[Federal Register Volume 88, Number 29 (Monday, February 13, 2023)]
[Rules and Regulations]
[Pages 9117-9118]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-02941]



[[Page 9117]]

-----------------------------------------------------------------------

NUCLEAR REGULATORY COMMISSION

10 CFR Part 73

[NRC-2021-0143]


Cyber Security Programs for Nuclear Power Reactors

AGENCY: Nuclear Regulatory Commission.

ACTION: Regulatory guide; issuance.

-----------------------------------------------------------------------

SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is issuing 
Revision 1 to Regulatory Guide (RG) 5.71, ``Cyber Security Programs for 
Nuclear Power Reactors.'' Revision 1 incorporates references to 
industry guidance on identifying and protecting critical digital assets 
for safety-related, important to safety, balance of plant, and 
emergency preparedness equipment. It also clarifies guidance on 
defense-in-depth for cyber security and includes updated text based on 
the latest National Institute of Standards and Technology (NIST) and 
International Atomic Energy Agency (IAEA) cyber security guidance. 
Specifically, this revision clarifies issues identified from cyber 
security inspections, insights gained through the Security Frequently 
Asked Questions (SFAQ) process, documented cyber security attacks, new 
technologies, and new regulations. This revision also considers the 
changes in the most recent revision to the NIST Special Publications 
(SP) 800-53, upon which Revision 0 of Regulatory Guide (RG) 5.71, 
``Cyber Security Programs for Nuclear Facilities'' was based.

DATES: Revision 1 to RG 5.71 is available on February 13, 2023.

ADDRESSES: Please refer to Docket ID NRC-2021-0143 when contacting the 
NRC about the availability of information regarding this document. You 
may obtain publicly available information related to this document 
using any of the following methods:
     Federal Rulemaking Website: Go to https://www.regulations.gov and search for Docket ID NRC-2021-0143. Address 
questions about Docket IDs in Regulations.gov to Stacy Schumann; 
telephone: 301-415-0624; email: [email protected]. For technical 
questions, contact the individuals listed in the FOR FURTHER 
INFORMATION CONTACT section of this document.
     NRC's Agencywide Documents Access and Management System 
(ADAMS): You may obtain publicly available documents online in the 
ADAMS Public Documents collection at https://www.nrc.gov/reading-rm/adams.html. To begin the search, select ``Begin Web-based ADAMS 
Search.'' For problems with ADAMS, please contact the NRC's Public 
Document Room (PDR) reference staff at 1-800-397-4209, 301-415-4737, or 
by email to [email protected]. The ADAMS accession number for each 
document referenced (if it is available in ADAMS) is provided the first 
time that it is mentioned in this document.
     NRC's PDR: You may examine and purchase copies of public 
documents, by appointment, at the NRC's Public Document Room (PDR), 
Room P1 B35, One White Flint North, 11555 Rockville Pike, Rockville, 
Maryland 20852. To make an appointment to visit the PDR, please send an 
email to [email protected] or call 1-800-397-4209 or 301-415-4737, 
between 8 a.m. and 4 p.m. eastern time (ET), Monday through Friday, 
except Federal holidays.
    Revision 1 to RG 5.71 and the regulatory analysis may be found in 
ADAMS under Accession No. ML22258A204 and ML21130A636, respectively.
    Regulatory guides are not copyrighted, and NRC approval is not 
required to reproduce them.

FOR FURTHER INFORMATION CONTACT: Kim Lawson-Jenkins, Office of Nuclear 
Security and Incident Response, telephone: 301-287-3656, email: 
[email protected] and Stanley Gardocki, Office of Nuclear 
Regulatory Research, telephone: 301-415-1067, email: 
[email protected]. Both are staff of the U.S. Nuclear Regulatory 
Commission, Washington, DC 20555-0001.

SUPPLEMENTARY INFORMATION:

I. Discussion

    The NRC is issuing a revision to an existing guide in the NRC's 
``Regulatory Guide'' series. This series was developed to describe 
methods that are acceptable to the NRC staff for implementing specific 
parts of the agency's regulations, to explain techniques that the staff 
uses in evaluating specific issues or postulated events, and to 
describe information that the staff needs in its review of applications 
for permits and licenses.
    RG 5.71, Revision 1 is entitled ``Cyber Security Programs for 
Nuclear Power Reactors.'' It provides NRC licensees with guidance on 
meeting the cyber security requirements described in section 73.54 of 
title 10 of the Code of Federal Regulations (10 CFR), ``Protection of 
digital computer and communication systems and networks.''
    Revision 1 clarifies guidance on defense-in-depth for cyber 
security and updates guidance based on the latest NIST and IAEA cyber 
security guidance. Revision 1 also clarifies issues identified from 
cyber security inspections, insights gained through the SFAQ process, 
lessons learned from international and domestic cyber security attacks, 
new technologies, and new regulations.
    The proposed Revision 1 to RG 5.71 was issued with a temporary 
identification Draft Regulatory Guide (DG) 5061.

II. Additional Information

    The NRC published a notice of availability of DG-5061 (ADAMS 
Accession No. ML18016A129) in the Federal Register on August 23, 2018 
(83 FR 42623) for a 60-day public comment period. The public comment 
period closed on October 22, 2018. Public comments received on DG-5061 
and the staff responses are available in ADAMS under Accession No. 
ML21266A132.
    In order to incorporate updates in industry documents, DG-5061 was 
re-issued in the Federal Register on March 3, 2022 (87 FR 12208) for a 
60-day public comment period. The public comment period closed on May 
2, 2022. Public comments received on DG-5061 and the staff responses 
are available in ADAMS under Accession No. ML22258A200.
    As noted in the Federal Register on December 9, 2022 (87 FR 75671), 
this document is being published in the ``Rules'' section of the 
Federal Register to comply with publication requirements under 1 CFR 
chapter I.

III. Congressional Review Act

    This RG is a rule as defined in the Congressional Review Act (5 
U.S.C. 801-808). However, the Office of Management and Budget has not 
found it to be a major rule as defined in the Congressional Review Act.

IV. Backfitting, Forward Fitting, and Issue Finality

    RG 5.71 describes methods acceptable to the NRC staff for complying 
with the NRC's regulations to meet the regulatory requirements in 10 
CFR 73.54. Issuance of this RG, would not constitute backfitting as 
defined in 10 CFR 50.109, ``Backfitting,'' and as described in NRC 
Management Directive (MD) 8.4, ``Management of Backfitting, Forward 
Fitting, Issue Finality, and Information Requests,'' constitute forward 
fitting as that term is defined and described in MD 8.4; or affect the 
issue finality of any approval issued under 10 CFR part 52, ``Licenses, 
certifications, and approvals for nuclear power plants.''

[[Page 9118]]

V. Submitting Suggestions for Improvement of Regulatory Guides

    A member of the public may, at any time, submit suggestions to the 
NRC for improvement of existing RGs or for the development of new RGs. 
Suggestions can be submitted on the NRC's public website at https://www.nrc.gov/reading-rm/doc-collections/reg-guides/contactus.html. 
Suggestions will be considered in future updates and enhancements to 
the ``Regulatory Guide'' series.

    Dated: February 7, 2023.

    For the Nuclear Regulatory Commission.
Meraj Rahimi,
Chief, Regulatory Guide and Programs Management Branch, Division of 
Engineering, Office of Nuclear Regulatory Research.
[FR Doc. 2023-02941 Filed 2-10-23; 8:45 am]
BILLING CODE 7590-01-P