[Federal Register Volume 86, Number 151 (Tuesday, August 10, 2021)]
[Proposed Rules]
[Pages 43599-43609]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-16889]


 ========================================================================
 Proposed Rules
                                                 Federal Register
 ________________________________________________________________________
 
 This section of the FEDERAL REGISTER contains notices to the public of 
 the proposed issuance of rules and regulations. The purpose of these 
 notices is to give interested persons an opportunity to participate in 
 the rule making prior to the adoption of the final rules.
 
 ========================================================================
 

  Federal Register / Vol. 86, No. 151 / Tuesday, August 10, 2021 / 
Proposed Rules  

[[Page 43599]]



NUCLEAR REGULATORY COMMISSION

10 CFR Part 73

[Docket No. PRM-73-18; NRC-2014-0165]


Protection of Digital Computer and Communication Systems and 
Networks

AGENCY: Nuclear Regulatory Commission.

ACTION: Petition for rulemaking; denial.

-----------------------------------------------------------------------

SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is denying a 
petition for rulemaking (PRM), dated June 12, 2014, submitted by 
Anthony Pietrangelo on behalf of the Nuclear Energy Institute. The 
petitioner requested that the NRC amend its power reactor cyber 
security regulations to make them consistent with the original intent 
of the rule and clarify that the scope of those regulations only 
require the protection of those digital assets that can directly cause 
core damage and spent fuel sabotage, or whose failure would cause a 
reactor scram. The petition was docketed by the NRC on September 22, 
2014, and assigned Docket No. PRM-73-18. The NRC staff has determined 
that the information presented in PRM-73-18 does not support 
rulemaking. The NRC has also determined that existing and ongoing 
revisions to guidance can effectively address the issues raised by the 
petitioner in this PRM. Therefore, for the reasons discussed in the 
SUPPLEMENTARY INFORMATION of this document, the NRC is denying PRM-73-
18.

DATES: The docket for the petition for rulemaking, PRM-73-18, is closed 
on August 10, 2021.

ADDRESSES: Please refer to Docket ID NRC-2014-0165 when contacting the 
NRC about the availability of information for this action. You may 
obtain publicly-available information related to this action by any of 
the following methods:
     Federal Rulemaking website: Go to https://www.regulations.gov and search for Docket ID NRC-2014-0165. Address 
questions about NRC dockets to Dawn Forder; telephone: 301-415-3407; 
email: [email protected]. For technical questions, contact the 
individuals listed in the FOR FURTHER INFORMATION CONTACT section of 
this document.
     NRC's Agencywide Documents Access and Management System 
(ADAMS): You may obtain publicly-available documents online in the 
ADAMS Public Documents collection at https://www.nrc.gov/reading-rm/adams.html. To begin the search, select ``Begin Web-based ADAMS 
Search.'' For problems with ADAMS, please contact the NRC's Public 
Document Room (PDR) reference staff at 1-800-397-4209, 301-415-4737, or 
by email to [email protected]. For the convenience of the reader, 
the ADAMS accession numbers and instructions about obtaining materials 
referenced in this document are provided in the ``Availability of 
Documents'' section of this document. The incoming petition is 
available in ADAMS under Accession No. ML14184B120.
     Attention: The PDR, where you may examine and order copies 
of public documents, is currently closed. You may submit your request 
to the PDR via email at [email protected] or call 1-800-397-4209 
between 8:00 a.m. and 4:00 p.m. (EST), Monday through Friday, except 
Federal holidays.

FOR FURTHER INFORMATION CONTACT: Juan Lopez, Office of Nuclear Material 
Safety and Safeguards; telephone: 301-415-2338; email: 
[email protected]; or Ilka Berrios, Office of Nuclear Material Safety 
and Safeguards; telephone: 301-415-2404; email: [email protected]. 
Both are staff of the U.S. Nuclear Regulatory Commission, Washington, 
DC 20555-0001.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. The Petition
II. Background
III. Reasons for Denial
IV. Public Comments on the Petition
V. Availability of Documents
VI. Conclusion

I. The Petition

    Section 2.802 of title 10 of the Code of Federal Regulations (10 
CFR), ``Petition for rulemaking--requirements for filing,'' provides an 
opportunity for any person to petition the Commission to issue, amend, 
or rescind any regulation. On June 12, 2014, the NRC received a PRM 
from Anthony Pietrangelo on behalf of the Nuclear Energy Institute (NEI 
or the petitioner). The petitioner requested that the NRC amend its 
regulations in Sec.  73.54, ``Protection of digital computer and 
communication systems and networks,'' to clarify the scope of Sec.  
73.54(a) to only protect those systems and networks associated with 
structures, systems, or components (SSCs) that are either necessary to 
prevent core damage and spent fuel sabotage, or whose failure would 
cause a reactor scram.
    The NRC identified two principal issues in the petition. First, the 
petitioner asserts that a rulemaking is needed to clarify the language 
in Sec.  73.54(a) to make it consistent with the original intent of 
this provision to protect against radiological sabotage by only 
protecting those digital assets that if compromised could directly 
cause significant core damage or spent fuel sabotage, or whose failure 
would cause a reactor scram. Second, the petitioner asserts that what 
it sees as the broad scoping language in Sec.  73.54(a)(1) goes 
considerably beyond the scope of systems and networks necessary to 
prevent radiological sabotage, unnecessarily diverting licensee 
attention from the protection of those digital assets having a direct 
relationship to radiological sabotage. According to the petitioner, the 
time, resources, and costs of protecting from a cyber attack those 
digital assets not directly related to preventing radiological sabotage 
are inconsistent with the intent of the cyber security rule and are not 
justified. As discussed in the ``Reasons for Denial'' section of this 
document, the petitioner presented several assertions to support its 
petition that the NRC considered in the evaluation the PRM. On 
September 22, 2014, the NRC published a notice of docketing of PRM-73-
18 in the Federal Register along with a request for public comment.

II. Background

    Following the terrorist attacks of September 11, 2001, the NRC 
conducted a review of its security requirements to ensure that nuclear 
power reactors and other licensed facilities could effectively protect 
against the changing threat environment. Based on this review, the

[[Page 43600]]

NRC issued a series of security orders imposing new security 
requirements on nuclear power reactors and other facilities. In NRC 
Order EA-02-026, ``Interim Safeguards and Security Compensatory 
Measures for Nuclear Power Plants,'' dated February 25, 2002, the NRC 
required licensees to address certain cyber security threats at their 
facilities to protect against a cyber attack. A subsequent order, NRC 
Order EA-03-086, ``Issuance of Order Requiring Compliance with Revised 
Design Basis Threat for Operating Power Reactors,'' dated April 29, 
2003, required licensees to address additional cyber attack 
characteristics.
    In 2006, the NRC published in the Federal Register a proposed 
rulemaking, ``Power Reactor Security Requirements'' (71 FR 62664; 
October 26, 2006), to amend its existing security requirements and add 
new security requirements applicable to nuclear power reactors. This 
proposed rule contained a new Sec.  73.55(m), ``Digital computer and 
communication networks.'' Section 73.55(m)(1) would have required 
nuclear power reactor licensees to protect computer systems that, if 
compromised, would adversely impact safety, security and emergency 
preparedness (SSEP). Section 73.55(m)(2) would have required licensees 
to systematically assess and manage cyber risks at their facilities. 
The NRC received comments on the proposed rule, including comments on 
Sec.  73.55(m).
    After considering all comments, the NRC issued a final rule, 
``Power Reactor Security Requirements,'' (74 FR 13926; March 27, 2009). 
This final rule relocated the cyber security requirements in the 
proposed rule's Sec.  73.55(m) to a new stand-alone Sec.  73.54 in the 
final rule. As noted by the Commission in the 2009 final rule Statement 
of Considerations (SOC), relocating the cyber security requirements 
into their own stand-alone section was appropriate because the 
implementation of a cyber security program requires a uniquely 
independent technical expertise and knowledge that would not 
necessarily be implemented by security personnel. As further noted, 
placing the cyber security requirements in a stand-alone section would 
enable these requirements to be made applicable to other types of 
facilities in the future, if warranted.
    In 2013, the NRC began performing inspections of NRC licensees' 10 
CFR 73.54 cyber security programs. By 2016, the NRC had completed 
initial inspections of all NRC licensees' cyber security programs. 
During this period of time, both industry and the NRC gained valuable 
insights and lessons learned from implementation of the NRC's cyber 
security requirements.
    In January 2019, the Office of Nuclear Security and Incident 
Response's (NSIR) Cyber Security Branch initiated an assessment of the 
NRC's cyber security regulations and Power Reactor Cyber Security 
Program. Its purpose was to identify key areas of improvement that 
would strengthen the NRC's Power Reactor Cyber Security Program. The 
cyber assessment team engaged with external stakeholders to gain 
additional insights. The Cyber Security Branch in NSIR completed its 
assessment of the NRC's Power Reactor Cyber Security Program in July 
2019. The assessment identified several enhancements to the Power 
Reactor Cyber Security Program, and the NRC staff developed an action 
plan to facilitate and prioritize implementation of these enhancements. 
The enhancements are intended to further risk-inform the NRC's Power 
Reactor Cyber Security Program. Based on the assessment results, the 
NRC determined that there was a need to further revise guidance 
documents beyond updates already implemented by industry stakeholders 
to, among other things, address issues associated with the scoping of 
critical digital assets (CDAs).

III. Reasons for Denial

    The NRC is denying the petition because the petitioner did not 
present sufficient new information to warrant the requested changes to 
the NRC's regulations in Sec.  73.54. Specifically, the petitioner did 
not show that the regulatory language in Sec.  73.54(a) is inconsistent 
with the original intent of this provision or the cyber security rule 
and did not show that the regulatory language in Sec.  73.54(a)(1) is 
overly broad. Furthermore, an assessment of the NRC's cyber security 
regulations and Power Reactor Cyber Security Program performed by NRC 
staff as a separate effort from the review of this petition determined 
that existing and ongoing revisions to guidance can effectively address 
the issues raised by the petitioner in this PRM without the need for 
rulemaking.

Assertions in the Petition

    The assertions made by the petitioner in Section III of PRM-73-18, 
``Bases for the Action Requested by Petitioner,'' are summarized in the 
following paragraphs along with the NRC's responses to those 
assertions.
    Assertion A in Section III of the PRM:
    In support of its PRM, the petitioner asserts, in part, that the 
scoping language in Sec.  73.54(a) was not included in the 2006 
proposed rule and was added to the 2009 final rule without the 
opportunity for public notice and comment. The petitioner further 
asserts that the effects of this scoping language were likely not clear 
when the final rule was issued.
    NRC Response to Assertion A:
    The NRC disagrees with the petitioner's Assertion A. The 2006 
proposed rule contained a new Sec.  73.55(m) titled ``Digital computer 
and communication networks.'' Section 73.55(m)(1) would have required 
licensees to have a cyber security program that would protect computer 
systems that, if compromised, would adversely impact SSEP. The NRC 
received several comments on the cyber security requirements in the 
2006 proposed rule. This included a comment that the term ``protected 
computer system'' used in Sec.  73.55(m)(1)(iii) lacked clarity and 
should be better defined in the final rule. As the Commission stated in 
the SOC to the 2009 final rule, in response to a public comment, the 
NRC revised the language in Sec.  73.55(m)(1), renumbered as Sec.  
73.54(a) in the 2009 final rule, to provide a more detailed list of the 
types of computer systems and networks requiring protection from a 
cyber attack consistent with the language in the proposed rule.
    The language in Sec.  73.55(m)(1) of the 2006 proposed rule put 
licensees on notice that they were required to protect computer systems 
that, if compromised, could adversely affect SSEP. The language in 
Sec.  73.54(a) of the 2009 final rule, while modifying the 2006 
language from ``SSEP'' to ``SSEP functions'' to better identify the 
computer systems and networks requiring protection, did not 
significantly change any cyber security requirements from the proposed 
rule to the final rule. The 2009 language is consistent with, and a 
logical outgrowth of, the language in the 2006 proposed rule. 
Accordingly, the NRC was not required to submit this clarifying 
language for public notice and comment.
    Assertion B in Section III of the PRM:
    The petitioner asserts that one result of the Sec.  73.54(a)(1) 
language in the 2009 final rule was to enlarge the scope of digital 
assets to be protected from cyber attack beyond what the Commission 
originally intended in the 2006 proposed rule. The petitioner further 
asserts that the Sec.  73.54(a)(1) language requires licensees to 
implement cyber security controls on hundreds to thousands of digital 
assets, most of which do not, even if compromised, have a direct 
relationship to radiological

[[Page 43601]]

sabotage. According to the petitioner, this creates an inconsistency 
between the NRC's cyber security requirements and the Sec.  73.55 
physical protection program. The petitioner, citing Sec.  73.55(b)(3) 
and referencing the existing process used to identify target sets, 
asserts that the performance objectives of the Sec.  73.55 physical 
protection program must protect against significant core damage and 
spent fuel sabotage. However, according to the petitioner, because the 
current language in Sec.  73.54(a)(1) requires the protection of 
digital assets that cannot, even if compromised, result in significant 
core damage or spent fuel sabotage, it is inconsistent with the 
performance objectives of the Sec.  73.55 physical protection program.
    NRC Response to Assertion B:
    The NRC disagrees with the petitioner's Assertion B. The petitioner 
asserts that the language in Sec.  73.54(a)(1) is inconsistent with the 
cyber security rule's original intent of protecting against the Design 
Basis Threat (DBT) of radiological sabotage. The petitioner's assertion 
is predicated on the assumption that protecting against the DBT of 
radiological sabotage is limited to only protecting that equipment and 
those digital assets that can directly cause significant core damage or 
spent fuel sabotage.
    The NRC agrees that, consistent with the regulatory language in 
Sec.  73.54(b)(3) and Sec.  73.55(b)(3), a licensee's cyber security 
program must protect against significant core damage and spent fuel 
sabotage. However, the NRC does not agree that protecting against the 
radiological sabotage DBT only involves protecting those digital assets 
that can directly cause significant core damage and spent fuel 
sabotage. Rather, protecting against radiological sabotage also 
involves protecting those digital assets that could either directly or 
indirectly cause significant core damage or spent fuel sabotage. 
Additionally, the NRC included EP systems in the cyber security rule 
because such systems are essential to mitigate the consequences of 
radiological sabotage. Accordingly, for the reasons described in this 
section, the NRC does not agree that the language in Sec.  73.54(a)(1) 
is inconsistent with either the cyber security rule's original intent 
of protecting against the DBT of radiological sabotage or inconsistent 
with the performance objectives of Sec.  73.55.
    There is nothing in the language of either the 2006 proposed rule 
or the 2009 final rule that supports the petitioner's assertion. 
Section 73.54(a) of the 2009 final rule states the general performance 
objective that licensees must protect against the DBT as described in 
Sec.  73.1. There is no language indicating that protecting against the 
DBT is limited to protecting only those digital assets that can 
directly cause significant core damage or spent fuel sabotage. 
Similarly, Regulatory Guide (RG) 5.71, ``Cyber Security Program for 
Nuclear Facilities,'' and the other documents cited by the petitioner 
reiterate the general performance objective that licensees must protect 
against the DBT and prevent significant core damage or spent fuel 
damage.
    The petitioner references the existing process used to identify 
target sets to support the assertion that the performance objectives of 
the Sec.  73.55 physical protection program only require protection 
against significant core damage and spent fuel sabotage. As noted 
previously, the NRC agrees that a licensee's cyber security program 
must protect against significant core damage and spent fuel sabotage. 
The NRC further agrees that the process for developing and identifying 
target sets defines the set of equipment that must be protected from a 
physical attack to prevent significant core damage and spent fuel 
sabotage. The NRC notes that Sec.  73.55(f)(2) requires that licensees 
consider cyber attacks in the development and identification of target 
sets. However, the purpose of the cyber security language in Sec.  
73.55(f)(2) is to identify a specific type of threat that target sets 
must be protected from. This language is not intended and should not be 
used to define the scope of the NRC's cyber security requirements.
    As previously noted in the NRC's response to petitioner's Assertion 
A, Sec.  73.55(m)(1) of the 2006 proposed rule would have required 
licensees to have a cyber security program that would protect computer 
systems that, if compromised, would adversely impact SSEP. In the SOC 
to the 2006 proposed rule, the NRC explained that the cyber security 
requirements were designed to minimize potential attack pathways and 
the consequences of a successful cyber attack. These requirements are 
part of a defense-in-depth strategy to protect SSEP digital assets 
that, if compromised, could directly or indirectly result in 
radiological sabotage at an NRC-licensed nuclear power plant. 
Additionally, the NRC included EP systems in the cyber security rule 
because such systems are essential to mitigate the consequences of 
radiological sabotage.
    The NRC made a conscious and deliberate decision to include 
computer and network systems that could affect SSEP functions in the 
cyber security rule, even though not all of the equipment and digital 
assets requiring protection that are associated with those systems can 
directly cause significant core damage or spent fuel sabotage. The NRC 
further explained that as computer technology is increasingly 
integrated into nuclear power plants, many plant safety and security 
systems rely on this technology to carry out their functions. The NRC 
intended that digital assets associated with such systems be protected 
to minimize potential attack pathways that could indirectly or directly 
result in radiological sabotage. Accordingly, the NRC does not agree 
with the petitioner's assertion that the original intent of the cyber 
security requirements in the 2006 proposed rule was limited to 
protecting only those digital assets that could directly cause 
significant core damage or spent fuel sabotage. For these reasons, the 
NRC has determined that the language in Sec.  73.54(a)(1) is consistent 
with the original intent of the 2006 proposed rule and is consistent 
with the performance objectives in Sec.  73.55.
    Assertion C in Section III of the PRM:
    The petitioner asserts that the language in Sec.  73.54(a)(1) 
unnecessarily requires licensees to focus on protecting hundreds to 
thousands of digital assets at their sites that are, in some way, 
associated with the SSEP functions identified in Sec.  73.54(a)(1). The 
petitioner asserts that many of these digital assets have no nexus to 
radiological sabotage. As a result, the considerable time, resources 
and costs needed to protect these assets is not justified. The 
petitioner further asserts that granting the petition will lead to a 
more efficient use of licensee resources without compromising plant 
safety or security.
    NRC Response to Assertion C:
    The NRC disagrees with the petitioner's assertion that the NRC's 
cyber security requirements in Sec.  73.54(a)(1) require the protection 
of hundreds, and in some cases thousands, of digital assets that have 
no nexus to radiological sabotage. Section 73.54(a)(1) requires that 
licensees protect digital computer and communication systems and 
networks associated with SSEP functions from a cyber attack. The NRC 
recognizes that these systems may contain hundreds and possibly 
thousands of digital assets. It is not the NRC's expectation that all 
digital assets associated with such functions will necessarily require 
protection in accordance with the NRC's cyber security requirements. 
Consistent with the requirements in Sec.  73.54(a)(2), only those 
digital assets that could adversely impact SSEP functions are within 
the scope of the NRC's cyber

[[Page 43602]]

security requirements and must be protected against a cyber attack.
    Section 73.54(b)(1) requires licensees to conduct an analysis of 
digital computer and communication systems and networks and identify 
those digital assets that must be protected against a cyber attack. 
This requirement reflects the NRC's recognition that licensees are well 
situated to determine the safety and security significance of digital 
systems and assets at their facilities. The NRC issued RG 5.71 to 
provide guidance to licensees in implementing the NRC's cyber security 
requirements. Section 3.1.3 of RG 5.71 recognizes that not all digital 
assets associated with SSEP functions may need to be protected. It sets 
forth a process for identifying those assets, referred to as CDAs in 
the regulatory guide, that must be protected against a cyber attack. 
CDAs are those digital assets that meet the criteria in Sec.  
73.54(a)(2) and, if compromised, could adversely impact SSEP functions.
    The petitioner identifies examples of digital assets--specifically 
fax machines, hand-held calibration devices, radios and pagers, and 
certain calculators used by licensee staff--that it claims have no 
nexus to radiological sabotage. The NRC agrees that some digital assets 
associated with SSEP functions may not need to be protected from cyber 
attack. Consistent with Sec.  73.54(b)(1), determining whether a 
specific digital asset, such as a fax machine, calibration device, 
radio, or the like, has a nexus to radiological sabotage requires a 
site-specific analysis to determine the safety and security 
significance of the specific asset. The purpose of the analysis is to 
determine if a specific digital asset must be protected consistent with 
the criteria in Sec.  73.54(a)(2). That is why neither the NRC's cyber 
security rule nor RG 5.71 prescribe a list of specific digital assets 
that must be protected against a cyber attack.
    As elaborated in the NRC Response to Assertion B, the NRC does not 
agree with the petitioner's assertion that only those digital assets 
that, if compromised, can directly result in radiological sabotage are 
subject to the NRC's cyber security requirements. Digital assets, the 
compromise of which may not directly cause significant core damage or 
spent fuel sabotage, but that could serve as attack pathways that 
potentially increase the risk of a successful cyber attack if not 
protected, are within the scope of the NRC's cyber security 
requirements.
    The NRC has been conducting cyber security inspections since 2013 
and recently completed a major assessment of the NRC's cyber security 
requirements. One of the major lessons learned from these inspections 
and the assessment is that many licensees adopted a conservative 
approach to identifying digital assets at their facilities that could 
potentially impact SSEP functions. This resulted in a large number of 
digital assets being included within the scope of licensees' cyber 
security programs. As a result of the lessons learned from these 
inspections and the assessment, the NRC has been and is continuing to 
engage with stakeholders to revise existing guidance and refine the 
methodology for identifying CDAs that fall within the scope of the 
NRC's cyber security requirements. Based on these interactions, NEI 
revised NEI 13-10 to include a consequence-based, graded approach for 
identifying CDAs. The NEI 13-10 guidance enables industry to focus 
resources on the more significant digital assets. The NRC is continuing 
to work with stakeholders to identify additional revisions to the 
guidance for identifying those digital assets that must be protected 
from a cyber attack. For the reasons discussed in this section, the NRC 
does not agree with the petitioner's assertion that the language in 
Sec.  73.54(a)(1) requires the protection of digital assets that do not 
have a nexus to radiological sabotage.
    The NRC disagrees with the assertion that the cyber security rule 
requires the unnecessary expenditure of licensee resources to protect 
digital assets that have no nexus to radiological sabotage. The NRC 
issued RG 5.71 in January 2010 to provide guidance to licensees in 
implementing the NRC's cyber security requirements. It establishes a 
process for identifying those digital assets, called CDAs, that must be 
protected against a cyber attack. Some stakeholders have taken a 
conservative approach to identifying CDAs. The NRC has determined that 
this is an implementation issue, not an issue with the cyber security 
rule language. Accordingly, the NRC has been and is continuing to work 
with industry stakeholders to revise existing guidance and establish 
new guidance to refine the methodology for identifying CDAs. For these 
reasons, the NRC does not agree with the petitioner's assertion that 
the language in Sec.  73.54(a)(1) requires the protection of digital 
assets that do not have a nexus to radiological sabotage and results in 
an unjustified burden and costs for licensees.
    Assertion D in Section III of the PRM
    The petitioner notes that on October 21, 2010, the Commission made 
a policy determination to apply the NRC's cyber security rule to SSCs 
in the balance of plant (BOP) at NRC-licensed nuclear power plants. The 
petitioner further notes that as a result of this policy determination, 
SSCs in the BOP were no longer subject to the Federal Energy Regulatory 
Commission's (FERC) Critical Infrastructure Protection reliability 
standards. The petitioner states that this policy determination 
expanded the scope of the cyber security program to include digital 
assets not strictly necessary to prevent radiological sabotage.
    NRC Response to Assertion D:
    The NRC agrees with the petitioner that on October 21, 2010, the 
Commission made a policy determination to apply the NRC's cyber 
security regulations to SSCs in a nuclear power plant's BOP that have a 
nexus to radiological health and safety. The petitioner asserts that 
this policy determination expanded the scope of Sec.  73.54(a) to 
include digital assets not strictly necessary to be protected to 
prevent radiological sabotage.
    As the petitioner notes, the Commission's October 2010 policy 
determination applied the NRC's cyber security regulations to BOP 
digital assets that by themselves, even if compromised, could not 
directly cause significant core damage or spent fuel sabotage. For the 
same reasons set forth in the NRC's response to the petitioner's 
Assertions B and C, the NRC does not agree with the petitioner's 
statement that this policy determination resulted in an expansion of 
the scope of either the 2006 proposed rule or the 2009 final rule.
    From its inception, the 2006 proposed cyber security rule would 
have required licensees to protect those digital assets associated with 
SSEP that, if compromised, could either directly or indirectly cause 
radiological sabotage resulting in significant core damage or spent 
fuel sabotage. As the Commission stated in SRM-COMWCO-10-0001, it ``has 
determined as a matter of policy that the NRC's cyber security rule at 
10 CFR 73.54 should be interpreted to include SSCs in the BOP that have 
a nexus to radiological health and safety at NRC-licensed nuclear power 
plants.'' In SECY-10-0153, ``Cyber Security--Implementation of the 
Commission's Determination of Systems and Equipment within the Scope of 
Title 10 of the Code of Federal Regulations, Section 73.54,'' dated 
November 19, 2010, the staff informed the Commission that it considered 
SSCs in the BOP that have a nexus to radiological health and safety to 
be those that could, if compromised, directly or indirectly affect 
reactivity of a nuclear power plant, and are therefore within the scope

[[Page 43603]]

of important-to-safety functions described in Sec.  73.54(a)(1).
    To the extent that Assertion D raises issues concerning FERC's 
jurisdiction at nuclear power plants, the NRC does not have the 
authority to limit the jurisdiction granted to other agencies by 
statute.
    Assertion E in Section III of the PRM:
    The petitioner states that, as of March 1, 2014, NRC inspections 
had identified violations of low safety significance associated with 
the failure of reactor licensees to identify digital assets needing 
protection against cyber attacks under Sec.  73.54(a)(1). The 
petitioner views the violations as an illustration of the problems 
created by the Sec.  73.54(a)(1) scoping language. The petitioner 
concludes that although these violations ``have little to no safety 
significance,'' they have resulted in unnecessary expense and a 
diversion of licensee resources, as well as conveying to the public 
``an incorrect impression that the state of cyber security preparedness 
at those sites is less than adequate.''
    NRC Response to Assertion E:
    The NRC agrees that several violations have been identified during 
its inspections of licensee cyber security programs at reactor sites. 
The implementation plan for licensees' cyber security programs, which 
has eight distinct milestones, was developed to allow a phased approach 
to full implementation of the cyber security requirements in Sec.  
73.54. One of the goals of this phased approach was to allow lessons 
learned to be applied by licensees prior to full program 
implementation. The use of this phased approach was intended to 
identify issues in an iterative way, particularly in regard to digital 
asset identification. In cases where violations were identified during 
cyber security inspections of milestones 1 through 7, the NRC performed 
an evaluation and did not cite the violations if the licensee had made 
a ``good faith'' effort to comply with the requirements. Licensees 
addressed these issues and made corrections to their cyber security 
programs prior to full program implementation. The identification and 
resolution of these cyber security issues help ensure that licensees 
successfully implement an effective cyber security program.
    The NRC disagrees with the petitioner's assertion that the 
violations illustrate problems with the scoping language in Sec.  
73.54(a)(1). This scoping language correctly identifies the digital 
computer and communication systems and networks that the Commission 
intends licensees to protect against a cyber attack. The language in 
Sec.  73.54(a)(1) does not identify specific digital assets that must 
be protected by licensee cyber security programs. It is the 
responsibility of the licensee to conduct the analysis required by 
Sec.  73.54(b)(1) and correctly identify those digital assets that, if 
compromised, could adversely impact SSEP functions. Failure to 
correctly identify digital assets may result in violations of the NRC's 
cyber security requirements.
    The NRC also disagrees that the violations have conveyed to the 
public an incorrect impression that the state of cyber security 
preparedness at reactor sites is less than adequate. The petitioner 
provides no evidence that the public has formed such an impression as a 
result of these violations.

IV. Public Comments on the Petition

    The comment period closed on December 8, 2014, and the NRC received 
19 comment submissions on the PRM. All of the comment submissions 
received on this petition are available on https://www.regulations.gov 
under Docket ID NRC-2014-0165.
    Of the 19 comment submissions received, 15 comment submissions 
supported the petition, two opposed the petition, and two provided 
other observations on the cyber security rule language. Overall, the 
comments received do not present additional information to support the 
petitioner's proposal that the NRC amend its cyber security 
regulations. The NRC organized the 19 comment submissions into 18 
comment categories that are summarized and evaluated in the following 
paragraphs.
    Comment Category 1: Scope of the rule language is too broad.
    In support of the PRM, several comment submissions assert that the 
scope of the existing cyber security requirements in Sec.  73.54 is too 
broad. They contend that this broad scope has resulted in unnecessary 
burden on reactor licensees having to maintain hundreds to thousands of 
digital assets within their cyber security programs. The comment 
submissions state that most of these digital assets have no nexus to 
protecting the health and safety of the public. One commenter stated 
that the high level of protection required by Sec.  73.54 should be 
focused on the equipment whose compromise could endanger the health and 
safety of the public. Another commenter stated that the regulations in 
Sec.  73.54 now allow the NRC to require that licensees classify an 
excessive number of components as ``critical'' even though their 
functions have little or no bearing on nuclear safety.
    NRC Response to Category 1 Comments: The comments included in 
Category 1 reiterate assertions made in the petition that the scope of 
the cyber security rule is too broad. For the reasons set forth in the 
``Reasons for Denial'' section of this document, the NRC does not agree 
with these comments.
    The NRC also disagrees with the commenters' assertion that actions 
required by Sec.  73.54 are overly burdensome and have no nexus to 
protecting the health and safety of the public. As the Commission 
stated in SRM-COMWCO-10-0001, it ``has determined as a matter of policy 
that the NRC's cyber security rule at 10 CFR 73.54 should be 
interpreted to include SSCs in the BOP that have a nexus to 
radiological health and safety at NRC-licensed nuclear power plants.'' 
In SECY-10-0153, ``Cyber Security--Implementation of the Commission's 
Determination of Systems and Equipment within the Scope of Title 10 of 
the Code of Federal Regulations, Section 73.54,'' dated November 19, 
2010, the Commission was informed that SSCs in the BOP that have a 
nexus to radiological health and safety are those that could, if 
compromised, directly or indirectly affect reactivity of a nuclear 
power plant, and are therefore within the scope of important-to-safety 
functions described in Sec.  73.54(a)(1).
    Consistent with the NRC's cyber security rule, it is the licensee's 
responsibility to analyze its digital computer and communication 
systems and networks and identify those digital assets that could 
adversely impact SSEP functions if compromised by a cyber attack. The 
NRC agrees with the commenters that some licensees may have 
conservatively identified certain digital assets that could not 
adversely impact SSEP functions even if compromised as being within the 
scope of the NRC's cyber security rule.
    RG 5.71 contains NRC guidance for complying with the regulations in 
Sec.  73.54. Licensees may use methods other than those described in RG 
5.71 to meet the regulations in Sec.  73.54. The NRC has also engaged 
with stakeholders regarding revisions to industry guidance to assist 
licensees in better identifying digital assets that fall within the 
scope of the NRC's cyber security rule. For example, as a result of 
insights gained from these interactions, NEI revised NEI 08-09, ``Cyber 
Security Plan for Nuclear Power Reactors,'' and NEI 13-10, ``Cyber 
Security Control Assessment,'' to address the application of cyber 
security controls for CDAs at nuclear power plants. Similarly, NEI 
revised NEI 13-10, Revision 6, to address

[[Page 43604]]

scoping issues using a consequence-based approach for screening CDAs. 
The consequence-based approach in NEI 13-10 enables industry to focus 
resources on the more consequential digital assets that require 
protection. The NRC continues to engage with stakeholders to review and 
revise, as appropriate, relevant cyber security guidance, including 
guidance on the scoping of CDAs.
    Comment Category 2: Implementation costs are significantly higher 
than those presented in the regulatory analysis for the 2009 rule.
    Two comment submissions that support the PRM assert that the costs 
associated with implementation of the cyber security requirements in 
Sec.  73.54 are substantially higher than those presented in the NRC's 
2009 regulatory analysis of these requirements.
    NRC Response to Category 2 Comments: The NRC acknowledges that the 
costs regarding the implementation of Sec.  73.54 were underestimated 
in the 2009 regulatory analysis that supported the final rule. 
Specifically, the quantity of digital assets identified as CDAs far 
exceeded the NRC's estimates developed at the time the cyber security 
rule was finalized. As noted previously, given that many licensees 
adopted a conservative approach to identifying digital assets at their 
facilities, the NRC has and is continuing to engage with stakeholders 
to revise guidance for identifying CDAs. The NRC anticipates that this 
will reduce the number of identified CDAs and result in a reduction of 
costs to licensees in implementing the NRC's cyber security 
requirements. As a separate effort, the NRC is reviewing its process 
for developing cost estimates associated with rulemakings.
    Comment Category 3: Unnecessary diversion of licensee resources and 
attention.
    The commenters assert that in determining required cyber security 
controls, no graded approach is acceptable for use by NRC licensees in 
complying with the requirements in Sec.  73.54. These commenters assert 
that the cost of implementing and maintaining these controls contribute 
no added value, are costly to maintain, and reduce the effectiveness of 
the digital assets.
    One commenter asserts that the current rule language significantly 
increases costs by: (1) Creating a need for vendor processes outside of 
a well-vetted procurement process; (2) imposing requirements for 
monitoring and assessment outside of current practices; and (3) failing 
to accept current maintenance rule analysis of a component's risk 
significance for exemption from additional treatment. Two commenters 
assert that the cost of implementing and maintaining the requirements 
of the rule directly competes with the cost of facility modifications 
that could improve plant safety, equipment reliability, and reduce the 
likelihood of an initiating event. Another commenter states that the 
scope of the existing requirements in Sec.  73.54 introduce significant 
and unwarranted costs in terms of complying with the requirements in 
Sec.  73.56, and that these issues would be resolved by granting the 
PRM.
    Two commenters suggest specific alternatives for refocusing the 
rule language in Sec.  73.54. One commenter suggests, as an alternative 
to the petitioner's suggested changes: (1) Modifying Sec.  
73.54(a)(1)(i) to directly state that only ``Target Set and credited 
security system equipment'' need special consideration for preventing 
the previously established Sec.  73.1 DBT intent of radiological 
sabotage; and (2) modifying Sec.  73.54(a)(1)(ii) to focus on trips and 
transients created by cyber attacks initiated by outsiders external to 
the Protected Area (PA). Another commenter similarly suggested that the 
NRC refocus the rule language on: (1) High assurance protection for 
preventing radiological sabotage; (2) preventing plant trips and 
transients caused by cyber attacks initiated from outside the PA; and 
(3) preventing accidental initiation of a cyber attack caused by 
insider action.
    NRC Response to Category 3 Comments: The NRC disagrees that a 
graded approach is not acceptable for use by licensees in complying 
with the requirements in Sec.  73.54. A consequence-based, graded 
assessment process for identifying CDAs and determining the appropriate 
security controls to be applied to those CDAs may contribute to 
reducing unnecessary costs to licensees. Using this graded approach may 
result in the application of certain minimum cyber security controls to 
specifically identified CDAs as well as provide a method to assess 
alternate means of protecting CDAs, for example EP CDAs, from cyber 
attacks. However, this graded approach will still require that 
licensees adequately protect CDAs from a cyber attack. For these 
reasons and the reasons stated in the ``Reasons for Denial'' section of 
this document, the NRC disagrees with the assertion that the 
development of a consequence-based, graded approach for implementing 
the requirements in Sec.  73.54 contributes no added value, and 
therefore, results in the unnecessary expenditure of licensee 
resources.
    The NRC also disagrees with the assertion that the application of 
cyber security controls reduces the effectiveness of digital assets. 
The commenters did not provide any evidence to support this assertion. 
The NRC is not aware of any operational experience or data that 
demonstrates a reduction in effectiveness of digital assets due to the 
application of cyber security controls to those assets.
    The NRC does not agree that the rule language in Sec.  73.54 
imposes requirements for monitoring and assessment that are ``outside 
of current practices.'' The cyber security rule does not require any 
change to existing licensee monitoring and assessment practices that 
have already been implemented and does not impose any requirement that 
licensees develop and implement new monitoring and assessment 
practices.
    The NRC disagrees with the comments regarding limiting the scope of 
Sec.  73.54 to only target sets and credited security system equipment, 
and trips and transients created by cyber attacks initiated by 
outsiders external to the PA. Cyber attacks can adversely affect the 
performance of SSEP functions of a nuclear facility, which are broader 
than the functions performed by target sets and security system 
equipment. As described in RG 5.71, the scope of the cyber security 
rule goes beyond consideration of cyber attacks initiated by outsiders 
external to the PA because a defense-in-depth approach requires the 
licensee to evaluate threats from all possible vectors, including 
internal and external threats. The NRC further notes that the 
commenters did not provide a technical basis to support their 
recommendations.
    Certain Category 3 comments are outside the scope of the petition 
for rulemaking. First, the comment that the requirements in Sec.  73.54 
create a need for vendor processes outside of a well-vetted procurement 
process is outside the scope of the petition. The petition does not 
discuss the alleged need for additional vendor processes identified in 
the comment submission. Additionally, the commenter did not provide any 
evidence that the NRC's cyber security rule impacts licensee 
procurement processes. Licensees may procure any computer systems, 
networks or digital assets that enable them to comply with NRC 
requirements and are not prohibited by federal law. The cyber security 
rule requires licensees to ensure that CDAs associated with whatever 
digital systems the licensee procures are adequately protected from a 
cyber attack by the application of appropriate security

[[Page 43605]]

controls. Second, the assertion that the requirements in Sec.  73.54 
fail to address the maintenance rule's analysis of a component's risk 
significance is also outside the scope of the petition. The petition 
does not discuss the application of the maintenance rule and its 
discussion of a component's risk significance. Finally, the commenters 
assertion that the requirements in Sec.  73.54 introduce significant 
and unwarranted costs in terms of compliance with the access 
authorization requirements in Sec.  73.56 are also outside the scope of 
the petition. The petition does not discuss the impact of the cyber 
security rule on access authorization requirements. Furthermore, the 
rule does not limit licensees' ability to purchase any digital system 
that helps it meet the NRC's access authorization requirements. The NRC 
is not aware of any operational experience or data showing that 
licensees have had significant and unwarranted costs that are unique to 
compliance with access authorization requirements as a result of the 
cyber security rule.
    Comment Category 4: Issues with process for identification of CDAs.
    In support of the PRM, several comment submissions assert that a 
significant amount of resources are expended on protecting CDAs that 
have no capability to cause core damage or spent fuel sabotage even if 
compromised, and that these efforts result in no measurable increase in 
reactor and spent fuel security. One commenter specifies in this regard 
that each CDA requires documentation of an assessment as configured 
against the cyber security technical controls in NEI 08-09, Revision 6, 
Appendix D, ``even if the CDA has no capability to cause core damage or 
spent fuel sabotage.'' Several comment submissions identify CDAs 
associated with EP communication systems and other equipment as 
examples of CDAs that should not be included in the scope of the cyber 
security program. One commenter similarly states that the application 
of cyber security controls to CDAs is not consistent with other 
elements of the physical protection program, since cyber security 
controls are required for systems and equipment that go beyond the 
systems and equipment necessary to prevent radiological sabotage. One 
commenter asserts that the resources expended on protecting these CDAs 
may delay other facility enhancements that would protect more important 
equipment.
    One commenter further states that additional burden is added to 
protect CDAs when the postulated attack is specific to an active 
insider with physical CDA access. Two comment submissions cited the 
Plant Process Computer (PPC) as an example of a system that should not 
be subject to cyber security requirements.
    NRC Response to Category 4 Comments: These comments reiterate 
issues raised in the petition; the NRC does not agree with these 
comments for the reasons stated in the ``Reasons for Denial'' section 
of this document.
    Regarding the comment that the application of cyber security 
controls to CDAs for demonstrating compliance with the cyber security 
requirements in Sec.  73.54 is not consistent with other elements of 
the physical protection program, the commenter did not provide an 
example that supports this assertion. Furthermore, the cyber security 
requirements in Sec.  73.54 are not inconsistent with the physical 
protection program performance objectives set forth in Sec.  73.55. 
Specifically, there is no inconsistency as protecting against 
radiological sabotage is not limited to protecting only those digital 
assets the compromise of which can directly cause significant core 
damage and spent fuel sabotage. Rather, protecting against radiological 
sabotage involves protecting those digital assets that, if compromised 
by a cyber attack, could either directly or indirectly cause 
significant core damage or spent fuel sabotage. As noted previously, 
the Commission included EP functions within the scope of the cyber 
security rule because they are essential to mitigate the consequences 
of radiological sabotage.
    Regarding the comment on the need to assess CDAs that have no 
capability to cause core damage or spent fuel sabotage even if 
compromised, this essentially repeats assertions made in the petition. 
The NRC does not agree that protecting against radiological sabotage is 
limited to protecting only those digital assets that can directly cause 
significant core damage or spent fuel sabotage if impacted by a cyber 
attack.
    The comments identify the PPC as an example of a system that should 
not be subject to cyber security requirements. Consistent with Sec.  
73.54(b)(1), a licensee must conduct a site-specific analysis to 
identify those digital assets that meet the criteria of Sec.  
73.54(a)(1) and must be protected from a cyber attack. Determining 
whether or not the PPC should or should not be subject to the NRC's 
cyber security requirements is dependent upon the outcome of the site-
specific analysis.
    Comment Category 5: Benefits of granting the petition.
    The comment submissions supporting the PRM generally assert that 
granting the petition would: (1) Have an immediate positive impact on 
overall safety and security while reducing unnecessary burden on 
reactor licensees; (2) continue to provide defense-in-depth protection 
for those digital assets having a nexus to radiological safety and 
security, thereby eliminating the unnecessary diversion of attention 
and resources expended on protecting digital assets that do not have a 
nexus to radiological safety and security; and (3) be consistent with 
the NRC's original intent to prevent radiological sabotage, in 
accordance with long-standing physical protection program requirements. 
Several comment submissions added that if the petition is granted, they 
would still be able to meet the requirements in Sec.  73.54 to provide 
high assurance of adequate protection from cyber attacks. Two comment 
submissions assert that granting the petition would support grid 
reliability through protection of digital assets capable of causing a 
reactor trip, and they continue to support having the NRC as the single 
regulatory authority for cyber security in order to enhance regulatory 
clarity and implementation efficiency.
    NRC Response to Category 5 Comments: For the reasons set forth in 
response to petitioner's Assertion B, the NRC disagrees with the 
commenters' assertion that the current version of the cyber security 
rule is not consistent with the original intent of the rule.
    Additionally, the NRC disagrees with the comments asserting that 
the petitioner's proposed changes would have an immediate positive 
impact on overall safety and security while reducing unnecessary burden 
on reactor licensees. Instead, granting the petition would have the 
opposite effect as it would increase the risk of SSEP functions being 
compromised by a cyber attack.
    The NRC also disagrees with the commenters' assertions that the 
petitioner's proposed changes would continue to provide defense-in-
depth protection of digital assets (i.e., digital computer and 
communication systems and networks). The NRC explained in the 2009 SOC 
that as computer technology is increasingly integrated into nuclear 
power plants, many plant safety and security systems rely on this 
technology to carry out their functions. The digital assets associated 
with these integrated systems must be protected to minimize potential 
attack pathways and the consequences of a successful cyber attack. 
Granting the petition would have the opposite effect as it would remove

[[Page 43606]]

cyber security protection for such digital assets and decrease defense-
in-depth, inconsistent with the rule. For example, the term ``defense-
in-depth'' used in Sec.  73.54(c)(2) requires that a cyber security 
program be designed to apply and maintain ``defense-in-depth protective 
strategies to ensure the capability to detect, respond to, and recover 
from cyber attacks.'' In responding to a comment on what became Sec.  
73.54(c)(2), the Commission in Section III.D of the 2009 SOC stated 
that defense-in-depth for digital assets ``includes technical and 
administrative controls that are integrated and used to mitigate 
threats from identified risks'' (74 FR 13934; March 27, 2009).
    To the extent that the comment submissions are asserting that the 
NRC should be the single regulatory authority establishing cyber 
security requirements for nuclear power plants, the NRC does not have 
the authority to limit the jurisdiction granted to other agencies by 
statute. However, the NRC has worked closely with FERC on matters of 
mutual interest related to the nation's electric power grid reliability 
and nuclear power plant safety and security, including but not limited 
to, coordination of activities related to cyber security at nuclear 
power plants. By the memorandum of agreement dated September 22, 2015, 
the NRC and FERC have reached a mutual agreement on how each agency 
will implement its jurisdiction over cyber security assets at nuclear 
power plants.
    Comment Category 6: Interpretation of ``Critical Digital Assets'' 
under the cyber security rule.
    One commenter asserts that NRC inspectors have interpreted 
``critical digital assets'' to include backup valve position indicators 
to which an operator may refer during an abnormal plant condition. The 
commenter states that if such indicators were affected by a cyber 
security event, the required response action could be potentially 
delayed but would not affect plant safety. The commenter concludes that 
designating valve position indicators as CDAs ``adds hundreds of 
components to the critical digital asset program'' without contributing 
to plant safety and goes well beyond any reasonable definition of what 
constitutes a ``critical'' digital asset.
    NRC Response to Category 6 Comments: The subject of whether any 
digital asset is a ``critical digital asset'' is based on a site-
specific analysis of digital assets performed by the licensee. RG 5.71, 
``Cyber Security Program for Nuclear Facilities,'' NEI 08-09, ``Cyber 
Security Plan for Nuclear Power Reactors,'' and NEI 13-10, ``Cyber 
Security Control Assessment,'' provide guidance to licensees on the 
development of licensee cyber security plans that meet NRC 
requirements, including the process of identifying and implementing 
appropriate cyber security controls for CDAs.
    The NRC is continuing to engage with stakeholders to develop 
guidance revisions to streamline the process for addressing the 
application of cyber security controls to CDAs. For example, the NRC 
has reviewed NEI proposals for risk-informing the identification of 
CDAs for EP, BOP, important-to-safety and safety-related digital assets 
(ADAMS Accession Nos. ML20129J981, ML20209A442, and ML20223A256). NEI 
has stated its intent to incorporate these revisions into its guidance 
documents and to submit them to the NRC for endorsement.
    Comment Category 7: Critical Infrastructure Protection standards.
    Two comment submissions assert that the evidence required by the 
NRC and the North American Electric Reliability Corporation Critical 
Infrastructure Protection standards regarding compliance with 
cybersecurity requirements should be brought into closer alignment 
through rulemaking to reduce the current burden on those utilities that 
run both nuclear and non[hyphen]nuclear facilities. The comment 
submissions further assert that Sec.  73.54 requires utilities to 
comply with the requirements of multiple regulatory agencies and having 
to provide different types of evidence to different agencies places 
unnecessary burdens on the limited number of utility cybersecurity 
professionals. One of these comment submissions also asserts that a 
rulemaking should establish clear boundaries of jurisdiction between 
the NRC and other regulatory agencies.
    NRC Response to Category 7 Comments: These comments pertain to 
issues that were not raised by the petitioner and, therefore, are 
outside the scope of this PRM. The NRC's cyber security rule is 
applicable only to NRC power reactor licensees and is not applicable to 
non-nuclear electric utilities.
    Further, to the extent that the comment submissions are asserting 
that the NRC should establish clear boundaries to limit the 
jurisdiction of other Federal regulatory agencies, the NRC has no 
authority to limit the jurisdiction granted to other agencies by 
statute. However, the NRC has worked closely with FERC on matters of 
mutual interest related to the nation's electric power grid reliability 
and nuclear power plant safety and security, including but not limited 
to coordination of activities related to cyber security, to avoid dual 
regulation of nuclear power plants. By the memorandum of agreement 
dated September 22, 2015, the NRC and FERC have reached a mutual 
agreement of how each agency will implement its jurisdiction over cyber 
security assets at nuclear power plants.
    Comment Category 8: The petition should be denied.
    Two comment submissions assert that the petition should be denied. 
The commenters assert that granting the petition would roll back 
cybersecurity regulations essential for nuclear safety. The comment 
submissions endorse maintaining a high level of cybersecurity 
protection for both nuclear facilities and communication networks.
    NRC Response to Category 8 Comments: The NRC agrees that the 
petition should be denied. As discussed in the ``Reasons for Denial'' 
section of this document, the existing cyber security regulations in 
Sec.  73.54 are necessary to ensure adequate protection of digital 
computer and communication systems and networks associated with SSEP 
functions and their related support systems.
    Comment Category 9: Include PRM-proposed changes in the cyber 
security event notification rulemaking.
    Eleven comment submissions assert that the cyber security event 
notification rulemaking could provide a ready vehicle for the changes 
proposed in the petition.
    NRC Response to Category 9 Comments: The Cyber Security Event 
Notification final rule was published in the Federal Register on 
November 2, 2015 (80 FR 67264). It was a separate action that did not 
address the issues raised by the petitioner in PRM-73-18. These 
comments are outside the scope of this PRM.
    Comment Category 10: Specific examples of equipment that should not 
be covered by the cyber security rule.
    Nine comment submissions provide examples of equipment that should 
not be required to be protected by the cyber security rule. Some of the 
examples the commenters provide are digital process instruments within 
BOP systems, wireless control systems associated with plant cranes, 
non-safety related digital indicators, business computer systems, and 
cameras, transmitters, and media converters.
    NRC Response to Category 10 Comments: The issue of whether a 
specific digital asset must be protected from cyber attacks under the 
regulations in Sec.  73.54 is based on a site-specific analysis made by 
the licensee. The NRC notes that, to address issues associated

[[Page 43607]]

with determining if certain equipment should be protected by the cyber 
security rule, the NRC has found the guidance in NEI 13-10 and NEI 10-
04 to be acceptable for use in identifying systems and assets subject 
to the cyber security rule. NEI 10-04 provides industry with a risk-
informed methodology for determining which digital assets should be 
considered CDAs. NEI 13-10 provides guidance for developing a 
consequence-based, graded approach to comply with the regulations in 
Sec.  73.54. This approach provides for the application of certain 
minimum cyber security controls to specifically identified CDAs, and a 
method to assess alternate means for protecting certain classes of 
equipment from cyber attack. Furthermore, the NRC has reviewed NEI 
proposals for risk-informing the identification of CDAs for EP, BOP, 
important-to-safety and safety-related digital assets. NEI has stated 
its intent to incorporate these revisions into its guidance documents 
and to submit them to the NRC for endorsement.
    Comment Category 11: Suggested alternatives to granting the 
petition.
    Several comment submissions suggest the NRC should reassess the 
adequacy of the cyber security rule and should work with external 
stakeholders to consider other approaches such as a risk-informed, 
graded approach, or international ISA99 industrial standards. Several 
comment submissions provide specific examples of alternate approaches 
to the cyber security rule. One commenter also asserts that concepts 
such as redundancy, diversity, and common-cause failures should be 
reexamined in the context of cyber security.
    NRC Response to Category 11 Comments: In 2019, the NRC performed an 
assessment of the Power Reactor Cyber Security Program. The program 
assessment identified opportunities to further risk-inform the cyber 
security guidance in lieu of pursuing changes to the cyber security 
rule. For example, the NRC has reviewed NEI proposals for risk-
informing the identification of CDAs for EP, BOP, important-to-safety 
and safety-related digital assets. NEI has stated its intent to 
incorporate these revisions into its guidance documents and to submit 
them to the NRC for endorsement.
    Comment Category 12: NRC should impose additional requirements for 
cyber security.
    One commenter asserts that unintentional or non-malicious cyber 
incidents are not adequately addressed in NRC guidance documents, and 
that the NRC should have a requirement to include unintentional cyber 
incidents. Also, the commenter asserts that engineers and technicians 
that are experts in instrumentation and control (I&C), electrical 
engineering, and plant maintenance should be part of the cyber security 
team, and that the NRC should consider the use of digital I&C and 
electrical systems for nuclear plant safety applications. The commenter 
asserts that the training for engineers to be able to identify 
potential cyber incidents is minimal, and that the current NRC 
requirements for cyber security are not conservative when compared to 
safety requirements.
    NRC Response to Category 12 Comments: The NRC notes that the NRC's 
cyber security requirements do not distinguish between intentional and 
unintentional cyber attacks. Licensees are required to protect against 
any cyber attack that could adversely impact critical digital assets 
associated SSEP functions. The NRC's existing cyber security 
regulations in Sec.  73.54 provide high assurance that digital computer 
and communication systems and networks associated with SSEP functions 
are protected against a cyber attack. The NRC's cyber security 
framework also requires that the licensee's cyber security staff have 
the appropriate training.
    Comment Category 13: Examples of cyber security incidents that 
illustrate need for more requirements.
    One commenter who opposes the PRM asserts that the current NRC 
cyber security requirements need to be strengthened, and that granting 
the PRM would lessen protection against cyber attacks. The commenter 
provides examples of cyber security incidents supporting his concern, 
and further asserts that: (1) The NRC cyber security review of the 
Oconee I&C upgrade was not adequate, and the NRC should accordingly 
reassess the adequacy of the cyber security rule because control 
systems are not adequately protected by the current scope of Sec.  
73.54; (2) a comprehensive review is needed to understand the potential 
system interactions of the different devices in a reactor facility's 
safety and non-safety systems, and these system vulnerabilities should 
be covered by Sec.  73.54; (3) air-gapped security measures are not 
necessarily adequate since it is possible that a well-meaning insider 
could unintentionally connect infected portable media to a plant system 
or component, and the commenter provides examples of how a reactor 
facility could be compromised using an unintentional insider as a 
vector for a cyber attack; (4) integrity checking does not offer 
protection against malicious manipulations until complemented with 
authenticity checking; and (5) malware has been shown to affect certain 
cyber vulnerable systems such as human machine interfaces that are used 
in reactor facilities.
    NRC Response to Category 13 Comments: The NRC agrees that granting 
the PRM could lessen protection against cyber attacks. For the reasons 
set forth in the ``Reasons for Denial'' section of this document, the 
NRC has decided to deny the PRM. The commenter is requesting that the 
NRC take action to strengthen its cyber security requirements to 
increase protection of digital computer and communication systems and 
networks at nuclear power plants. The NRC has determined that the 
current cyber security requirements are robust and provide reasonable 
assurance that critical digital assets are adequately protected to 
prevent a cyber attack.
    Comment Category 14: Specific Disagreement with petitioner's 
changes.
    Two comment submissions that oppose the PRM assert that the 
petitioner's proposed changes do not adequately protect safety and 
security of nuclear power plants, and that the petitioner's proposed 
changes are not conservative. The comment submissions assert that cyber 
threats to safety-related and important-to-safety functions can cause, 
or contribute to, core melt scenarios. The comment submissions also 
assert that a reduction in cyber security requirements for EP systems 
is unacceptable because it would not then be possible to meet existing 
regulations concerning notification of emergency responders if these 
systems were compromised.
    One commenter further asserts that limiting the Sec.  73.54 
cybersecurity requirements to the prevention of significant core damage 
and spent fuel sabotage would not provide effective protection for 
other safety-critical systems. This commenter also asserts that only 
the strongest, layered defenses are likely to discourage reconnaissance 
and attack vector development, and that granting the PRM would (1) 
eviscerate the NRC's strong cybersecurity regulations and technical 
guidance; and, (2) exacerbate dependence of nuclear facilities on 
offsite AC power, therefore producing greater exposure to long-term 
loss of offsite power risks.
    NRC Response to Category 14 Comments: The NRC generally agrees with 
these comments. Cyber attacks on safety-related and important-to-safety 
functions may cause, or contribute to, radiological sabotage (e.g., 
core melt scenarios). If the provisions in Sec.  73.54(a)(1)(iii) 
(requiring the protection of digital computer and

[[Page 43608]]

communication systems and networks associated with EP functions, 
including offsite communications) were removed as the PRM requests, 
this would likely hamper a reactor licensee's ability to notify 
emergency responders in the event that offsite communication systems 
were compromised in a cyber attack.
    The NRC assumes that the commenter's reference to ``layered 
defenses'' refers to the concept of defense-in-depth. As discussed in 
the response to the Category 5 Comments, the existing regulations in 
Sec.  73.54 reflect a defense-in-depth approach, and the NRC agrees 
that granting the PRM would not be consistent with maintaining defense-
in-depth.
    Comment Category 15: RG 5.71 and NEI 08-09 should be reassessed.
    Two comment submissions opposing the petition assert that the 
current regulatory guidance is insufficient. The commenters assert that 
neither RG 5.71 nor NEI 08-09 addresses cyber threats and 
vulnerabilities that have been demonstrated to be exploitable, and that 
the scope of RG 5.71 should be reassessed. One commenter also states 
that the scope of RG 5.71 should be reassessed to better address 
control system-specific cyber security issues. The commenters also 
provide various examples of concerns regarding the current regulatory 
guidance and specific suggestions for improving this guidance. The 
commenters assert that the current interpretation of the cyber security 
rule is increasing plant risk by reducing operational stability. The 
commenters further assert that configuration changes prescribed by NEI 
08-09 and RG 5.71 contribute to uncertainty in the reliability of CDAs. 
The commenters assert that RG 5.71 should be updated to include 
consideration of plant risk. One commenter asserts that the existing 
guidance is too focused on information technology and ignores the 
merits of current protective approaches that are based on traditional 
I&C Engineering and other license requirements.
    NRC Response to Category 15 Comments: These comments are beyond the 
scope of the PRM. The petition does not raise the guidance issues 
identified in the comment submissions. The NRC performs periodic 
reviews of its guidance documents to determine if they need revision. 
The results of the most recent periodic review of RG 5.71 can be found 
under ADAMS Accession No. ML15099A158. The NRC disagrees that the 
current interpretation of the cyber security rule is increasing plant 
risk by reducing operational stability. The comment submissions did not 
provide support for this assertion, and the NRC is not aware of any 
such reduction in operational stability.
    Comment Category 16: Existing plant processes are sufficient to 
protect most digital equipment.
    Two comment submissions that support the PRM assert that while 
there are thousands of digital assets that are important to the 
efficient operation of reactor facilities, such assets would be 
adequately protected by the existing plant controls such as physical 
protection, network isolation, configuration management, maintenance 
and testing. One of the comment submissions adds that EP functionality 
assets, such as communication systems, are typically protected using 
redundancy and diversity.
    NRC Response to Category 16 Comments: The NRC recognizes that there 
may be large numbers of digital assets that are important to the 
efficient operation at a nuclear power plant. These assets may well be 
protected by existing plant controls. The NRC cyber security 
requirements do not require the protection of such assets if they 
cannot adversely impact SSEP functions even if they are compromised. 
The NRC has determined that CDAs that can adversely impact SSEP 
functions must be protected from a cyber attack. If a licensee's site-
specific analysis can demonstrate that existing plant controls at a 
given nuclear power plant can protect these CDAs from a cyber attack, 
then the licensee does not need to apply additional security controls 
to meet the requirements of the NRC's cyber security rule. If existing 
plant controls cannot provide such protection, then additional cyber 
security controls for CDAs would be required.
    Comment Category 17: Cyber Security Language was not offered for 
public comment.
    One commenter reiterates the petitioner's assertion that the 2006 
proposed rule's scoping language (71 FR 62664; October 26, 2006) was 
removed and replaced with new text in the 2009 final rule (74 FR 13926; 
March 27, 2009), asserting that the practical effect of the new scoping 
language was likely not clear when the final rule was issued.
    NRC Response to Category 17 Comments: For the reasons stated in the 
``Reasons for Denial'' section of this document, the NRC does not agree 
with this comment. The clarifying changes made to the scoping language 
in the 2009 final rule are consistent with and a logical outgrowth of 
the proposed rule, and the reasons for making these changes were 
adequately explained in the 2009 SOC.
    Comment Category 18: NRC cyber security requirements should be 
expanded.
    One commenter suggested that in order to cover ``all digital assets 
involved in the management of power-block industrial energy,'' the 
scope of Sec.  73.54 should be expanded.
    NRC Response to Category 18 Comments: The NRC assumes that in 
referencing ``all digital assets involved in the management of power-
block industrial energy'' the commenter is referring to digital assets 
or digital components used to support a reactor facility's on-site 
power systems. Safety-related digital assets or safety-related digital 
components interfacing with the facility's on-site power systems are 
addressed in the safety requirements of 10 CFR part 50 (specifically in 
appendix A to 10 CFR part 50, general design criterion 17). The 
commenter does not provide a basis for expanding the scope of Sec.  
73.54 to include matters relating to general design criterion 17.

V. Availability of Documents

    The documents identified in the following table are available to 
interested persons through one or more of the following methods, as 
indicated.

------------------------------------------------------------------------
                                                    Adams Accession No.
            Document                   Date         or Federal  Register
                                                    citation or website
------------------------------------------------------------------------
PRM-73-18--Petition to Amend 10  June 12, 2014...  ML14184B120
 CFR 73.54, ``Protection of
 Digital Computer and
 Communication Systems and
 Networks'' submitted by
 Nuclear Energy Institute (NEI).
Protection of Digital Computer   September 22,     79 FR 56525
 and Communication Systems and    2014.
 Networks; Notice of Docketing
 and Request for Comment.

[[Page 43609]]

 
PRM-73-18--Public Comments RE:   August 10, 2020.  ML20223A027
 Protection of Digital Computer
 and Communication Systems and
 Networks.
SRM-CMWCO-10-0001--``Regulation  October 21, 2010  ML102940009
 of Cyber Security at Nuclear
 Power Plants''.
Regulatory Guide 5.71, ``Cyber   January 2010....  ML090340159
 Security Program for Nuclear
 Facilities''.
NEI 08-09, ``Cyber Security      April 2010......  ML101180437
 Plan for Nuclear Power
 Reactors,'' Revision 6.
NEI 13-10, ``Cyber Security      August 2017.....  ML17234A615
 Control Assessment,'' Revision
 6,.
Regulatory Analysis and Backfit  March 17, 2009..  ML083390372
 Analysis; Final Rulemaking:
 Power Reactor Security
 Requirements.
GAO-15-98, NRC Needs to Improve  December 12,      https://www.gao.gov/
 Its Cost Estimates by            2014.             products/GAO-15-98
 Incorporating More Best
 Practices.
SECY-14-0002, ``Plan for         January 17, 2014  ML13274A495
 Updating the U.S. Nuclear
 Regulatory Commission's Cost-
 Benefit Guidance''.
NUREG/BR-0058, ``Regulatory      April 2017......  ML17100A480
 Analysis Guidelines of the
 U.S. Nuclear Regulatory
 Commission, Draft Report for
 Comment,'' Revision 5.
MD 8.2, ``Management of          September 20,     ML18093B087
 Backfitting, Forward Fitting,    2019.
 Issue Finality, and
 Information Requests''.
SECY-20-0008: Draft Final NUREG/ February 13,      ML19261A277
 BR-0058, Regulatory Analysis     2020.
 Guidelines of the U.S. Nuclear.
Memorandum of Agreement between  September 22,     ML15033A181
 the U.S. Nuclear Regulatory      2015.
 Commission (NRC) and the
 Federal Energy Regulatory
 Commission (FERC).
SECY-14-0129: Rulemaking: Final  November 20,      ML14136A212
 Rule: Cyber Security Event       2014.
 Notification (CSEN).
Power Reactor Security           March 27, 2009..  74 FR 13926
 Requirements; Final Rule.
Power Reactor Cyber Security     July 12, 2019...  ML19175A211
 Program Assessment.
Periodic Review of RG 5.71.....  April 9, 2015...  ML15099A158
Draft Regulatory Guide (DG)-     August 2018.....  ML18016A129
 5061, ``Cyber Security Program
 for Nuclear Power Reactor''.
Power Reactor Security           October 26, 2006  71 FR 62664
 Requirements; Proposed Rule.
Cyber Security Event             November 2, 2015  80 FR 67265
 Notifications; Final Rule.
Memorandum of Understanding      December 17,      ML093510905
 Between the U.S. Nuclear         2019.
 Regulatory Commission and the
 North American Electric
 Reliability Corporation.
EA-02-026, Issuance of Order     February 25,      ML020510635
 for Interim Safeguards and       2002.
 Security Compensatory Measures
 for Nuclear Power Plants.
EA-03-086, ``Issuance of Order   April 29, 2003..  ML030740002
 Requiring Compliance with
 Revised Design Basis Threat
 for Operating Power Reactors''.
SECY-10-0153, ``Cyber Security-- November 19,      ML103490344
 Implementation of the            2010.
 Commission's Determination of
 Systems and Equipment within
 the Scope of Title 10 of the
 Code of Federal Regulations,
 Section 73.54''.
NEI 10-04, ``Identifying         July 2012.......  ML12180A081
 Systems and Assets Subject to
 the Cyber Security Rule, Rev.
 2''.
------------------------------------------------------------------------

VI. Conclusion

    For the reasons discussed in this document, the NRC finds that the 
petitioner did not present sufficient new information to warrant the 
requested changes in PRM-73-18. The NRC's current cyber security 
requirements are consistent with the NRC's original intent for the 
cyber security rule, and these requirements continue to provide 
reasonable assurance of adequate protection of public health and 
safety, and the common defense and security. Further, the NRC has 
determined that the language in Sec.  73.54(a) is not overly broad. 
Finally, the NRC has determined that existing and ongoing revisions to 
guidance can effectively address the other issues raised by the 
petitioner in this PRM without the need for rulemaking. Accordingly, 
the NRC is denying the PRM-73-18.

    Dated: August 3, 2021.

    For the Nuclear Regulatory Commission.
Annette L. Vietti-Cook,
Secretary of the Commission.
[FR Doc. 2021-16889 Filed 8-9-21; 8:45 am]
BILLING CODE 7590-01-P