 (5 U.S.C.
801-808), the NRC has determined that this action is not a major rule
and has verified this determination with the Office of Information and
Regulatory Affairs of OMB.
XIV. Criminal Penalties
For the purposes of Section 223 of the Atomic Energy Act of 1954,
as amended
[[Page 67275]]
(AEA), the NRC is issuing this final rule, which amends Sec. Sec.
73.8, 73.22, and 73.54 and adds Sec. 73.77, under one or more of
Sections 161b, 161i, or 161o of the AEA. Willful violations of the rule
would be subject to criminal enforcement. Criminal penalties as they
apply to regulations in 10 CFR part 73 are discussed in Sec. 73.81(a).
XV. Compatibility of Agreement State Regulations
Under the ``Policy Statement on Adequacy and Compatibility of
Agreement State Programs,'' approved by the Commission on June 20,
1997, and published in the Federal Register (62 FR 46517; September 3,
1997), this rule is classified as compatibility ``NRC.'' Compatibility
is not required for Category ``NRC'' regulations. The NRC program
elements in this category are those that relate directly to areas of
regulation reserved to the NRC by the AEA or the provisions of 10 CFR,
and although an Agreement State may not adopt program elements reserved
to the NRC, it may wish to inform its licensees of certain requirements
via a mechanism that is consistent with a particular State's
administrative procedure laws, but does not confer regulatory authority
on the State.
XVI. Availability of Guidance
The NRC is issuing implementation guidance for this rule, RG 5.83,
``Cyber Security Event Notifications'' (Docket ID NRC-2014-0036). The
guidance is available in ADAMS under Accession No. ML14269A388.
Regulatory Guide 5.83 is intended to describe a proposed method that
the NRC staff considers acceptable for use in complying with the NRC's
regulations on cyber security event notifications. Because the
regulatory analysis for the final rule provides sufficient explanation
for the rule and the implementing guidance, a separate regulatory
analysis was not prepared for the regulatory guide.
XVII. Availability of Documents
The documents identified in the following list are available to
interested persons through the ADAMS Accession No. or Federal Register
(FR) citation indicated for each.
SECY-10-0085--Proposed Rule: ``Enhanced Weapons, Firearms Background
Checks and Security Event Notifications'' (RIN: 3150-AI49) (June 27,
2010). ADAMS Accession No. ML101110121.
Staff Requirements--SECY-10-0085--Proposed Rule: Enhanced Weapons,
Firearms Background Checks and Security Event Notifications (RIN:
3150-AI49) (October 19, 2010). ADAMS Accession No. ML102920342.
Proposed Enhanced Weapons, Firearms Background Checks, and Security
Event Notifications Rule (February 3, 2011). 76 FR 6199.
DG-5019, ``Reporting and Recording Safeguards Events'' (February 3,
2011). 76 FR 6085.
Summary of the June 1, 2011, Public Meeting to Discuss the Proposed
Enhanced Weapons, Firearms Background Checks and Security Event
Notifications Rulemaking (June 24, 2011). ADAMS Accession No.
ML111720007.
Bifurcation of the Enhanced Weapons, Firearms Background Checks, and
Security Event Notifications Rule (December 20, 2013). ADAMS Accession
No. ML13280A366.
Staff Requirements--COMSECY-13-0031--Bifurcation of the Enhanced
Weapons, Firearms Background Checks, and Security Event Notification
Rule (January 22, 2014). ADAMS Accession No. ML14023A860.
Regulatory Analysis for Final Rule on Cyber Security Event
Notifications (10 CFR Part 73). ADAMS Accession No. ML14170B076.
Summary of the July 31, 2014, Public Meeting to Discuss the Proposed
Implementation Date of the Draft Cyber Security Event Notification
Final Rule (August 29, 2014). ADAMS Accession No. ML14240A404.
Regulatory Guide 5.83, ``Cyber Security Event Notifications'' (March
2015). ADAMS Accession No. ML14269A388.
CSEN Public Comments Associated with Final Rule. ADAMS Accession No.
ML14226A596.
Final Rule: Cyber Security Event Notification OMB Supporting
Statement. ADAMS Accession No. ML15203A233.
List of Subjects for 10 CFR Part 73
Criminal penalties, Exports, Hazardous materials transportation,
Incorporation by reference, Imports, Nuclear energy, Nuclear materials,
Nuclear power plants and reactors, Penalties, Reporting and
recordkeeping requirements, Security measures.
For the reasons set out in the preamble and under the authority of
the Atomic Energy Act of 1954, as amended; the Energy Reorganization
Act of 1974, as amended; and 5 U.S.C. 552 and 553, the NRC is adopting
the following amendments to 10 CFR part 73.
PART 73--PHYSICAL PROTECTION OF PLANTS AND MATERIALS
1. The authority citation for part 73 continues to read as follows:
Authority: Atomic Energy Act of 1954, secs. 53, 147, 149, 161,
170D, 170E, 170H, 170I, 223, 229, 234, 1701 (42 U.S.C. 2073, 2167,
2169, 2201, 2210d, 2210e, 2210h, 2210i, 2273, 2278a, 2282, 2297f);
Energy Reorganization Act of 1974, secs. 201, 202 (42 U.S.C. 5841,
5842); Nuclear Waste Policy Act of 1982, secs. 135, 141 (42 U.S.C.
10155, 10161); 44 U.S.C. 3504 note.
Section 73.37(b)(2) also issued under Sec. 301, Public Law 96-295,
94 Stat. 789 (42 U.S.C. 5841 note).
2. In Sec. 73.8, revise paragraphs (b) and (c)(1) to read as follows:
Sec. 73.8 Information collection requirements: OMB approval.
* * * * *
(b) The approved information collection requirements contained in
this part appear in Sec. Sec. 73.5, 73.20, 73.21, 73.24, 73.25, 73.26,
73.27, 73.37, 73.38, 73.40, 73.45, 73.46, 73.50, 73.54, 73.55, 73.56,
73.57, 73.58, 73.60, 73.67, 73.70, 73.71, 73.72, 73.73, 73.74, 73.77
and appendices B, C, and G to this part.
(c) * * *
(1) In Sec. Sec. 73.71 and 73.77, NRC Form 366 is approved under
control number 3150-0104.
* * * * *
3. In Sec. 73.22, add a sentence to the end of paragraph (f)(3) to
read as follows:
Sec. 73.22 Protection of Safeguards Information: Specific
requirements.
* * * * *
(f) * * *
(3) * * * Cyber security event notifications required to be
reported pursuant to Sec. 73.77 are considered to be extraordinary
conditions.
* * * * *
4. In Sec. 73.54, add paragraph (d)(4) to read as follows:
Sec. 73.54 Protection of digital computer and communication systems
and networks.
* * * * *
(d) * * *
(4) Conduct cyber security event notifications in accordance with
the provisions of Sec. 73.77.
* * * * *
5. Add Sec. 73.77 to read as follows:
[[Page 67276]]
Sec. 73.77 Cyber security event notifications.
(a) Each licensee subject to the provisions of Sec. 73.54 shall
notify the NRC Headquarters Operations Center via the Emergency
Notification System (ENS), in accordance with paragraph (c) of this
section:
(1) Within one hour after discovery of a cyber attack that
adversely impacted safety-related or important-to-safety functions,
security functions, or emergency preparedness functions (including
offsite communications); or that compromised support systems and
equipment resulting in adverse impacts to safety, security, or
emergency preparedness functions within the scope of Sec. 73.54.
(2) Within four hours:
(i) After discovery of a cyber attack that could have caused an
adverse impact to safety-related or important-to-safety functions,
security functions, or emergency preparedness functions (including
offsite communications); or that could have compromised support systems
and equipment, which if compromised, could have adversely impacted
safety, security, or emergency preparedness functions within the scope
of Sec. 73.54.
(ii) After discovery of a suspected or actual cyber attack
initiated by personnel with physical or electronic access to digital
computer and communication systems and networks within the scope of
Sec. 73.54.
(iii) After notification of a local, State, or other Federal agency
(e.g., law enforcement, FBI, etc.) of an event related to the
licensee's implementation of their cyber security program for digital
computer and communication systems and networks within the scope of
Sec. 73.54 that does not otherwise require a notification under
paragraph (a) of this section.
(3) Within eight hours after receipt or collection of information
regarding observed behavior, activities, or statements that may
indicate intelligence gathering or pre-operational planning related to
a cyber attack against digital computer and communication systems and
networks within the scope of Sec. 73.54.
(b) Twenty-four hour recordable events. (1) The licensee shall use
the site corrective action program to record vulnerabilities,
weaknesses, failures and deficiencies in their Sec. 73.54 cyber
security program within twenty-four hours of their discovery.
(2) The licensee shall use the site corrective action program to
record notifications made under paragraph (a) of this section within
twenty-four hours of their discovery.
(c) Notification process. (1) Each licensee shall make telephonic
notifications required by paragraph (a) of this section to the NRC
Headquarters Operations Center via the ENS. If the ENS is inoperative
or unavailable, the licensee shall make the notification via a
commercial telephone service or other dedicated telephonic system or
any other methods that will ensure a report is received by the NRC
Headquarters Operations Center within the timeframe. Commercial
telephone numbers for the NRC Headquarters Operations Center are
specified in appendix A to this part.
(2) Notifications required by this section that contain Safeguards
Information may be made to the NRC Headquarters Operations Center
without using secure communications systems under the exception in
Sec. 73.22(f)(3) for emergency or extraordinary conditions.
(3) Notifications required by this section that contain Safeguards
Information and/or classified national security information and/or
restricted data must be made to the NRC Headquarters Operations Center
using secure communications systems appropriate to the sensitivity/
classification level of the message. Licensees making these types of
telephonic notifications must contact the NRC Headquarters Operations
Center at the commercial numbers specified in appendix A to this part
and request a transfer to a secure telephone.
(i) If the licensee's secure communications capability is
unavailable (e.g., due to the nature of the security event), the
licensee must provide as much information to the NRC as is required by
this section, without revealing or discussing any Safeguards
Information and/or Classified Information, in order to meet the
timeliness requirements of this section. The licensee must also
indicate to the NRC that its secure communications capability is
unavailable.
(ii) Licensees using a non-secure communications capability may be
directed by the NRC Emergency Response management to provide classified
information to the NRC over the non-secure system, due to the
significance of the ongoing security event. In such circumstances, the
licensee must document this direction and any information provided to
the NRC over a non-secure communications capability in the written
security follow-up report required in accordance with paragraph (d) of
this section.
(4) For events reported under paragraph (a)(1) of this section, the
NRC may request that the licensee maintain an open and continuous
communication channel with the NRC Headquarters Operations Center.
(5) Licensees desiring to retract a previous security event report
that has been determined to not meet the threshold of a reportable
event must telephonically notify the NRC Headquarters Operations Center
and indicate the report being retracted and basis for the retraction.
(6) Declaration of emergencies. Notifications made to the NRC for
the declaration of an emergency class shall be performed in accordance
with Sec. 50.72 of this chapter, as applicable.
(7) Elimination of duplication. Separate notifications and reports
are not required for events that are also reportable in accordance with
Sec. Sec. 50.72 and 50.73 of this chapter. However, these
notifications should also indicate the applicable Sec. 73.77 reporting
criteria.
(d) Written security follow-up reports. Each licensee making an
initial telephonic notification of security events to the NRC according
to the provisions of paragraphs (a)(1), (a)(2)(i), and (a)(2)(ii) of
this section must also submit a written security follow-up report to
the NRC within 60 days of the telephonic notification in accordance
with Sec. 73.4.
(1) Licensees are not required to submit a written security follow-
up report following a telephonic notification made under Sec.
73.77(a)(2)(iii) or (a)(3).
(2) Each licensee shall submit to the NRC written security follow-
up reports that are of a quality that will permit legible reproduction
and processing.
(3) Licensees shall prepare the written security follow-up report
on NRC Form 366.
(4) In addition to the addressees specified in Sec. 73.4, the
licensee shall also provide one copy of the written security follow-up
report addressed to the Director, Office of Nuclear Security and
Incident Response, or the Director's designee. Any written security
follow-up reports containing classified information shall be
transmitted to the NRC Headquarters' classified mailing address as
specified in appendix A to this part.
(5) The written security follow-up report must include sufficient
information for NRC analysis and evaluation.
(6) Significant supplemental information which becomes available
after the initial telephonic notification to the NRC Headquarters
Operations Center or after the submission of the written security
follow-up report must be telephonically reported to the NRC
Headquarters Operations Center under paragraph (c) of this section and
also
[[Page 67277]]
submitted in a revised written security follow-up report (with the
revisions indicated) as required under this section.
(7) Errors discovered in a written security follow-up report must
be corrected in a revised written security follow-up report with the
revision(s) indicated.
(8) The revised written security follow-up report must replace the
previous written security follow-up report; the update must be complete
and not be limited to only supplementary or revised information.
(9) If the licensee subsequently retracts a telephonic notification
made under this section as not meeting the threshold of a reportable
event, and has not yet submitted a written security follow-up report
then submission of a written security follow-up report is not required.
(10) If the licensee subsequently retracts a telephonic
notification made under this section as not meeting the threshold of a
reportable event after it has submitted a written security follow-up
report required by this paragraph, then the licensee shall submit a
revised written security follow-up report in accordance with this
paragraph.
(11) Each written security follow-up report submitted containing
Safeguards Information or Classified Information must be created,
stored, marked, labeled, handled, and transmitted to the NRC according
to the requirements of Sec. Sec. 73.21 and 73.22 or with part 95 of
this chapter, as applicable.
(12) Each licensee shall maintain a copy of the written security
follow-up report of an event submitted under this section as a record
for a period of three years from the date of the report or until the
Commission terminates the license for which the records were developed,
whichever comes first.
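The criteria and clocks in Sec. 73.77 form a decision procedure an incident response lead has to run under time pressure: decide which paragraphs of (a) and (b) the event meets, take the shortest applicable window, record the event in the CAP, and track whether a written follow-up report under (d) is due. The Python helper below is an added example and is not part of the rule, of RG 5.83, or of any licensee's program; it encodes the paragraph structure of Sec. 73.77 as written above. The CyberEvent field names, the Obligation record, the sample events in demo() and the treatment of a not-yet-known call time (discovery time as the earliest possible start of the 60-day clock) are assumptions of this example. Whether an event actually meets a criterion remains a judgment made under the licensee's Cyber Security Plan; the code only turns that judgment into deadlines and citations.

```python
"""Triage helper for the Sec. 73.77 notification criteria: an added example, not
NRC code or guidance. Whether an event meets a criterion is a judgment under the
licensee's CSP and RG 5.83; this only turns that judgment into clocks and cites."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Criterion(Enum):
    A1 = "73.77(a)(1)"           # attack with actual adverse SSEP impact: 1 hour
    A2_I = "73.77(a)(2)(i)"      # attack that could have caused adverse impact: 4 hours
    A2_II = "73.77(a)(2)(ii)"    # suspected/actual attack by personnel with access: 4 hours
    A2_III = "73.77(a)(2)(iii)"  # outside-agency notification, nothing else under (a): 4 hours
    A3 = "73.77(a)(3)"           # intelligence gathering / pre-operational planning: 8 hours
    B1 = "73.77(b)(1)"           # vulnerability, weakness, failure or deficiency: CAP, 24 hours


NOTIFY_WINDOW = {Criterion.A1: timedelta(hours=1), Criterion.A2_I: timedelta(hours=4),
                 Criterion.A2_II: timedelta(hours=4), Criterion.A2_III: timedelta(hours=4),
                 Criterion.A3: timedelta(hours=8)}  # from discovery (receipt of info for (a)(3))
CAP_RECORD_WINDOW = timedelta(hours=24)       # Sec. 73.77(b)
WRITTEN_FOLLOWUP_WINDOW = timedelta(days=60)  # Sec. 73.77(d), from the telephonic notification
FOLLOWUP_REQUIRED = {Criterion.A1, Criterion.A2_I, Criterion.A2_II}  # (d)(1) exempts the rest


@dataclass
class CyberEvent:
    """Facts established at discovery (field set assumed for this example)."""
    discovered_at: datetime
    cyber_attack: bool = False                     # suspected or actual attack on in-scope systems
    adverse_impact: bool = False                   # SSEP functions actually adversely impacted
    potential_adverse_impact: bool = False         # could have caused an adverse impact
    initiated_by_personnel_with_access: bool = False
    outside_agency_notified: bool = False          # local, State or other Federal agency told
    precursor_activity: bool = False               # intelligence gathering / pre-operational planning
    program_deficiency: bool = False               # vulnerability, weakness, failure or deficiency
    also_reportable_under_50_72_or_50_73: bool = False  # triggers the (c)(7) duplication rule


@dataclass
class Obligation:
    criteria: List[Criterion] = field(default_factory=list)
    notify_by: Optional[datetime] = None
    cap_record_by: Optional[datetime] = None
    written_followup_by: Optional[datetime] = None
    notes: List[str] = field(default_factory=list)


def classify(ev: CyberEvent) -> List[Criterion]:
    """Every criterion the event meets, shortest clock first."""
    hits = []
    if ev.cyber_attack and ev.adverse_impact:
        hits.append(Criterion.A1)
    elif ev.cyber_attack and ev.potential_adverse_impact:
        hits.append(Criterion.A2_I)       # "could have" is subsumed once (a)(1) applies
    if ev.cyber_attack and ev.initiated_by_personnel_with_access:
        hits.append(Criterion.A2_II)      # reportable even with no SSEP impact
    if ev.precursor_activity:
        hits.append(Criterion.A3)
    if ev.outside_agency_notified and not hits:
        hits.append(Criterion.A2_III)     # residual: only if nothing else under (a) applies
    if ev.program_deficiency:
        hits.append(Criterion.B1)
    hits.sort(key=lambda c: NOTIFY_WINDOW.get(c, CAP_RECORD_WINDOW))
    return hits


def triage(ev: CyberEvent, notified_at: Optional[datetime] = None) -> Obligation:
    """Deadlines for the event; notified_at is when the ENS call was actually made."""
    ob = Obligation(criteria=classify(ev))
    to_notify = [c for c in ob.criteria if c in NOTIFY_WINDOW]
    if to_notify:
        ob.notify_by = ev.discovered_at + min(NOTIFY_WINDOW[c] for c in to_notify)
        ob.cap_record_by = ev.discovered_at + CAP_RECORD_WINDOW  # (b)(2): record the notification
        if ev.also_reportable_under_50_72_or_50_73:
            ob.notes.append("(c)(7): no separate call; cite the 73.77 criteria in the "
                            "50.72/50.73 notification")
        if any(c in FOLLOWUP_REQUIRED for c in to_notify):
            # The call cannot precede discovery: with no call time yet, discovery is the
            # earliest (conservative) start of the 60-day clock.
            base = notified_at if notified_at is not None else ev.discovered_at
            ob.written_followup_by = base + WRITTEN_FOLLOWUP_WINDOW
    elif Criterion.B1 in ob.criteria:
        ob.cap_record_by = ev.discovered_at + CAP_RECORD_WINDOW  # (b)(1) only, no ENS call
    return ob


def demo() -> Dict[str, Obligation]:
    # Constructed sample events, not real incidents; t0 is the rule's compliance date.
    t0 = datetime(2016, 5, 2, 9, 0)
    insider = CyberEvent(t0, cyber_attack=True, adverse_impact=True,
                         initiated_by_personnel_with_access=True)
    return {
        "insider_with_impact": triage(insider, notified_at=t0 + timedelta(minutes=30)),
        "agency_notified_only": triage(CyberEvent(t0, outside_agency_notified=True)),
        "agency_and_precursor": triage(CyberEvent(t0, outside_agency_notified=True,
                                                 precursor_activity=True)),
        "deficiency_only": triage(CyberEvent(t0, program_deficiency=True)),
    }
```

Two points the code makes explicit that the prose leaves to the reader: (a)(2)(iii) is residual, so an outside-agency notification that coincides with precursor intelligence is reported under (a)(3) alone, and the 60-day clock for the written follow-up runs from the telephone call, not from discovery, so the helper takes the actual call time when it is known. Retraction handling under (c)(5), (d)(9) and (d)(10) is left to the runbook: a call to the Operations Center is always required, and whether a revised Form 366 is also required depends only on whether the original follow-up report has already been submitted.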
Dated at Rockville, Maryland, this 23rd day of October, 2015.
For the Nuclear Regulatory Commission.
Annette L. Vietti-Cook,
Secretary of the Commission.
[FR Doc. 2015-27855 Filed 10-30-15; 8:45 am]
BILLING CODE 7590-01-P