[Federal Register Volume 83, Number 94 (Tuesday, May 15, 2018)]
[Proposed Rules]
[Pages 22413-22414]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-10358]
�========================================================================
�Proposed Rules
� Federal Register
�________________________________________________________________________
�
�This section of the FEDERAL REGISTER contains notices to the public of
�the proposed issuance of rules and regulations. The purpose of these
�notices is to give interested persons an opportunity to participate in
�the rule making prior to the adoption of the final rules.
�
�========================================================================
�
��Federal Register / Vol. 83, No. 94 / Tuesday, May 15, 2018 / Proposed
Rules��
[[Page 22413]]
NUCLEAR REGULATORY COMMISSION
10 CFR Part 37
[NRC-2015-0019]
RIN 3150-AJ56
Cyber Security for Byproduct Materials Licensees
AGENCY: Nuclear Regulatory Commission.
ACTION: Discontinuation of rulemaking activity.
-----------------------------------------------------------------------
SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is discontinuing
the rulemaking activity that would have developed cyber security
requirements for byproduct materials licensees possessing risk-
significant quantities of radioactive materials. The purpose of this
action is to inform members of the public of the discontinuation of the
rulemaking activity and to provide a brief discussion of the NRC's
decision. The rulemaking activity will no longer be reported in the
NRC's portion of the Unified Agenda of Regulatory and Deregulatory
Actions (the Unified Agenda).
DATES: As of May 15, 2018, the rulemaking activity discussed in this
document is discontinued.
ADDRESSES: Please refer to Docket ID NRC-2015-0019 when contacting the
NRC about the availability of information regarding this action. You
may obtain publicly available information related to this document
using any of the following methods:
Federal Rulemaking website: Go to http://www.regulations.gov and search for Docket ID NRC-2015-0019. Address
questions about NRC dockets to Carol Gallagher; telephone: 301-415-
3463; email: [email protected]. For technical questions, contact
the individual listed in the FOR FURTHER INFORMATION CONTACT section of
this document.
NRC's Agencywide Documents Access and Management System
(ADAMS): You may obtain publicly-available documents online in the
ADAMS Public Documents collection at http://www.nrc.gov/reading-rm/adams.html. To begin the search, select ``ADAMS Public Documents'' and
then select ``Begin Web-based ADAMS Search.'' For problems with ADAMS,
please contact the NRC's Public Document Room (PDR) reference staff at
1-800-397-4209, 301-415-4737, or by email to [email protected]. The
ADAMS accession number for each document referenced (if it is available
in ADAMS) is provided the first time that it is mentioned in the
SUPPLEMENTARY INFORMATION section.
NRC's PDR: You may examine and purchase copies of public
documents at the NRC's PDR, Room O1F21, One White Flint North, 11555
Rockville Pike, Rockville, Maryland 20852.
FOR FURTHER INFORMATION CONTACT: Vanessa Cox, Office of Nuclear
Material Safety and Safeguards, U.S. Nuclear Regulatory Commission,
Washington, DC 20555-0001; telephone: 301-415-8342; email:
[email protected].
SUPPLEMENTARY INFORMATION:
I. Discussion
The NRC and Agreement States are responsible for overseeing and
implementing the National Materials Program to enable the safe and
secure use of radioactive materials licensed for commercial,
industrial, academic, and medical uses. The program includes thousands
of byproduct materials licensees in varying operating environments,
ranging from small industrial radiography and well-logging businesses
to large manufacturing facilities, universities, and medical
facilities. The majority of the licensees that possess risk-significant
quantities of radioactive materials are regulated by Agreement States.
Risk-significant quantities of radioactive material are defined as
those meeting the thresholds for Category 1 and Category 2 included in
appendix A to part 37 of title 10 of the Code of Federal Regulations
(10 CFR), ``Physical Protection of Category 1 and Category 2 Quantities
of Radioactive Material.''
In a Commission paper, SECY-12-0088, ``The Nuclear Regulatory
Commission Cyber Security Roadmap,'' dated June 25, 2012 (ADAMS
Accession No. ML12135A050), the NRC staff described its plan to
evaluate the need for cyber security requirements for NRC and Agreement
State licensees and facilities, including byproduct materials
licensees. As described in that paper, the NRC staff planned to form a
working group, with Agreement State participation, to develop self-
assessment tools for licensees and conduct a limited number of site
visits. Based on the results of these assessments and site visits, the
working group intended to prepare a paper outlining potential actions
for Commission consideration.
In July 2013, the NRC established the Byproduct Materials Cyber
Security Working Group, comprised of headquarters and regional NRC
staff and representation from the Organization of Agreement States. The
purpose of the working group was to identify potential cyber security
vulnerabilities among commercial, medical, industrial, and academic
users of risk-significant radioactive materials and determine if the
results warranted regulatory action. The working group worked with the
NRC's Intelligence Liaison and Threat Assessment Branch, which
regularly monitors the threats associated with cyber security and
shares cyber threat information with licensees, as appropriate.
The working group identified four sets of digital assets that the
NRC should evaluate with respect to cyber threat protection:
(1) Digital/microprocessor-based systems and devices that support
the physical security of the licensee's facilities. These include
access control systems, physical intrusion detection and alarm systems,
video camera monitoring systems, digital video recorders, door alarms,
motion sensors, keycard readers, and biometric scanners;
(2) Equipment and devices with software-based control, operation,
and automation features, such as panoramic irradiators and gamma
knives;
(3) Computers and systems used to maintain source inventories,
audit data, and records necessary for compliance with security
requirements and regulations; and
(4) Digital technology used to support incident response
communications and coordination such as digital packet radio systems,
digital repeater stations, and digital trunk radio systems.
On January 6, 2016, the NRC staff submitted a memorandum to the
[[Page 22414]]
Commission titled ``Staff Activities Related to the Evaluation of
Materials Cyber Security Vulnerabilities'' (ADAMS Accession No.
ML15201A509). This memorandum informed the Commission of the ongoing
evaluation to determine the cyber security risk to each of the four
sets of digital assets for risk-significant radioactive materials
licensees, and described the two-pronged approach focused on
information gathering and consequence analysis that was used.
As part of the information gathering effort, the NRC staff
distributed a voluntary survey, ``Questionnaire on Cyber Security at
Byproduct Materials Licensees'' (ADAMS Accession No. ML15246A306) on
April 29, 2016, to all NRC and Agreement State licensees that possessed
Category 1 and 2 quantities of radioactive materials. The purpose of
the questionnaire was to identify what key digital assets existed at
each licensee type, how they were connected to internal/external
networks and the internet, and what technical and procedural security
measures were in place for protection and operation of these systems
and devices. The NRC staff also conducted outreach to stakeholders to
encourage completion of the questionnaire, and site visits to
manufacturers and panoramic irradiator licensees.
The consequence analysis was conducted in parallel with the
information gathering effort, and evaluated the potential for onsite
and offsite consequences that could occur if the availability,
integrity, or confidentiality of data or systems associated with
nuclear materials were compromised by a cyber attack.
Given the regulatory responsibilities of the U.S. Food and Drug
Administration (FDA), the NRC limited its evaluation of the software
systems used in medical applications to the systems related to the
radiation safety and physical protection authority of the NRC. The NRC
has a memorandum of understanding with the FDA that clarifies the
respective roles of each agency in regulating the safe use of
radiopharmaceuticals and sealed sources, and other medical devices
containing radioactive material (ADAMS Accession No. ML023520399).
Additional information on the FDA's activities, role, and expectations
for the continued cyber security of medical devices can be found at
https://www.fda.gov/downloads/medicaldevices/digitalhealth/ucm544684.pdf.
On February 28, 2017, the NRC staff provided an update to the
Commission on the status of agency activities pertaining to cyber
security at licensee facilities in a Commission paper, SECY-17-0034,
``Update to the U.S. Nuclear Regulatory Commission Cyber Security
Roadmap'' (ADAMS Accession No. ML16354A258). The update noted the NRC
staff's further consideration of cyber security requirements for
radioactive materials licensees since the January 2016 memorandum.
Additionally, the paper stated that the working group planned to
complete its evaluation of the questionnaire responses, consequence
analysis, and any follow-up communication with stakeholders and develop
recommendations for a path forward.
Subsequently, the NRC completed its evaluation of cyber security
requirements for byproduct materials licensees in October 2017.
The NRC staff concluded that byproduct materials licensees that
possess risk-significant quantities of radioactive material do not rely
solely on digital assets to ensure safety or physical protection.
Rather, these licensees generally use a combination of measures, such
as doors, locks, barriers, human resources, and operational processes,
to ensure security, which reflects a defense-in-depth approach to
physical protection and safety. As a result, the staff concluded that a
compromise of any of the digital assets identified in the January 6,
2016, Commission memorandum would not result in a direct dispersal of
risk-significant quantities of radioactive material, or exposure of
individuals to radiation, without a concurrent and targeted breach of
the physical protection measures in force for these licensees.
Therefore, the NRC staff determined that the current cyber security
threat and potential consequences do not warrant regulatory action.
However, the NRC staff determined that it would be prudent to issue an
Information Notice (IN) to communicate effective practices for cyber
security to byproduct materials licensees possessing risk-significant
quantities of radioactive material. The IN will provide licensees with
a better understanding of contemporary cyber security issues and
strategies to protect digital assets (e.g., computers, digital alarm
systems), including those used to facilitate compliance with physical
security requirements, such as those in 10 CFR part 37. The IN, which
will reference existing cyber security guidance developed by the NRC's
Office of Nuclear Reactor Regulation and other Federal agencies, will
be issued later in 2018.
II. Conclusion
For the reasons discussed in this document, the NRC is
discontinuing rulemaking activity to develop cyber security
requirements for byproduct materials licensees possessing risk-
significant quantities of radioactive materials. In the next edition of
the Unified Agenda, the NRC will update the entry for this rulemaking
activity and refer to this document to indicate that the rulemaking has
been discontinued. This rulemaking activity will appear in the
``Completed Actions'' section of the next edition of the Unified
Agenda, but will not appear in future editions. If the NRC decides to
pursue similar or related rulemaking activities in the future, it will
inform the public through a new rulemaking entry in the Unified Agenda.
Dated at Rockville, Maryland, this 10th day of May, 2018.
For the Nuclear Regulatory Commission.
Victor McCree,
Executive Director for Operations.
[FR Doc. 2018-10358 Filed 5-14-18; 8:45 am]
BILLING CODE 7590-01-P