[Federal Register Volume 83, Number 164 (Thursday, August 23, 2018)]
[Proposed Rules]
[Pages 42623-42624]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-18231]



=======================================================================
-----------------------------------------------------------------------

NUCLEAR REGULATORY COMMISSION

10 CFR Chapter I

[NRC-2018-0182]


Cyber Security Programs for Nuclear Power Reactors

AGENCY: Nuclear Regulatory Commission.

ACTION: Draft regulatory guide; request for comment.

-----------------------------------------------------------------------

SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is issuing for 
public comment Draft Regulatory Guide (DG) DG-5061, ``Cyber Security 
Programs for Nuclear Power Reactors.'' This revision incorporates 
lessons learned from operating experience since the original 
publication of the guide. Specifically, this revision clarifies issues 
identified from interim cybersecurity milestone inspections, additional 
insights gained through the Security Frequently Asked Questions (SFAQs) 
process, documented cybersecurity attacks, new technologies, and new 
regulations. This revision also considers the changes in the most 
recent revision to the National Institute of Standards and Technology 
(NIST) Special Publication (SP) 800-53, upon which Revision 0 of RG 
5.71 was based.

DATES: Submit comments by October 22, 2018. Comments received after 
this date will be considered if it is practical to do so, but the NRC 
is able to ensure consideration only for comments received on or before 
this date. Although a time limit is given, comments and suggestions in 
connection with items for inclusion in guides currently being developed 
or improvements in all published guides are encouraged at any time.

ADDRESSES: You may submit comments by any of the following methods:
     Federal Rulemaking Website: Go to http://www.regulations.gov 
and search for Docket ID NRC-2018-0182. Address questions about NRC 
dockets to Jennifer Borges; telephone: 301-287-9127; email: 
[email protected]. For technical questions, contact the 
individuals listed in the FOR FURTHER INFORMATION CONTACT section of 
this document.
     Mail comments to: May Ma, Office of Administration, Mail 
Stop: ON 2A13, U.S. Nuclear Regulatory Commission, Washington, DC 
20555-0001.
    For additional direction on accessing information and submitting 
comments, see ``Accessing Information and Submitting Comments'' in the 
SUPPLEMENTARY INFORMATION section of this document.

FOR FURTHER INFORMATION CONTACT: Kim Lawson-Jenkins, Office of Nuclear 
Security and Incident Response, telephone: 301-287-3656; email: 
[email protected], and Mekonen Bayssie, Office of Nuclear 
Regulatory Research, telephone: 301-415-1699; email: 
[email protected]. Both are staff of the U.S. Nuclear Regulatory 
Commission, Washington, DC 20555-0001.

SUPPLEMENTARY INFORMATION:

I. Obtaining Information and Submitting Comments

A. Obtaining Information

    Please refer to Docket ID NRC-2018-0182 when contacting the NRC 
about the availability of information regarding this document. You may 
obtain publicly available information related to this document by 
any of the following methods:
     Federal Rulemaking Website: Go to http://www.regulations.gov 
and search for Docket ID NRC-2018-0182.
     NRC's Agencywide Documents Access and Management System 
(ADAMS): You may access publicly available documents online in the 
ADAMS Public Documents collection at 
http://www.nrc.gov/reading-rm/adams.html. To begin the search, select 
``Begin Web-based ADAMS 
Search.'' For problems with ADAMS, please contact the NRC's Public 
Document Room (PDR) reference staff at 1-800-397-4209, 301-415-4737, or 
by email to [email protected]. DG-5061 is available in ADAMS under 
Accession No. ML18016A129.
     NRC's PDR: You may examine and purchase copies of public 
documents at the NRC's PDR, Room O1-F21, One White Flint North, 11555 
Rockville Pike, Rockville, Maryland 20852.

B. Submitting Comments

    Please include Docket ID NRC-2018-0182 in your comment submission. 
The NRC cautions you not to include identifying or contact information 
that you do not want to be publicly disclosed in your comment 
submission. The NRC posts all comment submissions at 
http://www.regulations.gov and enters the comment submissions into 
ADAMS. The NRC does not routinely edit comment submissions to remove 
identifying or contact information.
    If you are requesting or aggregating comments from other persons 
for submission to the NRC, then you should inform those persons not to 
include identifying or contact information that they do not want to be 
publicly disclosed in their comment submission. Your request should 
state that the NRC does not routinely edit comment submissions to 
remove such information before making the comment submissions available 
to the public or entering the comment submissions into ADAMS.

II. Additional Information

    The NRC is issuing for public comment a DG in the NRC's 
``Regulatory Guide'' series. This series was developed to describe and 
make available to the public information regarding methods that are 
acceptable to the NRC staff for implementing specific parts of the 
NRC's regulations, techniques that the staff uses in evaluating 
specific issues or postulated events, and data that the staff needs in 
its review of applications for permits and licenses.
    The DG, titled ``Cyber Security Programs for Nuclear Power 
Plants,'' is temporarily identified by its task number, DG-5061. 
DG-5061 is a proposed revision (Revision 1) to RG 5.71, ``Cyber Security 
Programs for Nuclear Power Plants.'' It provides NRC licensees with 
guidance on meeting the cybersecurity requirements described in title 
10 of the Code of Federal Regulations (10 CFR) Sec.  73.54, 
``Protection of digital computer and communication systems and 
networks.''
    This revision clarifies issues identified from interim 
cybersecurity milestone inspections, additional insights gained through 
the SFAQs process, documented cybersecurity attacks, new technologies, 
and new regulations. In addition, it considers changes in NIST SP 
800-53, upon which Revision 0 of RG 5.71 was based.
    In 2010, the Commission issued Staff Requirements Memorandum (SRM), 
SRM-COMWCO-10-0001 (ADAMS Accession No. ML102940009), which clarified 
the scope of the cyber security rule with regard to balance of plant 
(BOP) systems. This revision to RG 5.71 includes guidance for 
structures, systems, and components (SSCs) in the BOP.
    In 2015, the NRC published the regulation 10 CFR 73.77 and its 
associated guidance, RG 5.83, which provides guidance on cyber security 
event notifications. This rule established requirements clarifying the 
types of cyber attacks that require notification to the NRC, the 
timeliness for making the notifications, how licensees make 
notifications, and how to submit follow-up written reports to the NRC.

III. Backfitting and Issue Finality

    DG-5061 describes a method that the staff of the NRC considers 
acceptable for use by nuclear power plant licensees in meeting the 
cybersecurity requirements in 10 CFR 73.54. The 
revision updates the guidance by incorporating lessons learned and 
guidance documents since the original publication of the guide.
    On October 21, 2010, the Commission issued SRM-COMWCO-10-0001, 
which clarified the scope of the cyber security rule. In the SRM, the 
Commission determined as a matter of policy that the NRC's cyber 
security regulation (10 CFR 73.54) should be interpreted to include 
Systems, Structures, and Components in the Balance of Plant that have a 
nexus to radiological health and safety at NRC-licensed nuclear power 
plants. The Commission clarified the scope of the rule to include 
digital assets previously covered by cyber security regulations of the 
Federal Energy Regulatory Commission. In response to this SRM, the 
licensees updated their cyber security plans to incorporate BOP 
systems. This revision includes guidance for SSCs in the BOP.
    Issuance of this DG, if finalized, would not constitute backfitting 
as defined in 10 CFR 50.109 (the Backfit Rule) and would not otherwise 
be inconsistent with the issue finality provisions in 10 CFR part 52. 
As discussed in the ``Implementation'' section of this DG, the NRC has 
no current intention to impose this guide, if finalized, on holders of 
current operating licenses or combined licenses.
    However, the scope of issue finality provided extends only to the 
matters resolved in the license or regulatory approval. Early site 
permits, design certification rules, and standard design approvals 
typically do not address or resolve compliance with operational 
programs such as the cybersecurity requirements in 10 CFR 73.54. 
Therefore, the various issue finality provisions would not apply to 
applications referencing an early site permit, design certification 
rule, or standard design approval with respect to the security matters 
addressed in this draft regulatory guide.

    Dated at Rockville, Maryland, this 20th day of August, 2018.

    For the Nuclear Regulatory Commission.
Thomas H. Boyce,
Chief, Regulatory Guide and Generic Issues Branch, Division of 
Engineering, Office of Nuclear Regulatory Research.
[FR Doc. 2018-18231 Filed 8-22-18; 8:45 am]