80 FR 53478 - Cyber Security at Fuel Cycle Facilities
NUCLEAR REGULATORY COMMISSION Federal Register Volume 80, Issue 172 (September 4, 2015)
Federal Register Volume 80, Issue 172 (September 4, 2015)
| Page Range | 53478-53480 | |
| FR Document | 2015-22051 |
[Federal Register Volume 80, Number 172 (Friday, September 4, 2015)] [Proposed Rules] [Pages 53478-53480] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2015-22051] ======================================================================= ----------------------------------------------------------------------- NUCLEAR REGULATORY COMMISSION 10 CFR Part 73 [NRC-2015-0179] RIN 3150-AJ64 Cyber Security at Fuel Cycle Facilities AGENCY: Nuclear Regulatory Commission. ACTION: Draft regulatory basis; request for comment. ----------------------------------------------------------------------- SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is requesting comments on a draft regulatory basis to support a rulemaking that would amend its regulations by adopting new cyber security requirements for certain nuclear fuel cycle facility (FCF) licensees in order to address safety and security consequences of concern. Potentially affected licensees include certain FCFs authorized to possess Category I, II, or III quantities of special nuclear material and uranium hexafluoride conversion and deconversion facilities. DATES: Submit comments by October 5, 2015. Comments received after this date will be considered if it is practical to do so, but the NRC is only able to ensure consideration of comments received on or before this date. ADDRESSES: You may submit comments by any of the following methods (unless this document describes a different method for submitting comments on a specific subject):Federal Rulemaking Web site: Go to http://www.regulations.gov and search for Docket ID NRC-2015-0179. Address questions about NRC dockets to Carol Gallagher; telephone: 301-415- 3463; email: [email protected]. For technical questions, contact the individual listed in the FOR FURTHER INFORMATION CONTACT section of this document. Email comments to: [email protected]. If you [[Page 53479]] do not receive an automatic email reply confirming receipt, then contact us at 301-415-1677. Fax comments to: Secretary, U.S. Nuclear Regulatory Commission at 301-415-1101. Mail comments to: Secretary, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, ATTN: Rulemakings and Adjudications Staff. Hand deliver comments to: 11555 Rockville Pike, Rockville, Maryland 20852, between 7:30 a.m. and 4:15 p.m. (Eastern Time) Federal workdays; telephone: 301-415-1677. For additional direction on obtaining information and submitting comments, see ``Obtaining Information and Submitting Comments'' in the SUPPLEMENTARY INFORMATION section of this document. FOR FURTHER INFORMATION CONTACT: Matthew Bartlett, Office of Nuclear Material Safety and Safeguards, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; telephone: 301-415-7154, email: [email protected]. SUPPLEMENTARY INFORMATION: I. Obtaining Information and Submitting Comments A. Obtaining Information Please refer to Docket ID NRC-2015-0179 when contacting the NRC about the availability of information for this action. You may obtain publicly-available information related to this action by any of the following methods: Federal Rulemaking Web site: Go to http://www.regulations.gov and search for Docket ID NRC-2015-0179. NRC's Agencywide Documents Access and Management System (ADAMS): You may obtain publicly-available documents online in the ADAMS Public Documents collection at http://www.nrc.gov/reading-rm/adams.html. To begin the search, select ``ADAMS Public Documents'' and then select ``Begin Web-based ADAMS Search.'' For problems with ADAMS, please contact the NRC's Public Document Room (PDR) reference staff at 1-800-397-4209, 301-415-4737, or by email to [email protected]. The draft regulatory basis document is available in ADAMS under Accession No. ML15198A021. NRC's PDR: You may examine and purchase copies of public documents at the NRC's PDR, Room O1-F21, One White Flint North, 11555 Rockville Pike, Rockville, Maryland 20852. B. Submitting Comments Please include Docket ID NRC-2015-0179 in the subject line of your comment submission, in order to ensure that the NRC is able to make your comment submission available to the public in this docket. If your comment contains proprietary or sensitive information, please contact the individual listed in the FOR INFORMATION CONTACT section of this document to determine the most appropriate method for submitting your comment. The NRC cautions you not to include identifying or contact information that you do not want to be publicly disclosed in your comment submission. The NRC will post all comment submissions at http://www.regulations.gov as well as enter the comment submissions into ADAMS, and the NRC does not routinely edit comment submissions to remove identifying or contact information. If you are requesting or aggregating comments from other persons for submission to the NRC, then you should inform those persons not to include identifying or contact information that they do not want to be publicly disclosed in their comment submission. Your request should state that the NRC does not routinely edit comment submissions to remove such information before making the comment submissions available to the public or entering the comment into ADAMS. II. Discussion The NRC is requesting comments on a draft regulatory basis to support a rulemaking that would amend part 73 of Title 10 of the Code of Federal Regulations (10 CFR), ``Physical Protection of Plants and Materials,'' by adopting new cyber security regulations for FCF licensees. The specific objectives of this rulemaking effort are to establish new requirements for FCF licensees that: (1) Require licensees authorized to possess a Category I quantity of special nuclear material (SNM) to establish and maintain a cyber security program that provides high assurance that digital computer systems, communication systems, and networks associated with safety, security, emergency preparedness, and material control and accounting (SSEPMCA) functions are protected from cyber attacks up to and including the design basis threats defined in 10 CFR 73.1; (2) require certain licensees authorized to possess source material or a Category II or III quantity of SNM to establish and maintain a cyber security program that provides reasonable assurance that digital computer systems, communication systems, and networks associated with SSEPMCA functions are protected from cyber attacks; (3) codify existing cyber security requirements imposed on FCF licensees by security orders issued following the terrorist attacks of September 11, 2001, and applicable subsequent voluntary actions instituted by FCF licensees; (4) implement a graded, performance-based regulatory framework to prevent cyber attacks that could result in certain consequences of concern; and (5) implement cyber security reporting criteria. The scope of the draft regulatory basis includes cyber security for FCFs licensed under 10 CFR part 70 and uranium hexafluoride conversion and deconversion facilities licensed under 10 CFR part 40. These licensees have varying safety and security consequences of concern based on their functions and the type and quantity of material possessed. To account for these differences, the NRC plans to develop a graded, consequence-based approach for the identification and protection of digital assets associated with SSEPMCA functions. The draft regulatory basis, in part, explains why the NRC believes the existing regulations should be updated, revised, and enhanced; presents alternatives to rulemaking; and discusses costs and other impacts of the potential changes. III. Specific Requests for Comments The NRC requests that stakeholders consider answering the following questions when commenting on the draft regulatory basis: Is the NRC considering an appropriate approach for each objective described in the draft regulatory basis? Chapter 3 of the draft regulatory basis discusses the regulatory concerns the NRC expects to address through rulemaking. Chapter 4 presents the intended regulatory changes to address those regulatory concerns, and Chapter 5 discusses alternatives to rulemaking considered by the NRC staff. Are there other regulatory concerns within or related to the scope of the rulemaking efforts (see Chapter 1 of the draft regulatory basis) that the NRC should consider? Are there other approaches or alternatives the NRC should consider to resolve those regulatory concerns? Chapter 8 of the draft regulatory basis presents the NRC staff's initial consideration of costs and other impacts for a number of key aspects of the potential regulatory changes (i.e., cyber security programs, cyber incident reporting). This initial assessment is based on limited available data. The staff is seeking additional data and input relative to expected and/or unintentional impacts from the desired regulatory changes. What would be the [[Page 53480]] potential impacts to stakeholders/licensees from implementing any of the desired regulatory changes described in this draft regulatory basis (e.g., what would be a reasonable cost estimate for implementation of the cyber security programs, including startup and annual costs)? The NRC staff is aware of licensee voluntary efforts to address cyber security. Is there additional information related to these efforts that would inform the NRC staff's assessment or analysis? IV. Cumulative Effects of Regulation The Cumulative Effects of Regulation (CER) describes the challenges that licensees or other impacted entities (such as State agency partners) may face while implementing new regulatory positions, programs, and requirements (e.g., rules, generic letters, backfits, inspections). The CER is an organizational effectiveness challenge that results from a licensee or impacted entity implementing a number of complex positions, programs, or requirements within a limited implementation period and with available resources (which may include limited available expertise to address a specific issue). The NRC has implemented CER enhancements to the rulemaking process to facilitate public involvement throughout the rulemaking process. Therefore, the NRC is specifically requesting comment on the cumulative effects that may result from this proposed rulemaking. In developing comments on the draft regulatory basis, consider the following questions: (1) In light of any current or projected CER challenges, what should be a reasonable effective date, compliance date, or submittal date(s) from the time the final rule is published to the actual implementation of any new proposed requirements, including changes to programs, procedures, or the facility? (2) If current or projected CER challenges exist, what should be done to address this situation (e.g., if more time is required to implement the new requirements, what period of time would be sufficient, and why such a time frame is necessary)? (3) Do other regulatory actions (e.g., orders, generic communications, license amendment requests, and inspection findings of a generic nature) by NRC or other agencies influence the implementation of the potential proposed requirements? (4) Are there unintended consequences? Does the potential proposed action create conditions that would be contrary to the potential proposed action's purpose and objectives? If so, what are the consequences and how should they be addressed? Please provide information on the costs and benefits of the potential proposed action. This information will be used to support any regulatory analysis by the NRC. V. Availability of Documents The NRC may post additional materials related to this rulemaking activity to the Federal rulemaking Web site at www.regulations.gov under Docket ID NRC-2015-0179. By making these documents publicly available, the NRC seeks to inform stakeholders of the current status of the NRC's rulemaking development activities and to provide preparatory material for future public meetings. The Federal rulemaking Web site allows you to receive alerts when changes or additions occur in a docket folder. To subscribe: (1) Navigate to the docket folder (NRC-2015-0179); (2) click the ``Sign up for Email Alerts'' link; and (3) enter your email address and select how frequently you would like to receive emails (daily, weekly, or monthly). VI. Plain Writing The Plain Writing Act of 2010 (Pub. L. 111-274) requires Federal agencies to write documents in a clear, concise, well-organized manner. The NRC has written this document to be consistent with the Plain Writing Act as well as the Presidential Memorandum, ``Plain Language in Government Writing,'' published in the Federal Register on June 10, 1998 (63 FR 31883). The NRC requests comment on this document with respect to the clarity and effectiveness of the language used. Dated at Rockville, Maryland, this 27th day of August, 2015. For the Nuclear Regulatory Commission. Marissa G. Bailey, Director, Division of Fuel Cycle Safety, Safeguards, and Environmental Review, Office of Nuclear Materials Safety and Safeguards. [FR Doc. 2015-22051 Filed 9-3-15; 8:45 am] BILLING CODE 7590-01-P
![53478 Federal Register / Vol. 80, No. 172 / Friday, September 4, 2015 / Proposed Rules
compliance with the E-Government Act § 116.1 Applicability and general unexpected must be reported within 15
to promote the use of the Internet and considerations. business days of the date the report was
other information technologies, to (a) * * * first received.
provide increased opportunities for (3) Records (other than disposition (3) All other adverse event reports
citizen access to Government records and adverse event records) must be reported within 90 calendar
information and services, and for other required by this part must be completed days of the date the report was first
purposes. For information pertinent to by the licensee, permittee, or foreign received.
E-Government Act compliance related manufacturer, as the case may be, before Done in Washington, DC, this 31st day of
to this proposed rule, please contact Ms. any portion of a serial of any product August 2015.
Kimberly Hardy, APHIS’ Information may be marketed in the United States or Kevin Shea,
Collection Coordinator, at (301) 851– exported. Administrator, Animal and Plant Health
2727. * * * * * Inspection Service.
■ 5. Section 116.8 is revised to read as [FR Doc. 2015–21997 Filed 9–3–15; 8:45 am]
Lists of Subjects
follows: BILLING CODE 3410–34–P
9 CFR Part 101
§ 116.8 Completion and retention of
Animal biologics. records.
All records (other than disposition NUCLEAR REGULATORY
9 CFR Part 116
records and adverse event records) COMMISSION
Animal biologics, Reporting and
required by this part must be completed
recordkeeping requirements. 10 CFR Part 73
by the licensee, permittee, or foreign
Accordingly, we propose to amend 9 manufacturer before any portion of a [NRC–2015–0179]
CFR parts 101 and 116 as follows: serial of any product may be marketed RIN 3150–AJ64
in the United States or exported. All
PART 101—DEFINITIONS
records must be retained at the licensed Cyber Security at Fuel Cycle Facilities
■ 1. The authority citation for part 101 or foreign establishment or permittee’s
place of business for a period of 2 years AGENCY: Nuclear Regulatory
continues to read as follows: Commission.
after the expiration date of a product or
Authority: 21 U.S.C. 151–159; 7 CFR 2.22, ACTION: Draft regulatory basis; request
2.80, and 371.4.
longer as may be required by the
Administrator. for comment.
■ 2. Section 101.2 is amended by adding ■ 6. Section 116.9 is added to read as
definitions for adverse event and SUMMARY: The U.S. Nuclear Regulatory
follows:
adverse event report in alphabetical Commission (NRC) is requesting
order to read as follows: § 116.9 Recording and reporting adverse comments on a draft regulatory basis to
events. support a rulemaking that would amend
§ 101.2 Administrative terminology. (a) Licensees and permittees must its regulations by adopting new cyber
* * * * * maintain a detailed record for every security requirements for certain
Adverse event. Any observation in adverse event report the licensee or nuclear fuel cycle facility (FCF)
animals, whether or not the cause of the permittee receives for any biological licensees in order to address safety and
event is known, that is unfavorable and product it produces or distributes. security consequences of concern.
unintended, and that occurs after any These records shall be maintained for a Potentially affected licensees include
use (as indicated on the label or any off- period of 3 years after the date the certain FCFs authorized to possess
label use) of a biological product, adverse event report is received. The Category I, II, or III quantities of special
including events related to a suspected adverse event report form and guidance nuclear material and uranium
lack of expected efficacy. For products on how to complete it, including hexafluoride conversion and
intended to diagnose disease, adverse guidance specific to the various deconversion facilities.
events refer to a failure in product information blocks on the form, is DATES: Submit comments by October 5,
performance that hinders an expected available on the APHIS Web site at 2015. Comments received after this date
discovery of the correct diagnosis. [ADDRESS TO BE ADDED IN FINAL will be considered if it is practical to do
Adverse event report. Any RULE] or by writing to APHIS at so, but the NRC is only able to ensure
communication concerning the [POSTAL ADDRESS TO BE ADDED IN consideration of comments received on
occurrence of an adverse event from an FINAL RULE]. or before this date.
identifiable first-hand reporter which (b) A report of all adverse events ADDRESSES: You may submit comments
includes the following information: reports received by a licensee or by any of the following methods (unless
(1) An identifiable reporter; permittee must be compiled and this document describes a different
(2) An identifiable animal; submitted to the Animal and Plant method for submitting comments on a
(3) An identifiable biologic product; Health Inspection Service. The specific subject):
and frequency of report submission is as • Federal Rulemaking Web site: Go to
(4) One or more adverse events. follows: http://www.regulations.gov and search
* * * * * (1) Immediate notification is required for Docket ID NRC–2015–0179. Address
if at any time there are indications that questions about NRC dockets to Carol
rmajette on DSK2VPTVN1PROD with PROPOSALS
PART 116—RECORDS AND REPORTS raise questions regarding the purity, Gallagher; telephone: 301–415–3463;
■ 3. The authority citation for part 116 safety, potency, or efficacy of a product, email: Carol.Gallagher@nrc.gov. For
continues to read as follows: or if it appears that there may be a technical questions, contact the
problem regarding the preparation, individual listed in the FOR FURTHER
Authority: 21 U.S.C. 151–159; 7 CFR 2.22, testing, or distribution of a product. INFORMATION CONTACT section of this
2.80, and 371.4. (2) Adverse event reports determined document.
■ 4. In § 116.1, paragraph (a)(3) is by the licensee or permittee to be • Email comments to:
revised to read as follows: product-related, serious, and Rulemaking.Comments@nrc.gov. If you
VerDate Sep<11>2014 13:58 Sep 03, 2015 Jkt 235001 PO 00000 Frm 00004 Fmt 4702 Sfmt 4702 E:\FR\FM\04SEP1.SGM 04SEP1](https://thefederalregister.org/doc/80_FR_53650/page/1.svg)
![53480 Federal Register / Vol. 80, No. 172 / Friday, September 4, 2015 / Proposed Rules
potential impacts to stakeholders/ objectives? If so, what are the DEPARTMENT OF TRANSPORTATION
licensees from implementing any of the consequences and how should they be
desired regulatory changes described in addressed? Federal Aviation Administration
this draft regulatory basis (e.g., what Please provide information on the
would be a reasonable cost estimate for 14 CFR Part 39
costs and benefits of the potential
implementation of the cyber security [Docket No. FAA–2015–3073; Directorate
proposed action. This information will
programs, including startup and annual Identifier 2015–CE–017–AD]
costs)? be used to support any regulatory
• The NRC staff is aware of licensee analysis by the NRC. RIN 2120–AA64
voluntary efforts to address cyber V. Availability of Documents
security. Is there additional information Airworthiness Directives; Viking Air
related to these efforts that would The NRC may post additional Limited Airplanes
inform the NRC staff’s assessment or materials related to this rulemaking AGENCY: Federal Aviation
analysis? activity to the Federal rulemaking Web Administration (FAA), DOT.
IV. Cumulative Effects of Regulation site at www.regulations.gov under ACTION: Proposed rule; correction.
Docket ID NRC–2015–0179. By making
The Cumulative Effects of Regulation SUMMARY: The FAA is correcting a
these documents publicly available, the
(CER) describes the challenges that notice of proposed rulemaking (NPRM)
NRC seeks to inform stakeholders of the
licensees or other impacted entities that published in the Federal Register.
(such as State agency partners) may face current status of the NRC’s rulemaking
development activities and to provide That NPRM applies to Viking Air
while implementing new regulatory Limited Model DHC–3 airplanes. The
positions, programs, and requirements preparatory material for future public
meetings. repetitive inspection column in ‘‘Table
(e.g., rules, generic letters, backfits, 1 of Paragraph (f)(3) of This AD—
inspections). The CER is an The Federal rulemaking Web site Inspection Schedule’’ contains data that
organizational effectiveness challenge allows you to receive alerts when is intended to apply to all conditions.
that results from a licensee or impacted changes or additions occur in a docket However, the way the table is displayed
entity implementing a number of folder. To subscribe: (1) Navigate to the makes it look as if it only applies to the
complex positions, programs, or docket folder (NRC–2015–0179); (2) first condition. This document corrects
requirements within a limited click the ‘‘Sign up for Email Alerts’’ it to assure that it applies to all
implementation period and with link; and (3) enter your email address conditions. In all other respects, the
available resources (which may include and select how frequently you would original document remains the same.
limited available expertise to address a like to receive emails (daily, weekly, or DATES: The last date for submitting
specific issue). The NRC has monthly). comments to the NPRM (80 FR 44892,
implemented CER enhancements to the
July 28, 2015) remains September 11,
rulemaking process to facilitate public VI. Plain Writing
2015.
involvement throughout the rulemaking
process. Therefore, the NRC is The Plain Writing Act of 2010 (Pub. ADDRESSES: You may send comments by
specifically requesting comment on the L. 111–274) requires Federal agencies to any of the following methods:
cumulative effects that may result from write documents in a clear, concise, • Federal eRulemaking Portal: Go to
this proposed rulemaking. In developing well-organized manner. The NRC has http://www.regulations.gov. Follow the
comments on the draft regulatory basis, written this document to be consistent instructions for submitting comments.
consider the following questions: with the Plain Writing Act as well as the • Fax: (202) 493–2251.
(1) In light of any current or projected Presidential Memorandum, ‘‘Plain • Mail: U.S. Department of
CER challenges, what should be a Language in Government Writing,’’ Transportation, Docket Operations, M–
reasonable effective date, compliance published in the Federal Register on 30, West Building Ground Floor, Room
date, or submittal date(s) from the time June 10, 1998 (63 FR 31883). The NRC W12–140, 1200 New Jersey Avenue SE.,
the final rule is published to the actual requests comment on this document Washington, DC 20590.
implementation of any new proposed with respect to the clarity and • Hand Delivery: U.S. Department of
requirements, including changes to Transportation, Docket Operations, M–
effectiveness of the language used.
programs, procedures, or the facility? 30, West Building Ground Floor, Room
(2) If current or projected CER Dated at Rockville, Maryland, this 27th day W12–140, 1200 New Jersey Avenue SE.,
challenges exist, what should be done to of August, 2015. Washington, DC 20590, between 9 a.m.
address this situation (e.g., if more time For the Nuclear Regulatory Commission. and 5 p.m., Monday through Friday,
is required to implement the new Marissa G. Bailey, except Federal holidays.
requirements, what period of time Director, Division of Fuel Cycle Safety, For service information identified in
would be sufficient, and why such a Safeguards, and Environmental Review, this proposed AD, contact Viking Air
time frame is necessary)? Office of Nuclear Materials Safety and Limited Technical Support, 1959 De
(3) Do other regulatory actions (e.g., Safeguards. Havilland Way, Sidney, British
orders, generic communications, license [FR Doc. 2015–22051 Filed 9–3–15; 8:45 am] Columbia, Canada, V8L 5V5; Fax: 250–
amendment requests, and inspection BILLING CODE 7590–01–P
656–0673; telephone: (North America)
findings of a generic nature) by NRC or 1–800–663–8444; email:
rmajette on DSK2VPTVN1PROD with PROPOSALS
other agencies influence the technical.support@vikingair.com;
implementation of the potential Internet: http://www.vikingair.com/
proposed requirements? support/service-bulletins. It is also
(4) Are there unintended available on the Internet at http://
consequences? Does the potential www.regulations.gov by searching for
proposed action create conditions that and locating Docket No. FAA–2015–
would be contrary to the potential 3073.You may view this referenced
proposed action’s purpose and service information at the FAA, Small
VerDate Sep<11>2014 13:58 Sep 03, 2015 Jkt 235001 PO 00000 Frm 00006 Fmt 4702 Sfmt 4702 E:\FR\FM\04SEP1.SGM 04SEP1](https://thefederalregister.org/doc/80_FR_53650/page/3.svg)
Document Created: 2015-12-15 09:57:46
Document Modified: 2015-12-15 09:57:46
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Proposed Rules | |
| Action | Draft regulatory basis; request for comment. | |
| Dates | Submit comments by October 5, 2015. Comments received after this date will be considered if it is practical to do so, but the NRC is only able to ensure consideration of comments received on or before this date. | |
| Contact | Matthew Bartlett, Office of Nuclear Material Safety and Safeguards, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; telephone: 301-415-7154, email: [email protected] | |
| FR Citation | 80 FR 53478 | |
| RIN Number | 3150-AJ64 |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR