
80 FR 67264 - Cyber Security Event Notifications

NUCLEAR REGULATORY COMMISSION

Federal Register Volume 80, Issue 211 (November 2, 2015)

Page Range: 67264-67277
FR Document: 2015-27855


[Federal Register Volume 80, Number 211 (Monday, November 2, 2015)]
[Rules and Regulations]
[Pages 67264-67277]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2015-27855]


=======================================================================
-----------------------------------------------------------------------

NUCLEAR REGULATORY COMMISSION

10 CFR Part 73

[NRC-2014-0036]
RIN 3150-AJ37


Cyber Security Event Notifications

AGENCY: Nuclear Regulatory Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is adopting new 
cyber security regulations that govern nuclear power reactor licensees. 
This final rule codifies certain reporting activities associated with 
cyber security events contained in security advisories issued by the 
NRC. This rule establishes new cyber security event notification 
requirements that contribute to the NRC's analysis of the reliability 
and effectiveness of licensees' cyber security programs and plays an 
important role in the continuing effort to provide high assurance that 
digital computer and communication systems and networks are adequately 
protected against cyber attacks, up to and including the design basis 
threat.

DATES: Effective Date: This final rule is effective December 2, 2015. 
Compliance Date: Compliance with this final rule is required by May 2, 
2016, for those licensed to operate under parts 50 and 52 of Title 10 
of the Code of Federal Regulations (10 CFR) and subject to Sec.  73.54.

ADDRESSES: Please refer to Docket ID NRC-2014-0036 when contacting the 
NRC about the availability of information for this action. You may 
obtain publicly-available information related to this action by any of 
the following methods:
     Federal Rulemaking Web site: Go to http://www.regulations.gov and search for Docket ID NRC-2014-0036. Address 
questions about NRC dockets to Carol Gallagher; telephone: 301-415-
3463; email: [email protected]. For technical questions, contact 
the individuals listed in the FOR FURTHER INFORMATION CONTACT section 
of this document.
     NRC's Agencywide Documents Access and Management 
System (ADAMS): You may obtain publicly-available documents online in 
the ADAMS Public Documents collection at http://www.nrc.gov/reading-rm/adams.html. To begin the search, select ``ADAMS Public Documents'' and 
then select ``Begin Web-based ADAMS Search.'' For problems with ADAMS, 
please contact the NRC's Public Document Room (PDR) reference staff at 
1-800-397-4209, 301-415-4737, or by email to [email protected]. The 
ADAMS accession number for each document referenced (if it is available 
in ADAMS) is provided the first time that it is mentioned in the 
SUPPLEMENTARY INFORMATION section.
     NRC's PDR: You may examine and purchase copies 
of public documents at the NRC's PDR, Room O1-F21, One White Flint 
North, 11555 Rockville Pike, Rockville, Maryland 20852.

FOR FURTHER INFORMATION CONTACT: Robert H. Beall, Office of Nuclear 
Reactor Regulation, telephone: 301-415-3874, email: 
[email protected], U.S. Nuclear Regulatory Commission, Washington, 
DC 20555-0001.

SUPPLEMENTARY INFORMATION:

Table of Contents:

I. Background
II. Discussion
III. Opportunities for Public Participation
IV. Public Comment Analysis
V. Section-by-Section Analysis
VI. Regulatory Flexibility Certification
VII. Regulatory Analysis
VIII. Backfitting and Issue Finality
IX. Cumulative Effects of Regulation
X. Plain Writing
XI. Environmental Assessment and Final Finding of No Significant 
Environmental Impact
XII. Paperwork Reduction Act
XIII. Congressional Review Act
XIV. Criminal Penalties
XV. Compatibility of Agreement State Regulations
XVI. Availability of Guidance
XVII. Availability of Documents

I. Background

    On July 9, 2008, in SECY-08-0099, ``Final Rulemaking--Power Reactor 
Security Requirements'' (Agencywide Documents Access and Management 
System (ADAMS) Accession No. ML081650474), the NRC staff recommended 
the Commission approve a final rule amending the NRC's Power Reactor 
Security Requirements. The NRC staff also recommended removing sections 
in the Power Reactor Security Requirements rule on new and revised 
security notification requirements in Sec.  73.71 and appendix G of 
part 73 of title 10 of the Code of Federal Regulations (10 CFR), 
``Reportable

[[Page 67265]]

Safeguards Events,'' and placing them in a new proposed enhanced 
weapons rulemaking. In SRM-SECY-08-099, dated December 17, 2008 (ADAMS 
Accession No. ML083520252), the Commission approved the Power Reactor 
Security final rule and the bifurcation of the security notification 
requirements in Sec.  73.71 and appendix G to 10 CFR part 73 to the new 
proposed enhanced weapons rule.
    On June 27, 2010, in SECY-10-0085, ``Proposed Rule: Enhanced 
Weapons, Firearms Background Checks and Security Event Notifications'' 
(ADAMS Accession No. ML101110121), the NRC staff recommended delegating 
to the Office of the Executive Director for Operations the authority to 
issue new cyber security notification changes in the proposed enhanced 
weapons rule for publication in the Federal Register, as well as issue 
draft implementing guidance on the proposed rule. On October 19, 2010, 
in SRM-SECY-10-0085, ``Proposed Rule: Enhanced Weapons, Firearms 
Background Checks and Security Event Notifications'' (ADAMS Accession 
No. ML102920342), the Commission directed the NRC staff to publish a 
proposed rule implementing requirements for enhanced weapons, revised 
physical security event notifications, and adding new cyber security 
event notifications. This proposed rule was published in the Federal 
Register for comment on February 3, 2011 (76 FR 6199). The public was 
provided a total of 180 days to review and comment on the proposed rule 
and associated guidance.
    In SECY-12-0125, ``Interim Actions to Execute Commission Preemption 
Authority Under Section 161A of the Atomic Energy Act of 1954, as 
Amended,'' dated September 20, 2012 (ADAMS Accession No. ML12171A089), 
the NRC staff reported their discussions with the U.S. Department of 
Justice on the need to revise the Firearms Guidelines to limit the 
firearms background check requirement to only licensees that apply for 
preemption authority. Subsequently in SRM--SECY-12-0125, dated November 
12, 2012 (ADAMS Accession No. ML12326A653), the Commission directed the 
NRC staff to revise the Firearms Guidelines accordingly, and publish a 
supplemental proposed enhanced weapons rule for public comment as soon 
as possible.
    On December 20, 2013, in COMSECY-13-0031, ``Bifurcation of the 
Enhanced Weapons, Firearms Background Checks, and Security Event 
Notifications Rule'' (ADAMS Accession No. ML13280A366), the NRC staff 
informed the Commission of its plan to bifurcate the cyber security 
event notifications from the Enhanced Weapons rule due to delays 
resulting from the Firearms Guidelines revision. The bifurcation would 
allow the NRC staff to prepare a separate final rule for cyber security 
event notifications, therefore avoiding any further delay associated 
with the aforementioned Firearms Guidelines revision. In addition, this 
action would supplement the existing cyber security requirements (i.e., 
Sec.  73.54, ``Protection of Digital Computer and Communication Systems 
and Networks'') included in the 2009 power reactor security rule (76 FR 
6199; February 3, 2011).
    As part of the 2011 proposed enhanced weapons rule, the NRC 
received comments on the proposed cyber security event notification 
requirements. Changes between the proposed rule and this final cyber 
security event notifications rule reflect those public comments. 
Additionally, Draft Regulatory Guide (DG)-5019, Revision 1, ``Reporting 
and Recording Safeguards Events'' (ADAMS Accession No. ML100830413), 
was published for public comment on February 3, 2011 (76 FR 6085). The 
portions of the DG related to cyber security event notifications were 
also separated out from the original draft guide, and are now included 
in a new final regulatory guide (RG) (RG 5.83, ``Cyber Security Event 
Notifications,'' ADAMS Accession No. ML14269A388). Changes between DG-
5019, Revision 1, and RG 5.83 reflect public comment. This approach 
(i.e., publish draft guidance with proposed rules and final guidance 
with final rules) is consistent with the agency's efforts to 
incorporate enhancements in the rulemaking process to address 
Cumulative Effects of Regulation (CER), as approved by SRM--SECY-0032, 
``Consideration of the Cumulative Effects of Regulation in the 
Rulemaking Process,'' dated October 11, 2011 (ADAMS Accession No. 
ML112840466).

II. Discussion

    The NRC is adding cyber security event notification requirements 
for nuclear power reactor facilities. These additions are necessary 
because cyber security event notification requirements were not 
included in the NRC's final rule that added Sec.  73.54, ``Protection 
of Digital Computer and Communication Systems and Networks,'' to the 
NRC's regulations (74 FR 13926; March 27, 2009). Section 73.54 requires 
power reactor licensees to establish and maintain a cyber security 
program that provides high assurance that digital computer and 
communication systems and networks are adequately protected against 
cyber attacks, up to and including the design basis threat as described 
in Sec.  73.1. Cyber security event notification requirements will 
contribute to the NRC's analysis of the reliability and effectiveness 
of licensees' cyber security programs and play an important role in the 
continuing effort to protect digital computer and communication systems 
and networks associated with: Safety-related and important-to-safety 
functions; security functions; emergency preparedness functions, to 
include offsite communications; and support systems and equipment 
which, if compromised, would adversely impact safety, security, and 
emergency preparedness (SSEP) functions. Notifications conducted and 
written reports generated by licensees will be used by the NRC to 
respond to emergencies, monitor ongoing events, assess trends and 
patterns, identify precursors of more significant events, and inform 
other NRC licensees of cyber security-related events, enabling them to 
take preemptive actions, if necessary (e.g., increase their security 
posture). In addition, timely notifications assist the NRC in achieving 
its strategic communications mission by informing the U.S. Department 
of Homeland Security (DHS) and Federal intelligence and law enforcement 
agencies of cyber security-related events that could: (1) Endanger 
public health and safety or the common defense and security, (2) 
provide information for threat-assessment processes, or (3) generate 
public or media inquiries.
    The terrorist attacks of September 11, 2001, demonstrated that 
adversaries were capable of simultaneously attacking multiple sectors 
of critical infrastructure. After those attacks, the NRC issued several 
Security Orders, as well as the Design Basis Threat (DBT) final rule 
(72 FR 12705; March 19, 2007) and the Power Reactor Security final rule 
(74 FR 13926; March 27, 2009). These Orders and final rules were steps 
taken by the NRC to ensure adequate protection of the public health and 
safety and common defense and security. The DBT final rule, in Sec.  
73.1, ``Purpose and Scope,'' describes in general terms the types of 
attacks licensees must protect against in order to prevent radiological 
sabotage and to prevent theft or diversion of strategic special nuclear 
material. An adversary attribute included under the DBT for 
radiological sabotage is a cyber attack, which is a type of attack that 
adversaries could remotely launch against multiple targets (i.e., 
nuclear power reactors) simultaneously. The Power Reactor Security 
final rule included specific

[[Page 67266]]

requirements to provide high assurance that digital computer and 
communication systems and networks are adequately protected against 
cyber attacks (Sec.  73.54). The addition of cyber security event 
notification requirements supplements Sec.  73.54 by enabling the 
timely notifications of potential and/or imminent cyber attacks 
directed against licensees. This allows for more timely assessment and 
dissemination of threat information, and improves the NRC's ability to 
respond and take the actions necessary to mitigate the adverse impacts 
of cyber attacks directed against licensees.
    Separating the cyber security event notification requirements from 
the Power Reactor Security proposed rule narrowed the applicability to 
licensees subject to the requirements of Sec.  73.54, which applies to 
operating nuclear power plants after the effective date of the final 
cyber security rule. Under the original proposed rule published on 
October 26, 2006 (71 FR 62664), cyber security event notifications were 
included with other event notifications (physical security, enhanced 
weapons, etc.) requiring a broader range of applicability (e.g., Fuel 
Cycle Facilities).
    The NRC considered other options for licensees to report cyber 
attacks to the NRC. The NRC considered taking no additional regulatory 
actions and relying upon the continuation of voluntary reporting 
initiatives currently in place through security advisories. These 
voluntary reporting initiatives have allowed the NRC to identify 
certain cyber security-related events that might have had a negative 
impact upon licensees (e.g., vendor software updates containing 
malware) as well as provided licensees with threat information that 
assists them in protecting against cyber security-related threats. 
However, the security advisories are not mandatory requirements and do 
not provide timeliness requirements (one-hour, four-hour, eight-hour), 
which can be instrumental in the NRC's ability to respond to cyber 
security-related events, to evaluate cyber security-related activities 
for threat implications, and to accomplish the agency's strategic 
communications mission.

III. Opportunities for Public Participation

A. Public and Stakeholder Meetings

    As part of its comprehensive assessment of the NRC's cyber security 
event notification regulations and guidance development for this rule, 
the NRC staff held two meetings with internal and external 
stakeholders.
    On June 1, 2011, staff held a public meeting to discuss the 
proposed Enhanced Weapons, Firearms Background Checks, and Security 
Event Notifications rulemaking, which included the cyber security event 
notification requirements. The meeting was in workshop format, and was 
held at the NRC Headquarters in Rockville, Maryland; it was attended by 
more than 50 people. Additional individuals remotely participated in 
the meeting through audio teleconferencing and webinar. Presenters at 
the meeting included NRC staff, the Bureau of Alcohol, Tobacco, 
Firearms and Explosives, and the Federal Bureau of Investigation 
(FBI). Since the NRC was not accepting public comments, the meeting was 
not transcribed; however, a meeting summary and the handouts from the 
meeting are available in ADAMS under Accession No. ML111720007.
    The NRC staff also met with internal and external stakeholders on 
July 31, 2014. This public meeting was to discuss the draft final rule 
implementation date for the cyber security event notification 
requirements. The public meeting was held at the NRC Headquarters in 
Rockville, Maryland, and it was attended by six individuals in person 
and eight individuals remotely through audio teleconferencing and 
webinar. The NRC staff presented the current status of the draft final 
cyber security event notifications rule and the draft final 
implementation date. The NRC transcribed the meeting in order to 
capture public input on the draft final implementation date. The 
feedback from this meeting, as well as all the previous interactions, 
informed the NRC's schedule for the implementation of the new cyber 
security event notification requirements. The meeting summary, 
handouts, and a transcript of the meeting are available in ADAMS under 
Accession No. ML14240A404.

B. Opportunity for Public Comment

    The proposed rule was published in the Federal Register on February 
3, 2011 (76 FR 6199), and the public comment period closed on August 4, 
2011. On the same day the NRC also published a separate notice 
requesting comment on DG-5019, Revision 1, ``Reporting and Recording 
Safeguards Events.'' The NRC received a total of 14 submittals on the 
proposed rule and draft guidance relating to enhanced weapons, firearms 
background checks and security event notifications (which included 
cyber security event notifications). The majority of comments came from 
the Nuclear Energy Institute (NEI) on behalf of the nuclear power 
reactor licensees.

IV. Public Comment Analysis

    The proposed enhanced weapons rule was published February 03, 2011 
(76 FR 6199), and the public comment period closed on August 04, 2011. 
On the same day the NRC also published a separate notice requesting 
comment on DG-5019, Revision 1, ``Reporting and Recording Safeguards 
Events.''
    The NRC received 14 submittals on the proposed rule and draft 
guidance. The NRC also received one comment on the proposed 
implementation date during the July 31, 2014, public meeting. Comments 
specific to cyber security event notifications in the proposed enhanced 
weapons rule and DG-5019, Revision 1, were identified and are addressed 
in this final rule. The comments specific to the proposed rule on 
Enhanced Weapons, Firearms Background Checks, and Security Event 
Notifications (76 FR 6200) are not addressed in this final rule and 
will be addressed in a subsequent rulemaking. In addition, certain 
event notification comments in the proposed rule that were generic 
(e.g., comments referring to four-hour notifications in general) are 
addressed for cyber security events in this final rule. The submittals 
containing comments specific to cyber security event notifications were 
consolidated into a single document (ADAMS Accession No. ML14226A596) 
that assigns the comment designators (e.g., NEI-155) used in this final 
rule. In the proposed rule and draft guidance, the cyber security event 
notifications aligned with physical security event notifications with a 
focus on compensated and uncompensated events. However, based on public 
comments, the final rule and regulatory guidance now align more 
closely with Sec.  73.54 with a focus on adverse impacts to SSEP 
functions.

A. Public Comments on Proposed Rule

    Comment 1: One commenter stated that neither Sec.  73.71 nor 
appendix G to 10 CFR part 73 contains an effective date for cyber 
security reporting requirements, and recommended that the reporting 
requirements align with the date the cyber security plan becomes 
effective. [NEI-155]
    Response: The NRC disagrees with this comment. Notification of a 
cyber security event is necessary to assist the NRC in assessing and 
evaluating issues with potential cyber security-related implications in 
a timely manner, determining the significance and credibility of the 
identified issue(s), and providing recommendations and/or

[[Page 67267]]

courses of action to NRC management. Currently, licensees are reporting 
certain cyber security events voluntarily to the NRC. However, because 
this is done voluntarily there could be certain cyber security events 
that may not be reported to the NRC in a timely manner or reported at 
all. The cyber security event notifications final rule removes the 
voluntary aspects of reporting certain cyber security events, provides 
regulatory stability, and ensures the NRC is notified in a timely 
manner.
    Prompt notification of a cyber attack could be vital to the NRC's 
ability to take immediate action in response to a cyber attack and, if 
necessary, to notify other NRC licensees, Government agencies, and 
critical infrastructure facilities, to defend against a multiple sector 
(e.g., energy, financial, etc.) cyber attack. Like the attacks of 
September 2001, a cyber attack has the capability to be launched 
against multiple targets simultaneously or spread quickly throughout 
multiple sectors of critical infrastructure. In light of these 
potential consequences, the NRC does not want to delay the 
implementation of the cyber security event notification final rule to 
match the effective date of each licensee's cyber security plan (i.e., 
Milestone 8) because those cyber security plans may not be fully 
effective for several years.
    The final rule will become effective 30 days after publication in 
the Federal Register. The compliance date will be 180 days after 
publication (consistent with the implementation schedule described in 
the proposed rule) to allow licensees time to revise their event 
notification procedures and train personnel on event notifications 
specific to cyber security (i.e., identification, reporting). The cyber 
security event notification final rule is consistent with existing 
notification processes (i.e., Sec. Sec.  50.72 and 73.71) and aligns 
closely with Sec.  73.54 (e.g., adverse impacts to SSEP functions) as 
well as current voluntary reporting activities associated with cyber 
security requiring less time for implementation. In addition, the cyber 
security event notification final rule complements the implementation 
of Milestones 1 through 7. For example, the identification of critical 
systems and critical digital assets (Milestone 2), the implementation 
of a deterministic one-way device (Milestone 3), and access controls 
for portable media devices (Milestone 4) are all programs that when 
properly implemented and maintained, should identify and mitigate 
adverse impacts to SSEP functions. The cyber security event 
notification final rule requires licensees to notify the NRC when a 
cyber attack caused or could have caused an adverse impact to SSEP 
functions. These factors, along with the importance of the NRC 
strategic communications mission of informing the DHS and Federal 
intelligence and law enforcement agencies of cyber security-related 
events that could: 1) Endanger public health and safety or the common 
defense and security, 2) provide information for threat-assessment 
processes, or 3) generate public or media inquiries, support the need 
for the 180-day implementation schedule.
    Comment 2: One commenter indicated that critical digital assets 
(CDAs) that are not part of a target set should not have the same 
sensitivity as those CDAs that are contained within a target set. [NEI-
156]
    Response: The NRC disagrees with this comment. The NRC staff has 
recognized that a graded approach to controls required for CDAs is 
warranted based on the ability to detect and mitigate the consequences 
of a cyber attack. However, the cyber security event notification 
requirements focus on events that have or could have an adverse impact 
to SSEP functions, and thereby incorporate consideration of 
protections that prevent successful cyber attacks. Therefore, the 
notification requirements cover all CDAs and critical systems within 
the scope of Sec.  73.54, which includes: Safety-related and important-
to-safety functions; security functions; emergency preparedness 
functions, including offsite communications; and support systems and 
equipment which, if compromised, would adversely impact safety, 
security, or emergency preparedness functions.
    Comment 3: Two commenters recommended that the four-hour 
notification events should be incorporated into the eight-hour 
notification events, therefore eliminating the four-hour notification 
events. One commenter specifically recommended that suspicious events 
be moved from four-hour to eight-hour notifications. [NEI-17, 161, 
Hardin-2]
    Response: The NRC agrees, in part, with this comment. The NRC agrees 
that suspicious cyber security events (i.e., activities that may 
indicate intelligence gathering or pre-operational planning related to 
a cyber attack) should be moved from four-hour notifications to eight-
hour notifications. However, notifications involving a local, State, or 
other Federal agency are consistent with existing NRC regulations at 
Sec.  50.72(b)(2)(xi). In addition, the category of unsuccessful cyber 
attacks has been clarified to align more closely with Sec.  73.54; it 
addresses cyber attacks that could have caused an adverse impact to SSEP 
functions and remains a four-hour notification so the NRC can conduct additional 
notifications as appropriate (e.g., other NRC licensees, Federal law 
enforcement agencies, the intelligence community) to mitigate the 
effects of a widespread cyber attack, or use as part of the National 
threat assessment process. Furthermore, unauthorized operation and 
tampering events have been clarified to address suspected or actual 
cyber attacks initiated by personnel with physical or electronic access 
and were moved in the final rule to four-hour notifications due to the 
implications of an internal threat. Accordingly, the NRC has revised 
the rule language and associated guidance consistent with this approach 
to address the broader recommendation of aligning more closely with 
Sec.  73.54.
    Comment 4: One commenter suggested adding the word ``significant'' 
in front of cyber security events. [NEI-167]
    Response: The NRC disagrees with this comment. Prefacing the phrase 
``cyber security events'' with ``significant'' does not add clarity to 
the rule. The NRC is requiring only those cyber security events 
associated with actual or potential adverse impacts to be reported. The 
NRC has changed the rule text and associated guidance to align more 
closely with Sec.  73.54 and distinguishes cyber security events by 
whether an adverse impact has occurred (or not) to SSEP functions as a 
result of a cyber attack.
    Comment 5: One commenter suggested removing the requirement in 
appendix G of 10 CFR part 73 regarding the recording of events in a 
safeguards event log. The commenter suggested licensees use the 
corrective action program instead of using a separate log. [NEI-18, 
194, 202]
    Response: The NRC agrees with this comment. The cyber security plan 
for each licensee describes the use of the corrective action program to 
track, trend, correct, and prevent recurrence of cyber security 
failures and deficiencies. Therefore, the cyber security event 
notification rule text (Sec.  73.77) has been revised to require 
licensees to use their corrective action program to record 
vulnerabilities, weaknesses, failures and deficiencies in their cyber 
security program. Regulatory Guide 5.83 has also been revised to 
reflect this change.
    Comment 6: The NRC received a comment regarding the use of the term 
``compensatory'' in the context of cyber security, stating that the 
term is unclear, and is not defined in the two cyber security plan 
(CSP) templates, Appendix A of RG 5.71, and Appendix A of NEI 08-09. 
[NEI-153, 165]

[[Page 67268]]

    Response: The NRC agrees with this comment. The term 
``compensatory'' is not defined in either CSP template or in other NRC 
guidance related to cyber security. Based on public comments, the NRC 
has developed a different approach for determining cyber security event 
notifications, one that is based on whether the cyber attack caused an 
adverse impact (or not) to SSEP functions. The final rule and RG 5.83 
have been revised to reflect this new approach.
    Comment 7: The NRC received one comment pertaining to use of the 
term ``uncompensated'' in the context of cyber security, stating that 
the term is unclear, and is not defined within the CSP. In addition, 
one of the commenters also stated that the term ``failure'' in the 
context of cyber security required clarification. [NEI-164, 207]
    Response: The NRC agrees with this comment. The terms 
``uncompensated'' and ``failure'' have been removed from the final rule 
language. Based on public comments, the NRC has developed a different 
approach for determining cyber security event notifications, one that 
is based on whether the cyber attack or event caused an adverse impact 
(or not) to SSEP functions. Regulatory Guide 5.83 has been revised to 
reflect this new approach.
    Comment 8: One commenter proposed changes to the rule language, 
paragraph I.(h)(1) in appendix G of 10 CFR part 73, adding the terms 
``credible,'' ``malicious,'' and ``radiological sabotage'' to add 
clarity. The commenter recommended rewriting the event to add in part, 
``a credible threat to commit or cause a malicious act to modify, 
destroy, or compromise any systems, networks, or equipment that falls 
within the scope of 10 CFR 73.54 of this part where a compromise of 
these systems has resulted or could result in radiological sabotage.'' 
[NEI-157, 206]
    Response: The NRC disagrees with this comment. Based on public 
comments, the NRC developed a different approach for determining cyber 
security event notifications, one that is based on whether a cyber 
attack caused an adverse impact (or not) to SSEP functions. This 
approach aligns more closely with Sec.  73.54 and the terms 
``credible,'' ``malicious,'' and ``radiological sabotage'' are not 
needed to provide clarity under this approach. Regulatory Guide 5.83 
has been revised to reflect this new approach.
    Comment 9: One commenter proposed revising the proposed rule 
language in paragraph I.(h)(2) in appendix G of 10 CFR part 73 to 
include language regarding the defense-in-depth protective strategies 
required by Sec.  73.54(c)(2). [NEI-158]
    Response: The NRC agrees with this comment. The NRC evaluated the 
proposed rule language and determined that items to be reported under 
this section are duplicative. Based on public comments, the NRC 
developed a different approach for determining cyber security event 
notifications, one based on whether the cyber attack caused an adverse 
impact (or not) to SSEP functions. Regulatory Guide 5.83 has been 
revised to reflect this approach.
    Comment 10: One commenter proposed language to paragraph I.(c)(1) 
in appendix G of 10 CFR part 73 to report only instances of suspicious 
or surveillance activity or attempts to access systems, networks, or 
equipment that is within the scope of Sec.  73.54. Additionally, the 
commenter recommended deleting proposed language that would include 
reporting of additional types of events like potential tampering or 
potential destruction of networks, systems, or equipment. [NEI-159]
    Response: The NRC disagrees with this comment. The commenter's 
reference to paragraph I.(c)(1) in appendix G of 10 CFR part 73 appears 
to be misquoted. The changes proposed by the commenter would amend 
paragraph II.(c)(1) in appendix G. The NRC believes that surveillance 
activities are captured within activities that indicate intelligence 
gathering or pre-operational planning and should be reported, and has 
made appropriate changes to this final rule. The NRC has clarified and 
relocated this requirement to the eight-hour notifications, now 
designated as Sec.  73.77(a)(3). Additionally, the NRC moved the 
reporting of potential tampering, or potential destruction of networks, 
systems or equipment from this requirement and they are now captured 
under Sec.  73.77(a)(1), (a)(2)(i), and (a)(2)(ii) of this final rule.
    Comment 11: One commenter indicated that paragraph I.(c)(2) in 
appendix G of 10 CFR part 73 in the proposed rule text should be 
completely removed because it duplicates other proposed rule text. 
[NEI-160]
    Response: The NRC agrees in part with this comment. The 
commenter's reference to paragraph I.(c)(2) in appendix G of 10 CFR 
part 73 appears to be misquoted. The changes proposed by the commenter 
would amend paragraph II.(c)(2) in appendix G. The final rule text has 
been revised to remove all duplicative language and is aligned more 
closely with the requirements in Sec.  73.54 (i.e., adverse impacts to 
SSEP functions). This revised requirement is designated as Sec.  
73.77(a)(2)(i). Regulatory Guide 5.83 has been revised to reflect this 
change.
    Comment 12: One commenter proposed changes to paragraph III in 
appendix G of 10 CFR part 73 to clarify the language under eight-hour 
reportable events to be consistent with Sec.  73.54(c)(1), which 
implements security controls to protect CDAs and critical systems from 
cyber attacks. [NEI-162]
    Response: The NRC agrees in part with this comment. Based on 
public comments, the NRC developed an approach that aligns more closely 
with Sec.  73.54. The implementation of security controls to protect 
CDAs from cyber attacks as described in Sec.  73.54(c)(1) is designed 
to prevent adverse impacts to SSEP functions. Therefore, in the final 
rule, a cyber attack that adversely impacted SSEP functions requires 
notification within one hour after discovery, and cyber attacks that 
could have caused an adverse impact to SSEP functions require 
notification within four hours after discovery due to the potential 
consequences of these events. Regulatory Guide 5.83 has been revised to 
reflect this new approach.
    Comment 13: One commenter recommended adding ``that would'' to a 
proposed 24-hour recordable event provision in paragraph IV.(a)(2) in 
appendix G of 10 CFR part 73. Specifically, the commenter recommended 
that the proposed appendix G provision regarding compensated security 
events state in part as follows:

    (a) Any failure, degradation, or discovered vulnerability in a 
safeguards system, had compensatory measures not been established, 
that could . . . (2) Degrade the effectiveness of the licensee's or 
certificate holder's cyber security program that would allow 
unauthorized or undetected access to any systems, networks, or 
equipment that fall within the scope of Sec.  73.54 of this part.

The commenter stated that this re-worded provision would better align 
with another proposed provision in paragraph I.(h)(2) in appendix G of 
10 CFR part 73. [NEI-163]
    Response: The NRC disagrees with this comment. Adding the words, 
``that would'' to the rule text changes the context of the type of 
events that are required to be recorded. However, based on other public 
comments, the NRC re-evaluated the 24-hour recordable events for cyber 
security event notifications and developed an approach that aligns more 
closely with the CSP requirements. Under this approach, as reflected in 
the new Sec.  73.77(b)(1) provision being added as part of this
final rule, licensees will be required to use their corrective action 
program to record vulnerabilities, weaknesses, failures, and 
deficiencies in their cyber security program within twenty-four hours 
of their discovery. Regulatory Guide 5.83 has been updated to reflect 
this change.
    Comment 14: One commenter recommended revising the proposed rule 
language to align exactly with the rule language in Sec.  73.54(a)(2), 
which discusses protecting digital assets from cyber attacks that would 
adversely impact the operations of SSEP functions. Specifically, the 
commenter notes that the reporting rule text uses the word ``could'' 
instead of ``would.'' [NEI-168]
    Response: The NRC agrees in part with this comment. The NRC agrees 
that the reporting rule text should align more closely with Sec.  
73.54. However, the NRC disagrees with changing the word ``could'' to 
``would,'' because these words are correctly used in their respective 
rules. Section 73.54 addresses hypothetical future cyber attacks that 
must be protected against, while this rule describes notifications that 
licensees are required to issue after an event has already occurred. 
Further, there are different types of cyber attacks that licensees are 
required to report. One type of attack required to be reported is a 
cyber attack that adversely impacted SSEP functions. This type of 
attack is to be reported within one hour after discovery. Another type 
required to be reported is a cyber attack that could have caused an 
adverse impact to SSEP functions; this type of attack is to be reported 
within four hours after discovery. The NRC has revised RG 5.83 to 
reflect this new approach that aligns more closely with Sec.  73.54 
regarding adverse impacts to SSEP functions.
    Comment 15: One commenter proposed deleting the requirement in 
paragraph II.(c)(2) in appendix G of 10 CFR part 73 because the 
commenter believes it is duplicated in paragraph I.(h)(2) in appendix 
G. [NEI-169]
    Response: The NRC agrees that the proposed paragraph II.(c)(2) in 
appendix G of 10 CFR part 73 is similar to paragraph I.(h)(2) in 
appendix G; therefore, the NRC has revised the final rule to make it 
clear exactly what types of cyber attacks are reported to the NRC. 
Specifically, the final rule language reflects a different approach for 
determining cyber security event notifications, eliminates duplicative 
requirements, and provides clarity based on whether the attack caused 
an adverse impact (or not) to SSEP functions. Regulatory Guide 5.83 has 
been revised to reflect this new approach.
    Comment 16: One commenter proposed rule language in paragraph 
I.(h)(2) in appendix G of 10 CFR part 73 that would change events that 
``could'' allow unauthorized or undetected access into systems, 
networks, or equipment to events that ``would'' allow unauthorized or 
undetected access into systems, networks, or equipment. [NEI-170]
    Response: The NRC disagrees with this comment, but has, for other 
reasons, revised the requirement in the final rule. The objective of 
this reporting requirement is not to have licensees confirm with the 
NRC that a cyber attack has occurred. Rather, the objective is to 
report conditions in which such an attack could have occurred. The NRC 
continues to believe that licensees should report events or 
circumstances that could have resulted in undetected or compromised 
conditions at the facility. However, the NRC staff evaluated the 
language in the proposed rule and determined that items reported under 
this section were duplicative and therefore removed this requirement 
from the final rule text. Regulatory Guide 5.83 was revised to reflect 
this change.
    Comment 17: One commenter recommended four- and eight-hour 
notifications be consolidated into ``within 24-hours'' to mitigate 
event reporting violations. [B&W-30]
    Response: The NRC disagrees with this comment. The four- and 
eight-hour notifications include cyber attacks and activities (i.e., 
precursors to an attack) where the timeliness of information allows the 
NRC to conduct additional notifications (to DHS, other NRC licensees), 
assists the Federal Government and/or other NRC licensees to take 
mitigative measures to prevent a widespread cyber attack, and allows 
the NRC to respond to public and/or media inquiries. In addition, 
notifications to a local, State or other Federal agency are consistent 
with existing NRC regulations at Sec.  50.72(b)(2)(xi).
    Comment 18: One commenter recommended clarification on cyber 
security event notification requirements regarding exclusion of 
licensees not subject to Sec.  73.54. [NFS-11, 12]
    Response: The NRC agrees with this comment. The final rule text was 
revised and clarified to only apply to licensees subject to the 
provisions of Sec.  73.54.
    Comment 19: One commenter recommended that ``one-hour 
notifications'' should be related to a specific threat or attempted 
threat to the facility, and events that do not pose an actual threat 
should be ``eight-hour notifications.'' [NEI-22, 33]
    Response: The NRC disagrees with this comment. Based on public 
comments, the NRC developed a different approach for determining cyber 
security event notifications, one that is based on whether a cyber 
attack caused an adverse impact (or not) to SSEP functions. Cyber 
attacks that adversely impacted SSEP functions are now one-hour 
notifications. Cyber attacks that could have caused an adverse impact 
to SSEP functions are now four-hour notifications, and activities that 
may indicate intelligence gathering or pre-operational planning related 
to a cyber attack are now eight-hour notifications.
    Comment 20: One commenter recommended adding the word 
``malevolent'' to proposed requirements describing an unauthorized 
operation or tampering event to rule out human error events. [NEI-31, 
48]
    Response: The NRC disagrees with this comment. The word 
``malevolent'' is unnecessary because, under the new approach, 
notification of such events is not based on the intent of the act, but 
based on the potential consequences of the event (i.e., adverse impact 
(or not) to SSEP functions). No change has been made to the final rule 
based on this comment.
    Comment 21: One commenter recommended clarifying requirements 
regarding law enforcement interactions. The commenter recommended that 
notifications that could result in public or media inquiries should not 
duplicate notifications made under other NRC regulations such as Sec.  
50.72(b)(2)(xi). [NEI-35]
    Response: The NRC agrees with this comment. The final rule has been 
revised to eliminate duplication of notifications made under other NRC 
regulations. Regulatory Guide 5.83 has been revised to reflect this 
change.
    Comment 22: One commenter recommended clarification regarding 
retraction of reports determined later to be invalid. The commenter 
stated that the notification may not be invalid, but later be 
determined it does not meet the threshold of a one-, four-, or eight-
hour notification (i.e., recordable event). [NEI-40]
    Response: The NRC agrees with this comment. The final rule and RG 
5.83 have been revised to clarify that retraction of reports can 
include valid reports which later do not meet the threshold of a one-, 
four-, or eight-hour notification.
    Comment 23: One commenter recommended adding the term ``malicious 
intent'' to each of the eight-hour reportable events regarding 
unauthorized operation or tampering 
events. [NEI-53, 112]
    Response: The NRC disagrees with this comment. The term ``malicious 
intent'' is unnecessary because, under the new approach, notification 
of such events is not based on the intent of the act, but based on the 
potential consequences of the event (i.e., adverse impact (or not) to 
SSEP functions).
    Comment 24: One commenter recommended that cyber attack reporting 
needs to be synchronized with NEI 08-09 and RG 5.71 to ensure reporting 
criteria are well-defined. [NEI-69]
    Response: The NRC agrees with this comment. The final rule reflects 
an approach that aligns more closely with Sec.  73.54 and RG 5.71 and 
provides additional clarity on cyber security event notification 
criteria (i.e., adverse impact to SSEP functions). Regulatory Guide 
5.83 has also been revised to reflect this new approach.
    Comment 25: One commenter recommended deleting the requirements and 
guidance for written follow-up reports on several reporting events 
(four and eight-hour notifications). [NEI-117]
    Response: The NRC disagrees with this comment. Submission of 
written follow-up reports is consistent with existing NRC regulations 
and provides the NRC with information that may not have been available 
at the time of the notification.
    Comment 26: One commenter recommended that the final rule require 
licensees to notify their local FBI Joint Terrorism Task Force (JTTF) 
of suspicious events as contained in voluntary guidance documents and 
eliminate or reduce the timeliness of reporting such events to the NRC. 
[Hardin-3]
    Response: The NRC disagrees with this comment. The reporting of 
events to the FBI JTTF is voluntary and as such, does not have a 
timeliness requirement. This final rule requires notification to the 
NRC within a stated time for activities that may indicate intelligence 
gathering or pre-operational planning related to a cyber attack. 
Notifications of activities that may indicate intelligence gathering or 
pre-operational planning related to a cyber attack will be evaluated 
and forwarded as appropriate by the NRC to federal law enforcement 
agencies and the intelligence community as part of the National threat 
assessment process.

B. Public Comments on Draft Guide-5019

    Comment 1: One commenter proposed removing the terms such as 
``could,'' ``likelihood,'' and ``likely to'' from DG-5019. [NEI-21, 
166]
    Response: The NRC disagrees with this comment. The use of the terms 
``could,'' ``likelihood,'' and ``likely to'' within DG-5019 is 
consistent with existing NRC reporting guidelines (NUREG-1022, ``Event 
Report Guidelines for 10 CFR 50.72 and 50.73'' (ADAMS Accession No. 
ML13032A220)).
    Comment 2: One commenter proposed revising section 2.3.2, item r, 
of DG-5019 to include, ``Confirmed cyber attacks on computer systems 
that adversely affected safety, security, and emergency preparedness 
systems are reportable'' instead of, ``may adversely affect'' and 
removing item aa of section 2.3.2 due to redundancy. [NEI-171]
    Response: The NRC agrees with this comment. The staff evaluated 
both items in section 2.3.2 of DG-5019 and revised RG 5.83 to reflect 
the proposed changes.
    Comment 3: One commenter proposed revising section 2.3.2, item 
bb.(2), of DG-5019 to include the word ``cyber'' before security 
program and security measures. [NEI-172]
    Response: The NRC agrees with this comment, yet has, for other 
reasons, removed this material from the final guidance. The final 
guidance reflects changes made to the final rule that align more 
closely with Sec.  73.54 (i.e., adverse impacts to SSEP functions), and 
in the process, the NRC staff determined that item bb.(4) was no longer 
required.
    Comment 4: One commenter proposed revising section 2.3.2, item 
bb.(3), of DG-5019 to state that events caused inadvertently by an 
individual and not resulting in a threat to facility security, would be 
a recordable event, and events caused by a cyber attack resulting in an 
adverse impact to SSEP functions would be a one-hour reportable event. 
[NEI-173]
    Response: The NRC agrees with this comment. The item was revised in 
RG 5.83 to distinguish recordable inadvertent non-threatening events 
from those cyber attacks causing adverse impacts, which are one-hour 
notifications.
    Comment 5: One commenter recommended moving section 2.3.2, item 
bb.(4) (one-hour notification examples) to section 2.6.2 (eight-hour 
notification examples) in DG-5019 regarding attempts by unauthorized 
persons. [NEI-174]
    Response: The NRC disagrees with this comment, yet has, for other 
reasons, removed this material from the final guidance. The final 
guidance reflects changes made to the final rule that align more 
closely with Sec.  73.54 (i.e., adverse impacts to SSEP functions), and 
in the process, staff determined that item bb.(4) was no longer 
required.
    Comment 6: One commenter recommended moving section 2.3.2, item 
bb.(5), (one-hour notification examples) to section 2.6.2 (eight-hour 
notification examples) in DG-5019 regarding cyber attacks thwarted by 
security controls. [NEI-175]
    Response: The NRC disagrees with this comment, yet has, for other 
reasons, removed this material from the final guidance. The final 
guidance reflects changes made to the final rule that align more 
closely with Sec.  73.54 (i.e., adverse impacts to SSEP functions), and 
in the process, staff determined that item bb.(5) was no longer 
required.
    Comment 7: One commenter proposed removing the terms ``unauthorized 
software'' and ``firmware'' from section 2.3.2, item cc, because of 
redundancy with the term malware. [NEI-176]
    Response: The NRC disagrees with this comment, but for other 
reasons, the guidance has been revised. There is a difference between 
malware and unauthorized software or firmware, and therefore there is 
no redundancy. However, the staff re-evaluated the language and 
determined the example is not consistent with Sec.  73.54 and RG 5.71. 
Therefore, the example was not included in RG 5.83.
    Comment 8: One commenter proposed changes to section 2.3.2, item 
dd, of DG-5019 where the result was changed from compromising the CDA 
to an adverse impact to SSEP functions. [NEI-177]
    Response: The NRC agrees with the proposed changes to the item; 
however, due to changes in the final rule language, this item was 
clarified and moved to a four-hour notification example within RG 5.83.
    Comment 9: One commenter recommended removing section 2.3.2, item 
ee, of DG-5019, because there are no NRC regulations covering 
``sensitive cyber security data.'' [NEI-178]
    Response: The NRC agrees with this comment. The item has been 
removed from RG 5.83.
    Comment 10: One commenter recommended clarifying section 2.3.2, 
item ff, of DG-5019, and proposed the term ``cyber intrusion detection 
capability'' instead of the term ``cyber intrusion detection system.'' 
[NEI-179]
    Response: The NRC disagrees with this comment, yet has, for other 
reasons, removed this material from the final guidance. The item was 
not included in RG 5.83 because it was not consistent with Sec.  73.54 
and RG 5.71.
    Comment 11: One commenter recommended section 2.3.2, item hh, of
DG-5019 be revised to be consistent with Sec.  73.54(a)(2) by removing 
the term uncompensated. [NEI-181]
    Response: The NRC disagrees with this comment, yet has, for other 
reasons, removed this material from the final guidance. The staff 
reviewed the item and determined it was not consistent with 10 CFR 
73.54 and RG 5.71 and removed it from RG 5.83.
    Comment 12: The NRC received several comments regarding redundant 
material within section 2.3.2, item hh, of DG-5019. [NEI-180, 182, 
185]
    Response: The NRC agrees with this comment. Staff removed items gg, 
ii and ll from section 2.3.2 in RG 5.83 because they were redundant 
with item hh regarding unauthorized access to CDAs.
    Comment 13: One commenter recommended moving section 2.3.2, item 
jj, of DG-5019 from the one-hour notification examples to the four-hour 
notification examples in section 2.5.2 regarding discovery of falsified 
identification badges. [NEI-183]
    Response: The NRC agrees in part with this comment, that the item 
should be moved. However, under the new approach, this item is 
consistent with eight-hour notifications (i.e., activities that may 
indicate intelligence gathering or pre-operational planning related to 
a cyber attack) and was moved in final guidance to the eight-hour 
notification examples.
    Comment 14: One commenter recommended revising section 2.3.2, item 
kk, of DG-5019 replacing the term ``could'' with ``would.'' [NEI-184]
    Response: The NRC disagrees with this comment, yet has, for other 
reasons, removed this material from the final guidance. The NRC staff 
re-evaluated this item, determined it was not consistent with the final 
rule, and deleted it from RG 5.83.
    Comment 15: One commenter recommended removing section 2.3.2, item 
mm, of DG-5019 because it duplicates 2.3.2, item y, regarding 
safeguards reporting requirements. [NEI-186]
    Response: The NRC agrees with this comment. The item has been 
removed from RG 5.83.
    Comment 16: One commenter recommended removing section 2.3.2, item 
nn, of DG-5019 because there are no NRC requirements for maintaining 
cyber security response personnel staffing levels. [NEI-187]
    Response: The NRC agrees with this comment. The item has been 
removed from RG 5.83.
    Comment 17: One commenter recommended revising section 2.3.2, item 
oo, of DG-5019 to change the phrase, ``could increase the likelihood of 
an attempted attack'' to the phrase, ``would result in an attack.'' 
[NEI-188]
    Response: The NRC disagrees with this comment, yet has, for other 
reasons, revised this material in the final guidance. This item has 
been revised in RG 5.83 to include any event that allows unauthorized 
or undetected access to a CDA that could be exploited in an attack to 
be reported within four hours of discovery.
    Comment 18: One commenter recommended adding new examples to 
sections 2.3.2 and 2.5.2 of DG-5019. One example, (section 2.3.2) 
involved discovery of unauthorized user IDs and unauthorized 
configurations to cyber controls (e.g., firewall port opening, etc.). 
The other example (section 2.5.2) involved unauthorized attempts to 
probe CDAs including the use of social engineering techniques. [NEI-
189, 190]
    Response: The NRC agrees with the examples provided, and based on 
final rule text changes (cyber attacks initiated by personnel with 
physical or electronic access and activities that may indicate pre-
operational planning), these items were included in RG 5.83.
    Comment 19: One commenter recommended revising section 2.5.2, item 
kk, of DG-5019 to include the word cyber before the term security 
controls. [NEI-191]
    Response: The NRC agrees with this comment. The item was revised in 
RG 5.83 to include the word cyber before security controls.
    Comment 20: One commenter recommended removing section 2.5.2, item 
mm, of DG-5019 because it is redundant to section 2.5.2, item kk. [NEI-
192]
    Response: The NRC agrees with this comment. The item has been 
removed from RG 5.83.
    Comment 21: One commenter recommended revising section 2.5.2, item 
oo, of DG-5019 to add Levels 3 and 4 to the description so the item is 
consistent with the definition provided in the glossary for a CDA. 
[NEI-193]
    Response: The NRC disagrees with this comment, but for other 
reasons has revised the final guidance. The definition of a CDA in RG 
5.83 was revised for consistency with the definition provided in RG 
5.71.
    Comment 22: One commenter recommended revising section 2.5.2, item 
qq, of DG-5019 or removing it altogether because reporting the high 
number of malware attempts on lower security level networks that do not 
have the degree of protection of CDAs would be burdensome on the NRC 
and the licensee. [NEI-195]
    Response: The NRC agrees with this comment. Based on final rule 
text changes, this item was revised in RG 5.83 narrowing the scope to 
attacks discovered or manifested on a CDA, critical system or protected 
network reducing the number of potential notifications on the licensee 
and the NRC.
    Comment 23: One commenter recommended revising section 2.5.2, item 
rr, of DG-5019 to clarify the term ``cyber systems.'' [NEI-196]
    Response: The NRC agrees with this comment. In RG 5.83 this item 
was revised for consistency with RG 5.71 and uses the terms ``critical 
systems'' and ``CDAs.''
    Comment 24: One commenter recommended removing the 15-minute 
reference in section 2.5.2, item ss, of DG-5019. [NEI-197]
    Response: The NRC agrees with this comment. The final rule text 
does not contain any 15-minute notifications related to cyber security, 
and therefore, this item was revised in the final guidance to a four-
hour notification example.
    Comment 25: One commenter recommended revising or removing the 
paragraph before section 2.6.2, item h, in DG-5019 regarding cyber 
security events that interrupt or degrade the facility's SSEP 
functions. [NEI-198]
    Response: The NRC agrees with this comment, yet has, for other 
reasons, removed this material from the final guidance. The final 
guidance reflects changes made to the final rule that align more 
closely with Sec.  73.54 (i.e., adverse impacts to SSEP functions), and 
in the process, staff determined that this item was no longer required.
    Comment 26: One commenter recommended revising section 2.6.2, item 
I, of DG-5019. The commenter recommended removing the term ``failed'' 
because a CDA could fail for non-malicious reasons and not be the 
result of a cyber attack or unauthorized activity. [NEI-199]
    Response: The NRC agrees with this comment. There are many reasons 
a critical digital asset can fail that are not related to unauthorized 
activity or cyber attacks. Regulatory Guide 5.83 has been revised to 
reflect this change.
    Comment 27: One commenter recommended revising section 5.3, item n, 
of DG-5019 because the term ``compensated'' is not defined. [NEI-200]
    Response: The NRC agrees with this comment. This item was removed 
from RG 5.83.
    Comment 28: One commenter recommended clarifying section 5.3, item 
o, of DG-5019 regarding individuals who are incorrectly authorized 
access to a CDA. [NEI-201]
    Response: The NRC agrees with this comment. This item was removed 
from RG 5.83.
    Comment 29: One commenter recommended adding items to section 5.3 
of DG-5019 to include examples of cyber events that are compensated as 
proposed by paragraph IV.(a) in appendix G of 10 CFR part 73. [NEI-203]
    Response: The NRC disagrees with this comment. The final rule 
language reflects a different approach, one based on whether the cyber 
attack or event caused an adverse impact (or not) to SSEP functions, 
instead of whether the cyber attack or event was compensated or 
uncompensated. Regulatory Guide 5.83 has been revised to reflect this 
new approach.
    Comment 30: One commenter recommended changes to the definitions 
provided in the glossary of DG-5019. The commenter proposed changing 
``cyber attack'' to be consistent with the definition provided in NEI 
08-09 and changing ``CDA'' to only include digital computer, 
communication systems, and networks that fall within level 3 or 4 
boundaries as well as a general comment that all definitions in the 
glossary be synchronized with code requirements and regulatory guides. 
[NEI-138, 204, 205]
    Response: The NRC agrees in part with this comment. The definitions 
of cyber attack and CDA in RG 5.83 have been revised to synchronize 
with the definitions in RG 5.71, not NEI 08-09.
    Comment 31: Two commenters proposed a definition of the term 
``discovery time of'' in DG-5019. The commenters suggested discovery 
occurs after initial notifications are made and a determination made 
that the event meets applicable reporting requirements. [NEI-19, 
B&W-29]
    Response: The NRC disagrees with this comment. Internal 
notifications and gathering information to make a determination as to 
whether it meets applicable reporting requirements could take several 
hours, or even days, depending on the amount of information needed to 
reach a conclusion. The time to report an event is upon recognition; 
the licensee can withdraw a report (based on subsequent analysis of the 
circumstances) without prejudice to its security performance 
indicators. No changes have been made to the guidance.
    Comment 32: One commenter stated that the cyber security plan 
templates published by the NRC and NEI do not contain guidance for 
licensees to differentiate between events that are recordable versus 
reportable. [NEI-20, 154]
    Response: The NRC agrees with this comment. Neither cyber security 
plan template issued by the NRC nor that issued by NEI contains guidance for licensees 
on which events are recordable or reportable. However, DG-5019 provided 
guidance to licensees on events that are reportable and recordable 
related to cyber security event notifications. Consistent with 
Commission policy, the NRC is publishing with this final rule, final 
guidance, RG 5.83, ``Cyber Security Event Notifications,'' which 
provides guidance to licensees on an acceptable method for meeting 
regulatory requirements. The final guidance has been revised to provide 
examples that differentiate between events that are reportable and 
recordable.
    Comment 33: One commenter recommended revisions to NRC Form 366. 
The commenter recommended the NRC specify the type of content licensees 
should include in the abstract section of the form. [NEI-44, 118]
    Response: The NRC disagrees with this comment. The NRC's Form 366 
will not be revised. Regulatory Guide 5.83 will provide the specific 
type of content that should be included in the abstract section of 
NRC's Form 366.
    Comment 34: One commenter recommended clarifying the guidance 
regarding elicitation of information from facility personnel relating 
to security or safe operation of the facility. The commenter suggested 
adding the phrase ``non-routine'' regarding the elicitation of 
information to distinguish general public or media inquiries from 
elicitations that could be indicative of suspicious activity. [NEI-52, 
95, 99]
    Response: The NRC agrees with this comment. Regulatory Guide 5.83 
has been revised to provide a distinction between common inquiries 
(e.g., public and media inquiries) and uncommon inquiries (e.g., 
activities that may indicate intelligence gathering or pre-operational 
planning related to a cyber attack).
    Comment 35: One commenter recommended clarifying the examples of 
one-hour notifications and including ``real life'' examples. [NEI-71]
    Response: The NRC agrees with this comment. The NRC staff reviewed 
previous ``real life'' examples and included them in final guidance. In 
addition, the new approach for one-hour notifications (i.e., adverse 
impacts to SSEP functions) provides additional clarity.
    Comment 36: One commenter recommended changes to the examples 
involving the compromise of CDAs. The commenter stated that section 
2.3.2 of DG-5019, items (aa) and (bb) were duplicative, and that two 
supporting examples (4 and 5) were not within the scope of one-hour 
notifications (i.e., adverse impact to SSEP functions). [NEI-94]
    Response: The NRC agrees with this comment. Regulatory Guide 5.83 
has been revised to delete one of the duplicate items and to remove the 
two supporting examples from the remaining item.
    Comment 37: One commenter recommended moving an example related to 
unauthorized attempts to steal business secrets or sensitive 
information to the cyber security event notification examples. [NEI-
100]
    Response: The NRC disagrees with this comment. The final rule 
reflects an approach that aligns more closely with Sec.  73.54 and RG 
5.71, and provides clarity to cyber security event notification 
criteria. Unauthorized attempts to access business and trade sensitive 
information are outside the scope of Sec.  73.54, and no changes to the 
rule or RG 5.83 were made based on this comment.
    Comment 38: One commenter recommended clarifying the example 
regarding unsubstantiated cyber threats related to harassment, 
including threats that could represent tests of response capabilities. 
The commenter stated the example was confusing and too broad in scope. 
[NEI-111]
    Response: The NRC agrees with this comment. The NRC has revised the 
example to clarify the scope of the cyber attacks to be reported (i.e., 
a cyber attack that could have caused an adverse impact to SSEP 
functions).
    Comment 39: One commenter requested NRC clarify the guidance on 
unplanned missed cyber vulnerability assessments. [NEI-131]
    Response: The NRC agrees with this comment. Regulatory Guide 5.83 
was revised to clarify the treatment of missed cyber vulnerability 
assessments. The CSP states the periodicity that cyber vulnerability 
assessments are performed (quarterly). If a cyber vulnerability 
assessment exceeds the periodicity specified in the CSP, it would be 
considered a 24-hour recordable event.

C. Public Comments on Proposed Implementation Date From July 31, 2014, 
Public Meeting

    Comment 1: One commenter raised a concern that issuing the Cyber 
Security Event Notifications (CSEN) final rulemaking now may delay 
full implementation of Sec.  73.54 because of the impact on resources. 
The commenter stated that licensees may have to divert some resources 
from implementing the cyber security program to implementing the CSEN 
requirements.
    Response: The NRC agrees in part with this comment. The NRC staff 
recognizes that this rule will have an impact on licensee resources 
(similar skillsets required for CSEN and cyber security program 
implementation). The NRC staff acknowledges this and is conducting 
CER-related activities in an effort to minimize the impact (e.g., 
conducting a public meeting on the implementation date during final 
rulemaking, issuing final guidance with the final rule). In addition, 
the CSEN final rule is consistent with existing notification processes 
(i.e., Sec. Sec.  50.72 and 73.71) and aligns closely with Sec.  73.54 
and the current voluntary reporting initiatives thereby reducing the 
level of impact on implementation. However, the CSEN final rule removes 
the voluntary aspect of reporting certain cyber security events and 
provides regulatory stability and ensures the NRC is notified in a 
timely manner while maintaining its strategic communications mission 
outlined in the framework of the National Infrastructure Protection 
Plan developed by the DHS (see http://www.dhs.gov/sites/default/files/publications/National-Infrastructure-Protection-Plan-2013-508.pdf). 
Prompt notification of a cyber attack could be vital to the NRC's 
ability to take immediate action in response to a cyber attack and, if 
necessary, to notify other NRC licensees, Government agencies, and 
critical infrastructure facilities, to defend against a multiple sector 
cyber attack. A cyber attack has the capability to be launched against 
multiple targets simultaneously or spread quickly throughout multiple 
sectors of critical infrastructure; therefore, the NRC has not changed 
the 180-day implementation schedule.

V. Section-by-Section Analysis

    The following section-by-section analysis discusses the final 
revisions to the NRC's regulations regarding cyber security, and 
explains how the final rule differs from the language in the proposed 
rule. This final rule adds a new section (Sec.  73.77) to 10 CFR part 
73 and revises three existing sections (Sec. Sec.  73.8, 73.22, and 
73.54) to make conforming changes.

Section 73.8, Information Collection Requirements: OMB Approval

    The NRC is amending Sec.  73.8 to add Sec.  73.77 to paragraph (b) 
that provides the approved information collection requirements 
contained in 10 CFR part 73 under control number 3150-0002. In 
addition, the NRC is amending Sec.  73.8 to add Sec.  73.77 to 
paragraph (c)(1) that provides that NRC Form 366 is approved under 
control number 3150-0104.

Section 73.22, Protection of Safeguards Information: Specific 
Requirements

    The NRC is amending Sec.  73.22(f)(3) to add the sentence, ``Cyber 
security event notifications required to be reported pursuant to Sec.  
73.77 are considered to be extraordinary conditions'' to the end of the 
paragraph.

Section 73.54, Protection of Digital Computer and Communication Systems 
and Networks

    The NRC is amending Sec.  73.54 to add a new paragraph (d)(4) that 
reads, ``Conduct cyber security event notifications in accordance with 
the provisions of Sec.  73.77.'' This new requirement guides the 
licensee to the correct 10 CFR part 73 section for conducting cyber 
security event notifications.

Section 73.77, Cyber Security Event Notifications

    The NRC has moved the cyber security event notification 
requirements that were proposed to be added to Sec.  73.71 and appendix 
G to a newly created section (Sec.  73.77) within 10 CFR part 73.
    Section 73.77(a)(1) requires licensees to notify the NRC within 
one hour after discovery of a cyber attack that adversely impacted 
safety-related or important-to-safety functions, security functions, or 
emergency preparedness functions (including offsite communications); or 
that compromised support systems and equipment resulting in adverse 
impacts to safety, security, or emergency preparedness functions within 
the scope of Sec.  73.54. This requirement differs from the proposed 
rule language; it has been revised to more closely align with Sec.  
73.54 and to remove the term ``uncompensated cyber security events'' 
because it was unclear and not defined within the CSP.
    Section 73.77(a)(2) requires licensees to notify the NRC within 
four hours of the events described in paragraphs (a)(2)(i) through 
(a)(2)(iii).
    Section 73.77(a)(2)(i) applies after discovery of a cyber attack 
that could have caused an adverse impact to safety-related or 
important-to-safety functions, security functions, or emergency 
preparedness functions (including offsite communications); or that 
could have compromised support systems and equipment, which if 
compromised, could have adversely impacted safety, security, or 
emergency preparedness functions within the scope of Sec.  73.54. This 
requirement differs from the proposed rule; it has been revised to more 
closely align with Sec.  73.54. In addition, the final rule 
distinguishes between four-hour and eight-hour notifications.
    Section 73.77(a)(2)(ii) applies after discovery of a suspected or 
actual cyber attack initiated by personnel with physical or electronic 
access to digital computer and communication systems and networks 
within the scope of Sec.  73.54. This requirement differs from the 
proposed rule; 
it has been revised to capture cyber attacks (e.g., tampering) that may 
not have any impact on SSEP functions, but may indicate an internal 
threat.
    Section 73.77(a)(2)(iii) applies after notification of a local, 
State, or other Federal agency (e.g., local law enforcement, FBI, etc.) 
of an event related to implementation of their cyber security program. 
The 
final rule includes other types of agencies besides law enforcement 
(e.g., DHS, etc.) to maintain consistency with existing NRC reporting 
requirements (e.g., Sec.  50.72).
    Section 73.77(a)(3) requires licensees to notify the NRC within 
eight hours after receipt or collection of information regarding 
observed behavior, activities, or statements that may indicate 
intelligence gathering or pre-operational planning related to a cyber 
attack against digital computer and communication systems and networks 
within the scope of Sec.  73.54. Requirements for ``suspicious cyber 
events'' have been revised and moved from four-hour notifications in 
the proposed rule to eight-hour notifications in the final rule. This 
requirement now captures activities that are associated with precursors 
to a cyber attack (e.g., activities related to intelligence gathering 
or pre-operational planning).
    Section 73.77(b) requires licensees to record certain cyber 
security events in their site corrective action program (CAP) within 
24 hours of their discovery. The proposed rule required licensees to 
use a Safeguards Event Log; to prevent duplication of effort, the final 
rule requires licensees to use their site CAP.
    Section 73.77(b)(1) requires licensees to use their site CAP to 
record vulnerabilities, weaknesses, failures, and deficiencies in their 
Sec.  73.54 cyber security program. This requirement has been revised 
to align with NRC physical protection program requirements in Sec.  
73.55(b)(10) regarding the use of the site CAP to track, trend, 
correct, and prevent recurrence of failures and deficiencies.
    Section 73.77(b)(2) requires licensees to record notifications made 
under paragraph (a) of Sec.  73.77.

[[Page 67274]]

    Section 73.77(c) provides the process for conducting cyber security 
event notifications.
    Section 73.77(c)(1) has been revised from the proposed rule to 
include the Emergency Notification System (ENS) as the primary means 
for conducting notifications, instead of any available telephone 
system. Using the ENS is consistent with existing NRC regulations for 
conducting notifications (e.g., Sec.  50.72).
    Section 73.77(c)(3) in the final rule was revised to remove a 
reference to paragraph III in appendix A of 10 CFR part 73 that 
provided instructions on requesting a transfer to a secure phone. The 
current appendix A in 10 CFR part 73 does not contain a paragraph III 
and conforming changes to appendix A are not part of this final rule. 
Section 73.77(c)(3) was revised to reference appendix A and request 
transfer to a secure phone.
    Sections 73.77(c)(6), ``Declaration of emergencies,'' and 
73.77(c)(7), ``Elimination of duplication,'' were moved in the final 
rule from the ``Written Security Follow-up Reports'' section into the 
``Notification Process'' section because they contain notification-
specific information. In addition, because the scope of this final rule 
was narrowed, several sections of the NRC's regulations that the 
proposed rule referenced (e.g., Sec.  70.50) are not being revised by 
this final rule.
    Section 73.77(d), ``Written security follow-up reports,'' 
establishes the necessary regulatory framework to facilitate consistent 
application of Commission requirements for written security follow-up 
reports for cyber security event notifications.

VI. Regulatory Flexibility Certification

    Under the Regulatory Flexibility Act (5 U.S.C. 605(b)), the NRC 
certifies that this rule does not have a significant economic impact on 
a substantial number of small entities. This final rule affects only 
the licensing and operation of nuclear power plants. The companies that 
own these plants do not fall within the scope of the definition of 
``small entities'' set forth in the Regulatory Flexibility Act or the 
size standards established by the NRC (10 CFR 2.810).

VII. Regulatory Analysis

    The NRC has prepared a final regulatory analysis for this final 
rule. The analysis examines the costs and benefits of the alternatives 
considered by the NRC. The regulatory analysis is available as 
indicated in Section XVII., ``Availability of Documents,'' of this 
document.

VIII. Backfitting and Issue Finality

    The final rule imposing new cyber security event notifications 
affects information collection and reporting requirements and is not 
considered to be a backfit, as presented in the charter for NRC's 
Committee to Review Generic Requirements. Therefore, a backfit analysis 
has not been completed for any of the provisions of this final rule.

IX. Cumulative Effects of Regulation

    While the proposed rule was issued prior to the formal CER 
requirements promulgated by SRM-SECY-0032, the intent of CER was still 
met. For example, the draft guidance was issued for comment concurrent 
with the proposed rule, a public meeting was conducted during the 
development of the proposed rule, a public meeting on implementation 
was conducted during the final rule stage, and the final guidance will 
be issued with the final rule.
    The NRC staff engaged external stakeholders at public meetings and 
by soliciting public comments on the proposed rule and draft guidance 
documents. A public meeting was held at NRC Headquarters on June 1, 
2011, to discuss the proposed rule, the draft implementation plan, and 
draft guidance.
    In addition, on July 31, 2014, a public meeting was held at the NRC 
Headquarters on the draft final implementation plan for the final rule 
(a type of meeting specifically contemplated by the NRC's CER effort). 
Prompt notification of a cyber attack is vital to the NRC's ability to 
take immediate action in response to a cyber attack, which contributes 
to protecting the public health and safety or the common defense and 
security. The NRC's strategic communications mission and the feedback 
from the public meetings informed the staff's recommended schedule for 
the final implementation date in the CSEN final rule.
    A fundamental CER process improvement is to publish the final 
guidance with the final rule so as to support effective implementation. 
This final rulemaking accomplishes this by ensuring that final guidance 
is complete and available concurrent with this final rule publication 
in the Federal Register.

X. Plain Writing

    The Plain Writing Act of 2010 (Pub. L. 111-274) requires Federal 
agencies to write documents in a clear, concise, and well-organized 
manner. The NRC has written this document to be consistent with the 
Plain Writing Act as well as the Presidential Memorandum, ``Plain 
Language in Government Writing,'' published June 10, 1998 (63 FR 
31883).

XI. Environmental Assessment and Final Finding of No Significant 
Environmental Impact

    The NRC has determined that this final rule is the type of action 
described in 10 CFR 51.22(c)(3)(iii). Therefore, neither an 
environmental impact statement nor environmental assessment has been 
prepared for this final rule.

XII. Paperwork Reduction Act

    This final rule contains new or amended information collection 
requirements that are subject to the Paperwork Reduction Act of 1995 
(44 U.S.C. 3501 et seq.). These requirements were approved by the 
Office of Management and Budget (OMB), approval numbers 3150-0230 and 
3150-0104.
    The burden to the public for these information collections is 
estimated to average 39.4 hours per response, including the time for 
reviewing instructions, searching existing data sources, gathering and 
maintaining the data needed, and completing and reviewing the 
information collection. Send comments on any aspect of these 
information collections, including suggestions for reducing the burden, 
to the Freedom of Information Act, Privacy, and Information Collections 
Branch (T-5 F53), U.S. Nuclear Regulatory Commission, Washington, DC 
20555-0001, or by email to [email protected] and to the 
Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202, 
(3150-0230 and 3150-0104), Office of Management and Budget, Washington, 
DC 20503 or by email to [email protected].

Public Protection Notification

    The NRC may not conduct or sponsor, and a person is not required to 
respond to, a request for information or an information collection 
requirement unless the requesting document displays a currently valid 
OMB control number.

XIII. Congressional Review Act

    In accordance with the Congressional Review Act of 1996 (5 U.S.C. 
801-808), the NRC has determined that this action is not a major rule 
and has verified this determination with the Office of Information and 
Regulatory Affairs of OMB.

XIV. Criminal Penalties

    For the purposes of Section 223 of the Atomic Energy Act of 1954, 
as amended (AEA), the NRC is issuing this final rule that would amend 
Sec. Sec.  
73.8, 73.22, and 73.54, and add Sec.  73.77 under one or more of 
Sections 161b, 161i, or 161o of the AEA. Willful violations of the rule 
would be subject to criminal enforcement. Criminal penalties as they 
apply to regulations in 10 CFR part 73 are discussed in Sec.  73.81(a).

XV. Compatibility of Agreement State Regulations

    Under the ``Policy Statement on Adequacy and Compatibility of 
Agreement State Programs,'' approved by the Commission on June 20, 
1997, and published in the Federal Register (62 FR 46517; September 3, 
1997), this rule is classified as compatibility ``NRC.'' Compatibility 
is not required for Category ``NRC'' regulations. The NRC program 
elements in this category are those that relate directly to areas of 
regulation reserved to the NRC by the AEA or the provisions of 10 CFR, 
and although an Agreement State may not adopt program elements reserved 
to the NRC, it may wish to inform its licensees of certain requirements 
via a mechanism that is consistent with a particular State's 
administrative procedure laws, but does not confer regulatory authority 
on the State.

XVI. Availability of Guidance

    The NRC is issuing implementation guidance for this rule, RG 5.83, 
``Cyber Security Event Notifications'' (Docket ID NRC-2014-0036). The 
guidance is available in ADAMS under Accession No. ML14269A388. 
Regulatory Guide 5.83 is intended to describe a proposed method that 
the NRC staff considers acceptable for use in complying with the NRC's 
regulations on cyber security event notifications. Because the 
regulatory analysis for the final rule provides sufficient explanation 
for the rule and the implementing guidance, a separate regulatory 
analysis was not prepared for the regulatory guide.

XVII. Availability of Documents

    The documents identified in the following table are available to 
interested persons through the following methods, as indicated.

------------------------------------------------------------------------
Document: ADAMS Accession No./Federal Register (FR) citation
------------------------------------------------------------------------
SECY-10-0085--Proposed Rule: ``Enhanced Weapons, Firearms Background 
 Checks and Security Event Notifications'' (RIN: 3150-AI49) (June 27, 
 2010): ML101110121
Staff Requirements--SECY-10-0085--Proposed Rule: Enhanced Weapons, 
 Firearms Background Checks and Security Event Notifications (RIN: 
 3150-AI49) (October 19, 2010): ML102920342
Proposed Enhanced Weapons, Firearms Background Checks, and Security 
 Event Notifications Rule (February 3, 2011): 76 FR 6199
DG-5019, ``Reporting and Recording Safeguards Events'' (February 3, 
 2011): 76 FR 6085
Summary of the June 1, 2011, Public Meeting to Discuss the Proposed 
 Enhanced Weapons, Firearms Background Checks and Security Event 
 Notifications Rulemaking (June 24, 2011): ML111720007
Bifurcation of the Enhanced Weapons, Firearms Background Checks, and 
 Security Event Notifications Rule (December 20, 2013): ML13280A366
Staff Requirements--COMSECY-13-0031--Bifurcation of the Enhanced 
 Weapons, Firearms Background Checks, and Security Event Notification 
 Rule (January 22, 2014): ML14023A860
Regulatory Analysis for Final Rule on Cyber Security Event 
 Notifications (10 CFR Part 73): ML14170B076
Summary of the July 31, 2014, Public Meeting to Discuss the Proposed 
 Implementation Date of the Draft Cyber Security Event Notification 
 Final Rule (August 29, 2014): ML14240A404
Regulatory Guide 5.83, ``Cyber Security Event Notifications'' (March 
 2015): ML14269A388
CSEN Public Comments Associated with Final Rule: ML14226A596
Final Rule: Cyber Security Event Notification OMB Supporting 
 Statement: ML15203A233
------------------------------------------------------------------------

List of Subjects for 10 CFR Part 73

    Criminal penalties, Exports, Hazardous materials transportation, 
Incorporation by reference, Imports, Nuclear energy, Nuclear materials, 
Nuclear power plants and reactors, Penalties, Reporting and 
recordkeeping requirements, Security measures.

    For the reasons set out in the preamble and under the authority of 
the Atomic Energy Act of 1954, as amended; the Energy Reorganization 
Act of 1974, as amended; and 5 U.S.C. 552 and 553, the NRC is adopting 
the following amendments to 10 CFR part 73.

PART 73--PHYSICAL PROTECTION OF PLANTS AND MATERIALS

1. The authority citation for part 73 continues to read as follows:

    Authority: Atomic Energy Act of 1954, secs. 53, 147, 149, 161, 
170D, 170E, 170H, 170I, 223, 229, 234, 1701 (42 U.S.C. 2073, 2167, 
2169, 2201, 2210d, 2210e, 2210h, 2210i, 2273, 2278a, 2282, 2297f); 
Energy Reorganization Act of 1974, secs. 201, 202 (42 U.S.C. 5841, 
5842); Nuclear Waste Policy Act of 1982, secs. 135, 141 (42 U.S.C. 
10155, 10161); 44 U.S.C. 3504 note.

    Section 73.37(b)(2) also issued under Sec. 301, Public Law 96-295, 
94 Stat. 789 (42 U.S.C. 5841 note).

2. In Sec.  73.8, revise paragraphs (b) and (c)(1) to read as follows:


Sec.  73.8  Information collection requirements: OMB approval.

* * * * *
    (b) The approved information collection requirements contained in 
this part appear in Sec. Sec.  73.5, 73.20, 73.21, 73.24, 73.25, 73.26, 
73.27, 73.37, 73.38, 73.40, 73.45, 73.46, 73.50, 73.54, 73.55, 73.56, 
73.57, 73.58, 73.60, 73.67, 73.70, 73.71, 73.72, 73.73, 73.74, 73.77 
and appendices B, C, and G to this part.
    (c) * * *
    (1) In Sec. Sec.  73.71 and 73.77, NRC Form 366 is approved under 
control number 3150-0104.
* * * * *

3. In Sec.  73.22, add a sentence to the end of paragraph (f)(3) to 
read as follows:


Sec.  73.22  Protection of Safeguards Information: Specific 
requirements.

* * * * *
    (f) * * *
    (3) * * * Cyber security event notifications required to be 
reported pursuant to Sec.  73.77 are considered to be extraordinary 
conditions.
* * * * *

4. In Sec.  73.54, add paragraph (d)(4) to read as follows:


Sec.  73.54  Protection of digital computer and communication systems 
and networks.

* * * * *
    (d) * * *
    (4) Conduct cyber security event notifications in accordance with 
the provisions of Sec.  73.77.
* * * * *

5. Add Sec.  73.77 to read as follows:

[[Page 67276]]

Sec.  73.77  Cyber security event notifications.

    (a) Each licensee subject to the provisions of Sec.  73.54 shall 
notify the NRC Headquarters Operations Center via the Emergency 
Notification System (ENS), in accordance with paragraph (c) of this 
section:
    (1) Within one hour after discovery of a cyber attack that 
adversely impacted safety-related or important-to-safety functions, 
security functions, or emergency preparedness functions (including 
offsite communications); or that compromised support systems and 
equipment resulting in adverse impacts to safety, security, or 
emergency preparedness functions within the scope of Sec.  73.54.
    (2) Within four hours:
    (i) After discovery of a cyber attack that could have caused an 
adverse impact to safety-related or important-to-safety functions, 
security functions, or emergency preparedness functions (including 
offsite communications); or that could have compromised support systems 
and equipment, which if compromised, could have adversely impacted 
safety, security, or emergency preparedness functions within the scope 
of Sec.  73.54.
    (ii) After discovery of a suspected or actual cyber attack 
initiated by personnel with physical or electronic access to digital 
computer and communication systems and networks within the scope of 
Sec.  73.54.
    (iii) After notification of a local, State, or other Federal agency 
(e.g., law enforcement, FBI, etc.) of an event related to the 
licensee's implementation of their cyber security program for digital 
computer and communication systems and networks within the scope of 
Sec.  73.54 that does not otherwise require a notification under 
paragraph (a) of this section.
    (3) Within eight hours after receipt or collection of information 
regarding observed behavior, activities, or statements that may 
indicate intelligence gathering or pre-operational planning related to 
a cyber attack against digital computer and communication systems and 
networks within the scope of Sec.  73.54.
    (b) Twenty-four hour recordable events. (1) The licensee shall use 
the site corrective action program to record vulnerabilities, 
weaknesses, failures and deficiencies in their Sec.  73.54 cyber 
security program within twenty-four hours of their discovery.
    (2) The licensee shall use the site corrective action program to 
record notifications made under paragraph (a) of this section within 
twenty-four hours of their discovery.
    (c) Notification process. (1) Each licensee shall make telephonic 
notifications required by paragraph (a) of this section to the NRC 
Headquarters Operations Center via the ENS. If the ENS is inoperative 
or unavailable, the licensee shall make the notification via a 
commercial telephone service or other dedicated telephonic system or 
any other methods that will ensure a report is received by the NRC 
Headquarters Operations Center within the timeframe. Commercial 
telephone numbers for the NRC Headquarters Operations Center are 
specified in appendix A to this part.
    (2) Notifications required by this section that contain Safeguards 
Information may be made to the NRC Headquarters Operations Center 
without using secure communications systems under the exception in 
Sec.  73.22(f)(3) for emergency or extraordinary conditions.
    (3) Notifications required by this section that contain Safeguards 
Information and/or classified national security information and/or 
restricted data must be made to the NRC Headquarters Operations Center 
using secure communications systems appropriate to the sensitivity/
classification level of the message. Licensees making these types of 
telephonic notifications must contact the NRC Headquarters Operations 
Center at the commercial numbers specified in appendix A to this part 
and request a transfer to a secure telephone.
    (i) If the licensee's secure communications capability is 
unavailable (e.g., due to the nature of the security event), the 
licensee must provide as much information to the NRC as is required by 
this section, without revealing or discussing any Safeguards 
Information and/or Classified Information, in order to meet the 
timeliness requirements of this section. The licensee must also 
indicate to the NRC that its secure communications capability is 
unavailable.
    (ii) Licensees using a non-secure communications capability may be 
directed by the NRC Emergency Response management to provide classified 
information to the NRC over the non-secure system, due to the 
significance of the ongoing security event. In such circumstances, the 
licensee must document this direction and any information provided to 
the NRC over a non-secure communications capability in the written 
security follow-up report required in accordance with paragraph (d) of 
this section.
    (4) For events reported under paragraph (a)(1) of this section, the 
NRC may request that the licensee maintain an open and continuous 
communication channel with the NRC Headquarters Operations Center.
    (5) Licensees desiring to retract a previous security event report 
that has been determined to not meet the threshold of a reportable 
event must telephonically notify the NRC Headquarters Operations Center 
and indicate the report being retracted and basis for the retraction.
    (6) Declaration of emergencies. Notifications made to the NRC for 
the declaration of an emergency class shall be performed in accordance 
with Sec.  50.72 of this chapter, as applicable.
    (7) Elimination of duplication. Separate notifications and reports 
are not required for events that are also reportable in accordance with 
Sec. Sec.  50.72 and 50.73 of this chapter. However, these 
notifications should also indicate the applicable Sec.  73.77 reporting 
criteria.
    (d) Written security follow-up reports. Each licensee making an 
initial telephonic notification of security events to the NRC according 
to the provisions of paragraphs (a)(1), (a)(2)(i), and (a)(2)(ii) of 
this section must also submit a written security follow-up report to 
the NRC within 60 days of the telephonic notification in accordance 
with Sec.  73.4.
    (1) Licensees are not required to submit a written security follow-
up report following a telephonic notification made under Sec.  
73.77(a)(2)(iii) or (a)(3).
    (2) Each licensee shall submit to the NRC written security follow-
up reports that are of a quality that will permit legible reproduction 
and processing.
    (3) Licensees shall prepare the written security follow-up report 
on NRC Form 366.
    (4) In addition to the addressees specified in Sec.  73.4, the 
licensee shall also provide one copy of the written security follow-up 
report addressed to the Director, Office of Nuclear Security and 
Incident Response, or the Director's designee. Any written security 
follow-up reports containing classified information shall be 
transmitted to the NRC Headquarters' classified mailing address as 
specified in appendix A to this part.
    (5) The written security follow-up report must include sufficient 
information for NRC analysis and evaluation.
    (6) Significant supplemental information which becomes available 
after the initial telephonic notification to the NRC Headquarters 
Operations Center or after the submission of the written security 
follow-up report must be telephonically reported to the NRC 
Headquarters Operations Center under paragraph (c) of this section and 
also submitted in a revised written security follow-up report (with the 
revisions indicated) as required under this section.
    (7) Errors discovered in a written security follow-up report must 
be corrected in a revised written security follow-up report with the 
revision(s) indicated.
    (8) The revised written security follow-up report must replace the 
previous written security follow-up report; the update must be complete 
and not be limited to only supplementary or revised information.
    (9) If the licensee subsequently retracts a telephonic notification 
made under this section as not meeting the threshold of a reportable 
event, and has not yet submitted a written security follow-up report 
then submission of a written security follow-up report is not required.
    (10) If the licensee subsequently retracts a telephonic 
notification made under this section as not meeting the threshold of a 
reportable event after it has submitted a written security follow-up 
report required by this paragraph, then the licensee shall submit a 
revised written security follow-up report in accordance with this 
paragraph.
    (11) Each written security follow-up report submitted containing 
Safeguards Information or Classified Information must be created, 
stored, marked, labeled, handled, and transmitted to the NRC according 
to the requirements of Sec. Sec.  73.21 and 73.22 or with part 95 of 
this chapter, as applicable.
    (12) Each licensee shall maintain a copy of the written security 
follow-up report of an event submitted under this section as a record 
for a period of three years from the date of the report or until the 
Commission terminates the license for which the records were developed, 
whichever comes first.

    Dated at Rockville, Maryland, this 23rd day of October, 2015.

    For the Nuclear Regulatory Commission.
Annette L. Vietti-Cook,
Secretary of the Commission.
[FR Doc. 2015-27855 Filed 10-30-15; 8:45 am]
BILLING CODE 7590-01-P

                                                  can view this document, as well as all                                                                        email to pdr.resource@nrc.gov. The
                                                  other documents of this Department                      10 CFR Part 73                                        ADAMS accession number for each
                                                  published in the Federal Register, in                                                                         document referenced (if it is available in
                                                                                                          [NRC–2014–0036]                                       ADAMS) is provided the first time that
                                                  text or Adobe Portable Document
                                                  Format (PDF). To use PDF you must                       RIN 3150–AJ37                                         it is mentioned in the SUPPLEMENTARY
                                                  have Adobe Acrobat Reader, which is                                                                           INFORMATION section.
                                                  available free at the site.                             Cyber Security Event Notifications                       • NRC’s PDR: You may examine and
                                                     You may also access documents of the                                                                       purchase copies of public documents at
                                                                                                          AGENCY:  Nuclear Regulatory
                                                  Department published in the Federal                                                                           the NRC’s PDR, Room O1–F21, One
                                                                                                          Commission.
                                                  Register by using the article search                                                                          White Flint North, 11555 Rockville
                                                                                                          ACTION: Final rule.
                                                  feature at: www.federalregister.gov.                                                                          Pike, Rockville, Maryland 20852.
                                                  Specifically, through the advanced                      SUMMARY: The U.S. Nuclear Regulatory                  FOR FURTHER INFORMATION CONTACT:
                                                  search feature at this site, you can limit              Commission (NRC) is adopting new                      Robert H. Beall, Office of Nuclear
                                                  your search to documents published by                   cyber security regulations that govern                Reactor Regulation, telephone: 301–
                                                  the Department.                                         nuclear power reactor licensees. This                 415–3874, email: Robert.Beall@nrc.gov,
                                                                                                          final rule codifies certain reporting                 U.S. Nuclear Regulatory Commission,
                                                    Dated: October 27, 2015.
                                                                                                          activities associated with cyber security             Washington, DC 20555–0001.
                                                  Arne Duncan,
                                                                                                          events contained in security advisories               SUPPLEMENTARY INFORMATION:
                                                  Secretary of Education.                                 issued by the NRC. This rule establishes
                                                                                                                                                                Table of Contents:
                                                    For the reasons discussed in the                      new cyber security event notification
                                                                                                          requirements that contribute to the                   I. Background
                                                  preamble, and under the authority of 5                                                                        II. Discussion
                                                  U.S.C. 301 and the authorities listed                   NRC’s analysis of the reliability and
                                                                                                                                                                III. Opportunities for Public Participation
                                                  below, the interim rule amending                        effectiveness of licensees’ cyber security            IV. Public Comment Analysis
                                                  chapter XXXIV of 2 CFR and subtitle A                   programs and plays an important role in               V. Section-by-Section Analysis
                                                  and chapter I of title 34 of the Code of                the continuing effort to provide high                 VI. Regulatory Flexibility Certification
                                                  Federal Regulations, which was                          assurance that digital computer and                   VII. Regulatory Analysis
                                                  published at 79 FR 75871 on December                    communication systems and networks                    VIII. Backfitting and Issue Finality
                                                  19, 2014, is adopted as a final rule with               are adequately protected against cyber                IX. Cumulative Effects of Regulation
                                                                                                          attacks, up to and including the design               X. Plain Writing
                                                  the following changes:                                                                                        XI. Environmental Assessment and Final
                                                                                                          basis threat.
                                                  Title 34—Education                                                                                                  Finding of No Significant Environmental
                                                                                                          DATES: Effective Date: This final rule is                   Impact
                                                  Subtitle A—Office of the Secretary,                     effective December 2, 2015. Compliance                XII. Paperwork Reduction Act
                                                  Department of Education                                 Date: Compliance with this final rule is              XIII. Congressional Review Act
                                                                                                          required by May 2, 2016, for those                    XIV. Criminal Penalties
                                                  PART 75—DIRECT GRANT                                    licensed to operate under parts 50 and                XV. Compatibility of Agreement State
                                                  PROGRAMS                                                52 of Title 10 of the Code of Federal                       Regulations
                                                                                                                                                                XVI. Availability of Guidance
                                                                                                          Regulations (10 CFR) and subject to                   XVII. Availability of Documents
                                                  ■ 1. The authority citation for part 75                 § 73.54.
                                                  continues to read as follows:                                                                                 I. Background
                                                                                                          ADDRESSES: Please refer to Docket ID
                                                    Authority: 20 U.S.C. 1221e–3 and 3474,                NRC–2014–0036 when contacting the                        On July 9, 2008, in SECY–08–0099,
                                                  unless otherwise noted.                                 NRC about the availability of                         ‘‘Final Rulemaking—Power Reactor
                                                  § 75.135   [Amended]                                    information for this action. You may                  Security Requirements’’ (Agencywide
                                                                                                          obtain publicly-available information                 Documents Access and Management
                                                  ■ 2. Section 75.135(b) is amended by                    related to this action by any of the                  System (ADAMS) Accession No.
                                                  removing ‘‘34 CFR 80.36(d)(1),’’ and                    following methods:                                    ML081650474), the NRC staff
                                                  adding in its place ‘‘2 CFR 200.320(b),’’.                 • Federal Rulemaking Web site: Go to               recommended the Commission approve
                                                  ■ 3. Section 75.263 is added to read as                 http://www.regulations.gov and search                 a final rule amending the NRC’s Power
asabaliauskas on DSK5VPTVN1PROD with RULES




                                                  follows.                                                for Docket ID NRC–2014–0036. Address                  Reactor Security Requirements. The
                                                                                                          questions about NRC dockets to Carol                  NRC staff also recommended removing
                                                  § 75.263 Pre-award costs; waiver of                     Gallagher; telephone: 301–415–3463;                   sections in the Power Reactor Security
                                                  approval.                                               email: Carol.Gallagher@nrc.gov. For                   Requirements rule on new and revised
                                                    A grantee may, notwithstanding any                    technical questions, contact the                      security notification requirements in
                                                  requirement in 2 CFR part 200, incur                    individuals listed in the FOR FURTHER                 § 73.71 and appendix G of part 73 of
                                                  pre-award costs as specified in 2 CFR                   INFORMATION CONTACT section of this                   title 10 of the Code of Federal
                                                  200.308(d)(1) unless—                                   document.                                             Regulations (10 CFR), ‘‘Reportable


                                             VerDate Sep<11>2014   17:39 Oct 30, 2015   Jkt 238001   PO 00000   Frm 00004   Fmt 4700   Sfmt 4700   E:\FR\FM\02NOR1.SGM   02NOR1


                                                                   Federal Register / Vol. 80, No. 211 / Monday, November 2, 2015 / Rules and Regulations                                          67265

                                                  Safeguards Events,’’ and placing them in                bifurcate the cyber security event                    against cyber attacks, up to and
                                                  a new proposed enhanced weapons                         notifications from the Enhanced                       including the design basis threat as
                                                  rulemaking. In SRM–SECY–08–099,                         Weapons rule due to delays resulting                  described in § 73.1. Cyber security event
                                                  dated December 17, 2008 (ADAMS                          from the Firearms Guidelines revision.                notification requirements will
                                                  Accession No. ML083520252), the                         The bifurcation would allow the NRC                   contribute to the NRC’s analysis of the
                                                  Commission approved the Power                           staff to prepare a separate final rule for            reliability and effectiveness of licensees’
                                                  Reactor Security final rule and the                     cyber security event notifications,                   cyber security programs and play an
                                                  bifurcation of the security notification                therefore avoiding any further delay                  important role in the continuing effort
                                                  requirements in § 73.71 and appendix G                  associated with the aforementioned                    to protect digital computer and
                                                  to 10 CFR part 73 to the new proposed                   Firearms Guidelines revision. In                      communication systems and networks
                                                  enhanced weapons rule.                                  addition, this action would supplement                associated with: Safety-related and
                                                     On June 27, 2010, in SECY–10–0085,                   the existing cyber security requirements              important-to-safety functions; security
                                                  ‘‘Proposed Rule: Enhanced Weapons,                      (i.e., § 73.54, ‘‘Protection of Digital               functions; emergency preparedness
                                                  Firearms Background Checks and                          Computer and Communication Systems                    functions, to include offsite
                                                  Security Event Notifications’’ (ADAMS                   and Networks’’) included in the 2009                  communications; and support systems
                                                  Accession No. ML101110121), the NRC                     power reactor security rule (76 FR 6199;              and equipment which, if compromised,
                                                  staff recommended delegating to the                     February 3, 2011).                                    would adversely impact safety, security,
                                                  Office of the Executive Director for                       As part of the 2011 proposed                       and emergency preparedness (SSEP)
                                                  Operations the authority to issue new                   enhanced weapons rule, the NRC                        functions. Notifications conducted and
                                                  cyber security notification changes in                  received comments on the proposed                     written reports generated by licensees
                                                  the proposed enhanced weapons rule                      cyber security event notification                     will be used by the NRC to respond to
                                                  for publication in the Federal Register,                requirements. Changes between the                     emergencies, monitor ongoing events,
                                                  as well as issue draft implementing                     proposed rule and this final cyber                    assess trends and patterns, identify
                                                  guidance on the proposed rule. On                       security event notifications rule reflect             precursors of more significant events,
                                                  October 19, 2010, in SRM–SECY–10–                       those public comments. Additionally,                  and inform other NRC licensees of cyber
                                                  0085, ‘‘Proposed Rule: Enhanced                         Draft Regulatory Guide (DG)–5019,                     security-related events, enabling them to
                                                  Weapons, Firearms Background Checks                     Revision 1, ‘‘Reporting and Recording                 take preemptive actions, if necessary
                                                  and Security Event Notifications’’                      Safeguards Events’’ (ADAMS Accession                  (e.g., increase their security posture). In
                                                  (ADAMS Accession No. ML102920342),                      No. ML100830413), was published for                   addition, timely notifications assist the
                                                  the Commission directed the NRC staff                   public comment on February 3, 2011 (76                NRC in achieving its strategic
                                                  to publish a proposed rule                              FR 6085). The portions of the DG related              communications mission by informing
                                                  implementing requirements for                           to cyber security event notifications                 the U.S. Department of Homeland
                                                  enhanced weapons, revised physical                      were also separated out from the                      Security (DHS) and Federal intelligence
                                                  security event notifications, and adding                original draft guide, and are now                     and law enforcement agencies of cyber
                                                  new cyber security event notifications.                 included in a new final regulatory guide              security-related events that could: (1)
                                                  This proposed rule was published in the                 (RG) (RG 5.83, ‘‘Cyber Security Event                 Endanger public health and safety or the
                                                  Federal Register for comment on                         Notifications,’’ ADAMS Accession No.                  common defense and security, (2)
                                                  February 3, 2011 (76 FR 6199). The                      ML14269A388). Changes between DG–                     provide information for threat-
                                                  public was provided a total of 180 days                 5019, Revision 1, and RG 5.83 reflect                 assessment processes, or (3) generate
                                                  to review and comment on the proposed                   public comment. This approach (i.e.,
                                                                                                                                                                public or media inquiries.
                                                  rule and associated guidance.                           publish draft guidance with proposed
                                                     In SECY–12–0125, ‘‘Interim Actions                   rules and final guidance with final                      The terrorist attacks of September, 11,
                                                  to Execute Commission Preemption                        rules) is consistent with the agency’s                2001, demonstrated that adversaries
                                                  Authority Under Section 161A of the                     efforts to incorporate enhancements in                were capable of simultaneously
                                                  Atomic Energy Act of 1954, as                           the rulemaking process to address                     attacking multiple sectors of critical
                                                  Amended,’’ dated September 20, 2012                     Cumulative Effects of Regulation (CER),               infrastructure. After those attacks, the
                                                  (ADAMS Accession No. ML12171A089),                      as approved by SRM—SECY–0032,                         NRC issued several Security Orders, as
                                                  the NRC staff reported their discussions                ‘‘Consideration of the Cumulative                     well as the Design Basis Threat (DBT)
                                                  with the U.S. Department of Justice on                  Effects of Regulation in the Rulemaking               final rule (72 FR 12705; March 19, 2007)
                                                  the need to revise the Firearms                         Process,’’ dated October 11, 2011                     and the Power Reactor Security final
                                                  Guidelines to limit the firearms                        (ADAMS Accession No. ML112840466).                    rule (74 FR 13926; March 27, 2009).
                                                  background check requirement to only                                                                          These Orders and final rules were steps
                                                  licensees that apply for preemption                     II. Discussion                                        taken by the NRC to ensure adequate
                                                  authority. Subsequently in SRM—                            The NRC is adding cyber security                   protection of the public health and
                                                  SECY–12–0125, dated November 12,                        event notification requirements for                   safety and common defense and
                                                  2012 (ADAMS Accession No.                               nuclear power reactor facilities. These               security. The DBT final rule, in § 73.1,
                                                  ML12326A653), the Commission                            additions are necessary because cyber                 ‘‘Purpose and Scope,’’ describes in
                                                  directed the NRC staff to revise the                    security event notification requirements              general terms the types of attacks
                                                  Firearms Guidelines accordingly, and                    were not included in the NRC’s final                  licensees must protect against in order
                                                  publish a supplemental proposed                         rule that added § 73.54, ‘‘Protection of              to prevent radiological sabotage and to
                                                  enhanced weapons rule for public                        Digital Computer and Communication                    prevent theft or diversion of strategic
asabaliauskas on DSK5VPTVN1PROD with RULES




                                                  comment as soon as possible.                            Systems and Networks,’’ to the NRC’s                  special nuclear material. An adversary
                                                     On December 20, 2013, in                             regulations (74 FR 13926; March 27,                   attribute included under the DBT for
                                                  COMSECY–13–0031, ‘‘Bifurcation of the                   2009). Section 73.54 requires power                   radiological sabotage is a cyber attack,
                                                  Enhanced Weapons, Firearms                              reactor licensees to establish and                    which is a type of attack that adversaries
                                                  Background Checks, and Security Event                   maintain a cyber security program that                could remotely launch against multiple
                                                  Notifications Rule’’ (ADAMS Accession                   provides high assurance that digital                  targets (i.e., nuclear power reactors)
                                                  No. ML13280A366), the NRC staff                         computer and communication systems                    simultaneously. The Power Reactor
                                                  informed the Commission of its plan to                  and networks are adequately protected                 Security final rule included specific


                                             VerDate Sep<11>2014   17:39 Oct 30, 2015   Jkt 238001   PO 00000   Frm 00005   Fmt 4700   Sfmt 4700   E:\FR\FM\02NOR1.SGM   02NOR1


                                                  67266            Federal Register / Vol. 80, No. 211 / Monday, November 2, 2015 / Rules and Regulations

                                                  requirements to provide high assurance                     On June 1, 2011, staff held a public               Energy Institute (NEI) on behalf of the
                                                  that digital computer and                               meeting to discuss the proposed                       nuclear power reactor licensees.
                                                  communication systems and networks                      Enhanced Weapons, Firearms
                                                                                                                                                                IV. Public Comment Analysis
                                                  are adequately protected against cyber                  Background Checks, and Security Event
                                                  attacks (§ 73.54). The addition of cyber                Notifications rulemaking, which                          The proposed enhanced weapons rule
                                                  security event notification requirements                included the cyber security event                     was published February 03, 2011 (76 FR
supplements § 73.54 by enabling the timely notification of potential and/or imminent cyber attacks directed against licensees. This allows for more timely assessment and dissemination of threat information, and improves the NRC's ability to respond and take the actions necessary to mitigate the adverse impacts of cyber attacks directed against licensees.

Separating the cyber security event notification requirements from the Power Reactor Security proposed rule narrowed the applicability to licensees subject to the requirements of § 73.54, which applies to operating nuclear power plants after the effective date of the final cyber security rule. Under the original proposed rule published on October 26, 2006 (71 FR 62664), cyber security event notifications were included with other event notifications (physical security, enhanced weapons, etc.), requiring a broader range of applicability (e.g., Fuel Cycle Facilities).

The NRC considered other options for licensees to report cyber attacks to the NRC. The NRC considered taking no additional regulatory action and relying upon the continuation of the voluntary reporting initiatives currently in place through security advisories. These voluntary reporting initiatives have allowed the NRC to identify certain cyber security-related events that might have had a negative impact upon licensees (e.g., vendor software updates containing malware) and have provided licensees with threat information that assists them in protecting against cyber security-related threats. However, the security advisories are not mandatory requirements and do not provide timeliness requirements (one-hour, four-hour, eight-hour), which can be instrumental in the NRC's ability to respond to cyber security-related events, to evaluate cyber security-related activities for threat implications, and to accomplish the agency's strategic communications mission.

III. Opportunities for Public Participation

A. Public and Stakeholder Meetings

As part of its comprehensive assessment of the NRC's cyber security event notification regulations and guidance development for this rule, the NRC staff held two meetings with internal and external stakeholders.

notification requirements. The meeting was in workshop format, and was held at the NRC Headquarters in Rockville, Maryland; it was attended by more than 50 people. Additional individuals participated in the meeting remotely through audio teleconferencing and webinar. Presenters at the meeting included NRC staff, the Bureau of Alcohol, Tobacco, Firearms and Explosives, and the Federal Bureau of Investigation (FBI). Since the NRC was not accepting public comments, the meeting was not transcribed; however, a meeting summary and the handouts from the meeting are available in ADAMS under Accession No. ML111720007.

The NRC staff also met with internal and external stakeholders on July 31, 2014. This public meeting was held to discuss the draft final rule implementation date for the cyber security event notification requirements. The public meeting was held at the NRC Headquarters in Rockville, Maryland, and was attended by six individuals in person and eight individuals remotely through audio teleconferencing and webinar. The NRC staff presented the current status of the draft final cyber security event notifications rule and the draft final implementation date. The NRC transcribed the meeting in order to capture public input on the draft final implementation date. The feedback from this meeting, as well as all the previous interactions, informed the NRC's schedule for the implementation of the new cyber security event notification requirements. The meeting summary, handouts, and a transcript of the meeting are available in ADAMS under Accession No. ML14240A404.

B. Opportunity for Public Comment

The proposed rule was published in the Federal Register on February 3, 2011 (76 FR 6199), and the public comment period closed on August 4, 2011. On the same day the NRC also published a separate notice requesting comment on DG–5019, Revision 1, "Reporting and Recording Safeguards Events." The NRC received a total of 14 submittals on the proposed rule and draft guidance relating to enhanced weapons, firearms background checks and security event notifications (which included cyber security event notifications). The majority of comments came from the Nuclear

6199), and the public comment period closed on August 4, 2011. On the same day the NRC also published a separate notice requesting comment on DG–5019, Revision 1, "Reporting and Recording Safeguards Events." The NRC received 14 submittals on the proposed rule and draft guidance. The NRC also received one comment on the proposed implementation date during the July 31, 2014, public meeting. Comments specific to cyber security event notifications in the proposed enhanced weapons rule and DG–5019, Revision 1, were identified and are addressed in this final rule. The comments specific to the proposed rule on Enhanced Weapons, Firearms Background Checks, and Security Event Notifications (76 FR 6200) are not addressed in this final rule and will be addressed in a subsequent rulemaking. In addition, certain event notification comments on the proposed rule that were generic (e.g., comments referring to four-hour notifications in general) are addressed for cyber security events in this final rule. The submittals containing comments specific to cyber security event notifications were consolidated into a single document (ADAMS Accession No. ML14226A596) that assigns the comment designators (e.g., NEI–155) used in this final rule. In the proposed rule and draft guidance, the cyber security event notifications were aligned with physical security event notifications, with a focus on compensated and uncompensated events. However, based on public comments, the final rule and regulatory guidance now align more closely with § 73.54, with a focus on adverse impacts to SSEP functions.

A. Public Comments on Proposed Rule

Comment 1: One commenter stated that neither § 73.71 nor appendix G to 10 CFR part 73 contains an effective date for cyber security reporting requirements, and recommended that the reporting requirements align with the date the cyber security plan becomes effective. [NEI–155]

Response: The NRC disagrees with this comment. Notification of a cyber security event is necessary to assist the NRC in assessing and evaluating issues with potential cyber security-related implications in a timely manner, determining the significance and credibility of the identified issue(s), and providing recommendations and/or

[[Page 67267]]

courses of action to NRC management. Currently, licensees are reporting certain cyber security events voluntarily to the NRC. However, because this is done voluntarily, certain cyber security events might not be reported to the NRC in a timely manner, or might not be reported at all. The cyber security event notifications final rule removes the voluntary aspects of reporting certain cyber security events, provides regulatory stability, and ensures the NRC is notified in a timely manner.

Prompt notification of a cyber attack could be vital to the NRC's ability to take immediate action in response to a cyber attack and, if necessary, to notify other NRC licensees, Government agencies, and critical infrastructure facilities, to defend against a multiple-sector (e.g., energy, financial, etc.) cyber attack. Like the attacks of September 2001, a cyber attack has the capability to be launched against multiple targets simultaneously or to spread quickly throughout multiple sectors of critical infrastructure. In light of these potential consequences, the NRC does not want to delay the implementation of the cyber security event notification final rule to match the effective date of each licensee's cyber security plan (i.e., Milestone 8), because those cyber security plans may not be fully effective for several years.

The final rule will become effective 30 days after publication in the Federal Register. The compliance date will be 180 days after publication (consistent with the implementation schedule described in the proposed rule) to allow licensees time to revise their event notification procedures and train personnel on event notifications specific to cyber security (i.e., identification, reporting). The cyber security event notification final rule is consistent with existing notification processes (i.e., §§ 50.72 and 73.71) and aligns closely with § 73.54 (e.g., adverse impacts to SSEP functions) as well as with current voluntary reporting activities associated with cyber security, and therefore requires less time for implementation. In addition, the cyber security event notification final rule complements the implementation of Milestones 1 through 7. For example, the identification of critical systems and critical digital assets (Milestone 2), the implementation of a deterministic one-way device (Milestone 3), and access controls for portable media devices (Milestone 4) are all programs that, when properly implemented and maintained, should identify and mitigate adverse impacts to SSEP functions. The cyber security event notification final rule requires licensees to notify the NRC when a cyber attack caused or could have caused an adverse impact to SSEP functions. These factors, along with the importance of the NRC strategic communications mission of informing the DHS and Federal intelligence and law enforcement agencies of cyber security-related events that could: 1) endanger public health and safety or the common defense and security, 2) provide information for threat-assessment processes, or 3) generate public or media inquiries, support the need for the 180-day implementation schedule.

Comment 2: One commenter indicated that critical digital assets (CDAs) that are not part of a target set should not have the same sensitivity as those CDAs that are contained within a target set. [NEI–156]

Response: The NRC disagrees with this comment. The NRC staff has recognized that a graded approach to the controls required for CDAs is warranted based on the ability to detect and mitigate the consequences of a cyber attack. However, the cyber security event notification requirements focus on events that have or could have an adverse impact to SSEP functions, and thereby incorporate consideration of the protections that prevent successful cyber attacks. Therefore, the notification requirements cover all CDAs and critical systems within the scope of § 73.54, which includes: safety-related and important-to-safety functions; security functions; emergency preparedness functions, including offsite communications; and support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.

Comment 3: Two commenters recommended that the four-hour notification events should be incorporated into the eight-hour notification events, thereby eliminating the four-hour notification events. One commenter specifically recommended that suspicious events be moved from four-hour to eight-hour notifications. [NEI–17, 161, Hardin-2]

Response: The NRC agrees in part with this comment. The NRC agrees that suspicious cyber security events (i.e., activities that may indicate intelligence gathering or pre-operational planning related to a cyber attack) should be moved from four-hour notifications to eight-hour notifications. However, notification of events that have also been reported to a local, State, or other Federal agency is consistent with existing NRC regulations at § 50.72(b)(2)(xi). In addition, the unsuccessful cyber attack notification has been clarified to align more closely with § 73.54: it addresses cyber attacks that could have caused an adverse impact to SSEP functions and remains a four-hour notification so that the NRC can conduct additional notifications as appropriate (e.g., to other NRC licensees, Federal law enforcement agencies, and the intelligence community) to mitigate the effects of a widespread cyber attack, or use the information as part of the National threat assessment process. Furthermore, unauthorized operation and tampering events have been clarified to address suspected or actual cyber attacks initiated by personnel with physical or electronic access, and were moved in the final rule to four-hour notifications due to the implications of an internal threat. Accordingly, the NRC has revised the rule language and associated guidance consistent with this approach to address the broader recommendation of aligning more closely with § 73.54.

Comment 4: One commenter suggested adding the word "significant" in front of cyber security events. [NEI–167]

Response: The NRC disagrees with this comment. Prefacing the phrase "cyber security events" with "significant" does not add clarity to the rule. The NRC is requiring only those cyber security events associated with actual or potential adverse impacts to be reported. The NRC has changed the rule text and associated guidance to align more closely with § 73.54 and to distinguish cyber security events by whether an adverse impact to SSEP functions has occurred (or not) as a result of a cyber attack.

Comment 5: One commenter suggested removing the requirement in appendix G of 10 CFR part 73 regarding the recording of events in a safeguards event log. The commenter suggested licensees use the corrective action program instead of using a separate log. [NEI–18, 194, 202]

Response: The NRC agrees with this comment. The cyber security plan for each licensee describes the use of the corrective action program to track, trend, correct, and prevent recurrence of cyber security failures and deficiencies. Therefore, the cyber security event notification rule text (§ 73.77) has been revised to require licensees to use their corrective action program to record vulnerabilities, weaknesses, failures and deficiencies in their cyber security program. Regulatory Guide 5.83 has also been revised to reflect this change.

Comment 6: The NRC received a comment regarding the use of the term "compensatory" in the context of cyber security, stating that the term is unclear and is not defined in the two cyber security plan (CSP) templates, Appendix A of RG 5.71 and Appendix A of NEI 08–09. [NEI–153, 165]

[[Page 67268]]

Response: The NRC agrees with this comment. The term "compensatory" is not defined in either CSP template or in other NRC guidance related to cyber security. Based on public comments, the NRC has developed a different approach for determining cyber security event notifications, one that is based on whether the cyber attack caused an adverse impact (or not) to SSEP functions. The final rule and RG 5.83 have been revised to reflect this new approach.

Comment 7: The NRC received one comment pertaining to the use of the term "uncompensated" in the context of cyber security, stating that the term is unclear and is not defined within the CSP. In addition, one of the commenters also stated that the term "failure" in the context of cyber security required clarification. [NEI–164, 207]

Response: The NRC agrees with this comment. The terms "uncompensated" and "failure" have been removed from the final rule language. Based on public comments, the NRC has developed a different approach for determining cyber security event notifications, one that is based on whether the cyber attack or event caused an adverse impact (or not) to SSEP functions. Regulatory Guide 5.83 has been revised to reflect this new approach.

Comment 8: One commenter proposed changes to the rule language, paragraph I.(h)(1) in appendix G of 10 CFR part 73, adding the terms "credible," "malicious," and "radiological sabotage" to add clarity. The commenter recommended rewriting the event to add in part, "a credible threat to commit or cause a malicious act to modify, destroy, or compromise

protective strategies required by § 73.54(c)(2). [NEI–158]

Response: The NRC agrees with this comment. The NRC evaluated the proposed rule language and determined that the items to be reported under this section are duplicative. Based on public comments, the NRC developed a different approach for determining cyber security event notifications, one based on whether the cyber attack caused an adverse impact (or not) to SSEP functions. Regulatory Guide 5.83 has been revised to reflect this approach.

Comment 10: One commenter proposed language for paragraph I.(c)(1) in appendix G of 10 CFR part 73 to report only instances of suspicious or surveillance activity or attempts to access systems, networks, or equipment that are within the scope of § 73.54. Additionally, the commenter recommended deleting proposed language that would include reporting of additional types of events like potential tampering or potential destruction of networks, systems, or equipment. [NEI–159]

Response: The NRC disagrees with this comment. The commenter's reference to paragraph I.(c)(1) in appendix G of 10 CFR part 73 appears to be misquoted; the changes proposed by the commenter would amend paragraph II.(c)(1) in appendix G. The NRC believes that surveillance activities are captured within activities that indicate intelligence gathering or pre-operational planning and should be reported, and has made appropriate changes to this final rule. The NRC has clarified and relocated this requirement to the eight-hour notifications, now

impacts to SSEP functions). This revised requirement is designated as § 73.77(a)(2)(i). Regulatory Guide 5.83 has been revised to reflect this change.

Comment 12: One commenter proposed changes to paragraph III in appendix G of 10 CFR part 73 to clarify the language under eight-hour reportable events to be consistent with § 73.54(c)(1), which implements security controls to protect CDAs and critical systems from cyber attacks. [NEI–162]

Response: The NRC agrees in part with this comment. Based on public comments, the NRC developed an approach that aligns more closely with § 73.54. The implementation of security controls to protect CDAs from cyber attacks as described in § 73.54(c)(1) is designed to prevent adverse impacts to SSEP functions. Therefore, in the final rule, a cyber attack that adversely impacted SSEP functions requires notification within one hour after discovery, and cyber attacks that could have caused an adverse impact to SSEP functions require notification within four hours after discovery, due to the potential consequences of these events. Regulatory Guide 5.83 has been revised to reflect this new approach.

Comment 13: One commenter recommended adding "that would" to a proposed 24-hour recordable event provision in paragraph IV.(a)(2) in appendix G of 10 CFR part 73. Specifically, the commenter recommended that the proposed appendix G provision regarding compensated security events state in part as follows:

(a) Any failure, degradation, or discovered vulnerability in a safeguards system, had
                                                  any systems, networks, or equipment                     designated as § 73.77(a)(3).                          compensatory measures not been established,
                                                  that falls within the scope of 10 CFR                   Additionally, the NRC moved the                       that could . . . (2) Degrade the effectiveness
                                                  73.54 of this part where a compromise                   reporting of potential tampering, or                  of the licensee’s or certificate holder’s cyber
                                                  of these systems has resulted or could                  potential destruction of networks,                    security program that would allow
                                                  result in radiological sabotage.’’ [NEI–                systems or equipment from this                        unauthorized or undetected access to any
                                                  157, 206]                                               requirement and they are now captured                 systems, networks, or equipment that fall
                                                     Response: The NRC disagrees with                     under § 73.77(a)(1), (a)(2)(i), and                   within the scope of § 73.54 of this part.
                                                  this comment. Based on public                           (a)(2)(ii) of this final rule.                        The commenter stated that this re-
                                                  comments, the NRC developed a                              Comment 11: One commenter                          worded provision would better align
                                                  different approach for determining                      indicated that paragraph I.(c)(2) in                  with another proposed provision in
                                                  cyber security event notifications, one                 appendix G of 10 CFR part 73 in the                   paragraph I.(h)(2) in appendix G of 10
                                                  that is based on whether a cyber attack                 proposed rule text should be completely               CFR part 73. [NEI–163]
                                                  caused an adverse impact (or not) to                    removed because it duplicates other                     Response: The NRC disagrees with
                                                  SSEP functions. This approach aligns                    proposed rule text. [NEI–160]                         this comment. Adding the words, ‘‘that
                                                  more closely with § 73.54 and the terms                    Response: The NRC agrees in part,                  would’’ to the rule text changes the
                                                  ‘‘credible,’’ ‘‘malicious,’’ and                        with this comment. The commenter’s                    context of the type of events that are
                                                  ‘‘radiological sabotage’’ are not needed                reference to paragraph I.(c)(2) in                    required to be recorded. However, based
asabaliauskas on DSK5VPTVN1PROD with RULES




                                                  to provide clarity under this approach.                 appendix G of 10 CFR part 73 appears                  on other public comments, the NRC re-
                                                  Regulatory Guide 5.83 has been revised                  to be misquoted. The changes proposed                 evaluated the 24-hour recordable events
                                                  to reflect this new approach.                           by the commenter would amend                          for cyber security event notifications
                                                     Comment 9: One commenter                             paragraph II.(c)(2) in appendix G. The                and developed an approach that aligns
                                                  proposed revising the proposed rule                     final rule text has been revised to                   more closely with the CSP
                                                  language in paragraph I.(h)(2) in                       remove all duplicative language and is                requirements. Under this approach, as
                                                  appendix G of 10 CFR part 73 to include                 aligned more closely with the                         reflected in the new § 73.77(b)(1)
                                                  language regarding the defense-in-depth                 requirements in § 73.54 (i.e., adverse                provision being added as part of this


                                             VerDate Sep<11>2014   17:39 Oct 30, 2015   Jkt 238001   PO 00000   Frm 00008   Fmt 4700   Sfmt 4700   E:\FR\FM\02NOR1.SGM   02NOR1


                                                                   Federal Register / Vol. 80, No. 211 / Monday, November 2, 2015 / Rules and Regulations                                          67269

                                                  final rule, licensees will be required to               been revised to reflect this new                      actual threat should be ‘‘eight-hour
                                                  use their corrective action program to                  approach.                                             notifications.’’ [NEI–22, 33]
                                                  record vulnerabilities, weaknesses,                        Comment 16: One commenter                             Response: The NRC disagrees with
                                                  failures, and deficiencies in their cyber               proposed rule language in paragraph                   this comment. Based on public
                                                  security program within twenty-four                     I.(h)(2) in appendix G of 10 CFR part 73              comments, the NRC developed a
                                                  hours of their discovery. Regulatory                    that would change events that ‘‘could’’               different approach for determining
                                                  Guide 5.83 has been updated to reflect                  allow unauthorized or undetected                      cyber security event notifications, one
                                                  this change.                                            access into systems, networks, or                     that is based on whether a cyber attack
                                                     Comment 14: One commenter                            equipment to events that ‘‘would’’ allow              caused an adverse impact (or not) to
                                                  recommended revising the proposed                       unauthorized or undetected access into                SSEP functions. Cyber attacks that
                                                  rule language to align exactly with the                 systems, networks, or equipment. [NEI–                adversely impacted SSEP functions are
                                                  rule language in § 73.54(a)(2), which                   170]                                                  now one-hour notifications. Cyber
                                                  discusses protecting digital assets from                   Response: The NRC disagrees with                   attacks that could have caused an
                                                  cyber attacks that would adversely                      this comment, but has, for other reasons,             adverse impact to SSEP functions are
                                                  impact the operations of SSEP                           revised the requirement in the final rule.            now four-hour notifications, and
                                                  functions. Specifically, the commenter                  The objective of this reporting                       activities that may indicate intelligence
                                                  notes that the reporting rule text uses                 requirement is not to have licensees                  gathering or pre-operational planning
                                                  the word ‘‘could’’ instead of ‘‘would.’’                confirm with the NRC that a cyber                     related to a cyber attack are now eight-
                                                  [NEI–168]                                               attack has occurred. Rather, the                      hour notifications.
                                                     Response: The NRC agrees in part,                    objective is to report conditions in                     Comment 20: One commenter
                                                  with this comment. The NRC agrees that                  which such an attack could have                       recommended adding the word
                                                                                                          occurred. The NRC continues to believe                ‘‘malevolent’’ to proposed requirements
                                                  the reporting rule text should align more
                                                                                                          that licensees should report events or                describing an unauthorized operation or
                                                  closely with § 73.54. However, the NRC
                                                                                                          circumstances that could have resulted                tampering event to rule out human error
                                                  disagrees with changing the word
                                                                                                          in undetected or compromised                          events. [NEI–31, 48]
                                                  ‘‘could’’ to ‘‘would,’’ because these
                                                                                                          conditions at the facility. However, the                 Response: The NRC disagrees with
                                                  words are correctly used in their
                                                                                                          NRC staff evaluated the language in the               this comment. The word ‘‘malevolent’’
                                                  respective rules. Section 73.54
                                                                                                          proposed rule and determined that                     is unnecessary because, under the new
                                                  addresses hypothetical future cyber
                                                                                                          items reported under this section were                approach, notification of such events is
                                                  attacks that must be protected against,
                                                                                                          duplicative and therefore removed this                not based on the intent of the act, but
                                                  while this rule describes notifications
                                                                                                          requirement from the final rule text.                 based on the potential consequences of
                                                  that licensees are required to issue after
                                                                                                          Regulatory Guide 5.83 was revised to                  the event (i.e., adverse impact (or not) to
                                                  an event has already occurred. Further,
                                                                                                          reflect this change.                                  SSEP functions). No change has been
                                                  there are different types of cyber attacks                 Comment 17: One commenter                          made to the final rule based on this
                                                  that licensees are required to report.                  recommended four and eight-hour                       comment.
                                                  One type of attack required to be                       notifications be consolidated into                       Comment 21: One commenter
                                                  reported is a cyber attack that adversely               ‘‘within 24-hours’’ to mitigate event                 recommended clarifying requirements
                                                  impacted SSEP functions. This type of                   reporting violations. [B&W–30]                        regarding law enforcement interactions.
                                                  attack is to be reported within one-hour                   Response: The NRC disagrees with                   The commenter recommended that
                                                  after discovery. Another type required                  this comment. The four and eight-hour                 notifications that could result in public
                                                  to be reported is a cyber attack that                   notifications include cyber attacks and               or media inquiries should not duplicate
                                                  could have caused an adverse impact to                  activities (i.e., precursors to an attack)            notifications made under other NRC
                                                  SSEP functions; this type of attack is to               where the timeliness of information                   regulations such as § 50.72(b)(2)(xi).
                                                  be reported within four-hours after                     allows the NRC to conduct additional                  [NEI–35]
                                                  discovery. The NRC has revised RG 5.83                  notifications (to DHS, other NRC                         Response: The NRC agrees with this
                                                  to reflect this new approach that aligns                licensees), assists the Federal                       comment. The final rule has been
                                                  more closely with § 73.54 regarding                     Government and/or other NRC licensees                 revised to eliminate duplication of
                                                  adverse impacts to SSEP functions.                      to take mitigative measures to prevent a              notifications made under other NRC
                                                     Comment 15: One commenter                            widespread cyber attack, and allows the               regulations. Regulatory Guide 5.83 has
                                                  proposed deleting the requirement in                    NRC to respond to public and/or media                 been revised to reflect this change.
                                                  paragraph II.(c)(2) in appendix G of 10                 inquiries. In addition, notifications to a               Comment 22: One commenter
                                                  CFR part 73 because the commenter                       local, State or other Federal agency is               recommended clarification regarding
                                                  believes it is duplicated in paragraph                  consistent with existing NRC                          retraction of reports determined later to
                                                  I.(h)(2) in appendix G. [NEI–169]                       regulations at § 50.72(b)(2)(xi).                     be invalid. The commenter stated that
                                                     Response: The NRC agrees that the                       Comment 18: One commenter                          the notification may not be invalid, but
                                                  proposed paragraph II.(c)(2) in appendix                recommended clarification on cyber                    later be determined it does not meet the
                                                  G of 10 CFR part 73 is similar to                       security event notification requirements              threshold of a one-, four-, or eight-hour
                                                  paragraph I.(h)(2) in appendix G;                       regarding exclusion of licensees not                  notification (i.e., recordable event).
                                                  therefore, the NRC has revised the final                subject to § 73.54. [NFS–11, 12]                      [NEI–40]
                                                  rule to make it clear exactly what types                   Response: The NRC agrees with this                    Response: The NRC agrees with this
                                                  of cyber attacks are reported to the NRC.               comment. The final rule text was                      comment. The final rule and RG 5.83
asabaliauskas on DSK5VPTVN1PROD with RULES




                                                  Specifically, the final rule language                   revised and clarified to only apply to                have been revised to clarify that
                                                  reflects a different approach for                       licensees subject to the provisions of                retraction of reports can include valid
                                                  determining cyber security event                        § 73.54.                                              reports which later do not meet the
                                                  notifications, eliminates duplicative                      Comment 19: One commenter                          threshold of a one-, four-, or eight-hour
                                                  requirements, and provides clarity                      recommended that ‘‘one-hour                           notification.
                                                  based on whether the attack caused an                   notifications’’ should be related to a                   Comment 23: One commenter
                                                  adverse impact (or not) to SSEP                         specific threat or attempted threat to the            recommended adding the term
                                                  functions. Regulatory Guide 5.83 has                    facility, and events that do not pose an              ‘‘malicious intent’’ to each of the eight-


                                             VerDate Sep<11>2014   17:39 Oct 30, 2015   Jkt 238001   PO 00000   Frm 00009   Fmt 4700   Sfmt 4700   E:\FR\FM\02NOR1.SGM   02NOR1


                                                  67270            Federal Register / Vol. 80, No. 211 / Monday, November 2, 2015 / Rules and Regulations

                                                  hour reportable events regarding                        ‘‘could,’’ ‘‘likelihood,’’ and ‘‘likely to’’          in the process, staff determined that
                                                  unauthorized operation or tampering                     from DG–5019. [NEI–21, 166]                           item bb.(4) was no longer required.
                                                  events. [NEI–53, 112]                                      Response: The NRC disagrees with                      Comment 6: One commenter
                                                     Response: The NRC disagrees with                     this comment. The use of the terms                    recommended moving section 2.3.2,
                                                  this comment. The term ‘‘malicious                      ‘‘could,’’ ‘‘likelihood,’’ and ‘‘likely to’’          item bb.(5), (one-hour notification
                                                  intent’’ is unnecessary because, under                  within DG–5019 is consistent with                     examples) to section 2.6.2 (eight-hour
                                                  the new approach, notification of such                  existing NRC reporting guidelines                     notification examples) in DG–5019
                                                  events is not based on the intent of the                (NUREG–1022, ‘‘Event Report                           regarding cyber attacks thwarted by
                                                  act, but based on the potential                         Guidelines for 10 CFR 50.72 and 50.73’’               security controls. [NEI–175]
                                                  consequences of the event (i.e., adverse                (ADAMS Accession No.                                     Response: The NRC disagrees with
                                                  impact (or not) to SSEP functions).                     ML13032A220)).                                        this comment, yet has, for other reasons,
                                                     Comment 24: One commenter                               Comment 2: One commenter                           removed this material from the final
                                                  recommended that cyber attack                           proposed revising section 2.3.2, item r,              guidance. The final guidance reflects
                                                  reporting needs to be synchronized with                 of DG–5019 to include, ‘‘Confirmed                    changes made to the final rule that
                                                  NEI 08–09 and RG 5.71 to ensure                         cyber attacks on computer systems that                aligns more closely with § 73.54 (i.e.,
                                                  reporting criteria are well-defined.                    adversely affected safety, security, and              adverse impacts to SSEP functions), and
                                                  [NEI–69]                                                emergency preparedness systems are                    in the process, staff determined that
                                                     Response: The NRC agrees with this                   reportable’’ instead of, ‘‘may adversely              item bb.(5) was no longer required.
                                                  comment. The final rule reflects an                     affect’’ and removing item aa of section                 Comment 7: One commenter
                                                  approach that aligns more closely with                  2.3.2 due to redundancy. [NEI–171]                    proposed removing the terms
                                                  § 73.54 and RG 5.71 and provides                           Response: The NRC agrees with this                 ‘‘unauthorized software’’ and
                                                  additional clarity on cyber security                    comment. The staff evaluated both items               ‘‘firmware’’ from section 2.3.2, item cc,
                                                  event notification criteria (i.e., adverse              in section 2.3.2 of DG–5019 and revised               because of redundancy with the term
                                                  impact to SSEP functions). Regulatory                   RG 5.83 to reflect the proposed changes.              malware. [NEI–176]
                                                  Guide 5.83 has also been revised to                        Comment 3: One commenter                              Response: The NRC disagrees with
                                                  reflect this new approach.                              proposed revising section 2.3.2, item                 this comment, but for other reasons, the
                                                     Comment 25: One commenter                            bb.(2), of DG–5019 to include the word                guidance has been revised. There is a
                                                  recommended deleting the requirements                   ‘‘cyber’’ before security program and                 difference between malware, and
                                                  and guidance for written follow-up                      security measures. [NEI–172]                          unauthorized software, or firmware, and
                                                  reports on several reporting events (four                  Response: The NRC agrees with this                 therefore there is no redundancy.
                                                  and eight-hour notifications). [NEI–117]                comment, yet has, for other reasons                   However, the staff re-evaluated the
                                                     Response: The NRC disagrees with                     removed this material from the final                  language and determined the example is
                                                  this comment. Submission of written                     guidance. The final guidance reflects                 not consistent with § 73.54 and RG 5.71.
                                                  follow-up reports is consistent with                    changes made to the final rule that                   Therefore, the example was not
                                                  existing NRC regulations and provides                   aligns more closely with § 73.54 (i.e.,               included in RG 5.83.
                                                  the NRC with information that may not                   adverse impacts to SSEP functions), and                  Comment 8: One commenter
                                                  have been available at the time of the                  in the process, the NRC staff determined              proposed changes to section 2.3.2, item
                                                  notification.                                           that item bb.(4) was no longer required.              dd, of DG–5019 where the result was
                                                     Comment 26: One commenter                               Comment 4: One commenter                           changed from compromising the CDA to
                                                  recommended that the final rule require                 proposed revising section 2.3.2, item                 an adverse impact to SSEP functions.
licensees to notify their local FBI Joint Terrorism Task Force (JTTF) of suspicious events as contained in voluntary guidance documents and eliminate or reduce the timeliness of reporting such events to the NRC. [Hardin-3]

   Response: The NRC disagrees with this comment. The reporting of events to the FBI JTTF is voluntary and as such, does not have a timeliness requirement. This final rule requires notification to the NRC within a stated time for activities that may indicate intelligence gathering or pre-operational planning related to a cyber attack. Notifications of activities that may indicate intelligence gathering or pre-operational planning related to a cyber attack will be evaluated and forwarded as appropriate by the NRC to federal law enforcement agencies and the intelligence community as part of the National threat assessment process.

B. Public Comments on Draft Guide-5019

   Comment 1: One commenter proposed removing the terms such as

bb.(3), of DG–5019 to state that events caused inadvertently by an individual and not resulting in a threat to facility security, would be a recordable event, and events caused by a cyber attack resulting in an adverse impact to SSEP functions would be a one-hour reportable event. [NEI–173]

   Response: The NRC agrees with this comment. The item was revised in RG 5.83 to distinguish recordable inadvertent non-threatening events from those cyber attacks causing adverse impacts, which are one-hour notifications.

   Comment 5: One commenter recommended moving section 2.3.2, item bb.(4) from (one-hour notification examples) to section 2.6.2 (eight-hour notification examples) in DG–5019 regarding attempts by unauthorized persons. [NEI–174]

   Response: The NRC disagrees with this comment, yet has, for other reasons, removed this material from the final guidance. The final guidance reflects changes made to the final rule that align more closely with § 73.54 (i.e., adverse impacts to SSEP functions), and

[NEI–177]

   Response: The NRC agrees with the proposed changes to the item; however, due to changes in the final rule language, this item was clarified and moved to a four-hour notification example within RG 5.83.

   Comment 9: One commenter recommended removing section 2.3.2, item ee, of DG–5019, because there are no NRC regulations covering "sensitive cyber security data." [NEI–178]

   Response: The NRC agrees with this comment. The item has been removed from RG 5.83.

   Comment 10: One commenter recommended clarifying section 2.3.2, item ff, of DG–5019, and proposed the term "cyber intrusion detection capability" instead of the term "cyber intrusion detection system." [NEI–179]

   Response: The NRC disagrees with this comment, yet has, for other reasons, removed this material from the final guidance. The item was not included in RG 5.83 because it was not consistent with § 73.54 and RG 5.71.

   Comment 11: One commenter recommended section 2.3.2, item hh, of

asabaliauskas on DSK5VPTVN1PROD with RULES


                                             VerDate Sep<11>2014   17:39 Oct 30, 2015   Jkt 238001   PO 00000   Frm 00010   Fmt 4700   Sfmt 4700   E:\FR\FM\02NOR1.SGM   02NOR1


                                                                   Federal Register / Vol. 80, No. 211 / Monday, November 2, 2015 / Rules and Regulations                                           67271

DG–5019 be revised to be consistent with § 73.54(a)(2) by removing the term uncompensated. [NEI–181]

   Response: The NRC disagrees with this comment, yet has, for other reasons, removed this material from the final guidance. The staff reviewed the item and determined it was not consistent with 10 CFR 73.54 and RG 5.71 and removed it from RG 5.83.

   Comment 12: The NRC received several comments regarding redundant material within section 2.3.2, item hh, of DG–5019. [NEI–180, 182, 185]

   Response: The NRC agrees with this comment. Staff removed items gg, ii and ll from section 2.3.2 in RG 5.83 because they were redundant with item hh regarding unauthorized access to CDAs.

   Comment 13: One commenter recommended moving section 2.3.2, item jj, of DG–5019 from the one-hour notification examples to the four-hour notification examples in section 2.5.2 regarding discovery of falsified identification badges. [NEI–183]

   Response: The NRC agrees in part with this comment, that the item should be moved. However, under the new approach, this item is consistent with eight-hour notifications (i.e., activities that may indicate intelligence gathering or pre-operational planning related to a cyber attack) and was moved in final guidance to the eight-hour notification examples.

   Comment 14: One commenter recommended revising section 2.3.2, item kk, of DG–5019 replacing the term "could" with "would." [NEI–184]

   Response: The NRC disagrees with this comment, yet has, for other reasons, removed this material from the final guidance. The NRC staff re-evaluated this item, determined it was not consistent with the final rule, and deleted it from RG 5.83.

   Comment 15: One commenter recommended removing section 2.3.2, item mm, of DG–5019 because it duplicates 2.3.2, item y, regarding safeguards reporting requirements. [NEI–186]

   Response: The NRC agrees with this comment. The item has been removed from RG 5.83.

   Comment 16: One commenter recommended removing section 2.3.2, item nn, of DG–5019 because there are no NRC requirements for maintaining cyber security response personnel staffing levels. [NEI–187]

   Response: The NRC agrees with this comment. The item has been removed from RG 5.83.

   Comment 17: One commenter recommended revising section 2.3.2, item oo, of DG–5019 to change the phrase, "could increase the likelihood of an attempted attack" to the phrase, "would result in an attack." [NEI–188]

   Response: The NRC disagrees with this comment, yet has, for other reasons, revised this material in the final guidance. This item has been revised in RG 5.83 to include any event that allows unauthorized or undetected access to a CDA that could be exploited in an attack to be reported within four hours of discovery.

   Comment 18: One commenter recommended adding new examples to sections 2.3.2 and 2.5.2 of DG–5019. One example (section 2.3.2) involved discovery of unauthorized user IDs and unauthorized configurations to cyber controls (e.g., firewall port opening, etc.). The other example (section 2.5.2) involved unauthorized attempts to probe CDAs including the use of social engineering techniques. [NEI–189, 190]

   Response: The NRC agrees with the examples provided, and based on final rule text changes (cyber attacks initiated by personnel with physical or electronic access and activities that may indicate pre-operational planning), these items were included in RG 5.83.

   Comment 19: One commenter recommended revising section 2.5.2, item kk, of DG–5019 to include the word cyber before the term security controls. [NEI–191]

   Response: The NRC agrees with this comment. The item was revised in RG 5.83 to include the word cyber before security controls.

   Comment 20: One commenter recommended removing section 2.5.2, item mm, of DG–5019 because it is redundant to section 2.5.2, item kk. [NEI–192]

   Response: The NRC agrees with this comment. The item has been removed from RG 5.83.

   Comment 21: One commenter recommended revising section 2.5.2, item oo, of DG–5019 to add Levels 3 and 4 to the description so the item is consistent with the definition provided in the glossary for a CDA. [NEI–193]

   Response: The NRC disagrees with this comment, but for other reasons has revised the final guidance. The definition of a CDA in RG 5.83 was revised for consistency with the definition provided in RG 5.71.

   Comment 22: One commenter recommended revising section 2.5.2, item qq, of DG–5019 or removing it altogether because reporting the high number of malware attempts on lower security level networks that do not have the degree of protection of CDAs would be burdensome on the NRC and the licensee. [NEI–195]

   Response: The NRC agrees with this comment. Based on final rule text changes, this item was revised in RG 5.83 narrowing the scope to attacks discovered or manifested on a CDA, critical system or protected network, reducing the number of potential notifications on the licensee and the NRC.

   Comment 23: One commenter recommended revising section 2.5.2, item rr, of DG–5019 to clarify the term "cyber systems." [NEI–196]

   Response: The NRC agrees with this comment. In RG 5.83 this item was revised for consistency with RG 5.71 and uses the terms "critical systems" and "CDAs."

   Comment 24: One commenter recommended removing the 15-minute reference in section 2.5.2, item ss, of DG–5019. [NEI–197]

   Response: The NRC agrees with this comment. The final rule text does not contain any 15-minute notifications related to cyber security, and therefore, this item was revised in the final guidance to a four-hour notification example.

   Comment 25: One commenter recommended revising or removing the paragraph before section 2.6.2, item h, in DG–5019 regarding cyber security events that interrupt or degrade the facility's SSEP functions. [NEI–198]

   Response: The NRC agrees with this comment, yet has, for other reasons, removed this material from the final guidance. The final guidance reflects changes made to the final rule that align more closely with § 73.54 (i.e., adverse impacts to SSEP functions), and in the process, staff determined that this item was no longer required.

   Comment 26: One commenter recommended revising section 2.6.2, item I, of DG–5019. The commenter recommended removing the term "failed" because a CDA could fail for non-malicious reasons and not be the result of a cyber attack or unauthorized activity. [NEI–199]

   Response: The NRC agrees with this comment. There are many reasons a critical digital asset can fail that are not related to unauthorized activity or cyber attacks. Regulatory Guide 5.83 has been revised to reflect this change.

   Comment 27: One commenter recommended revising section 5.3, item n, of DG–5019 because the term "compensated" is not defined. [NEI–200]

   Response: The NRC agrees with this comment. This item was removed from RG 5.83.

   Comment 28: One commenter recommended clarifying section 5.3, item o, of DG–5019 regarding individuals who are incorrectly authorized access to a CDA. [NEI–201]



   Response: The NRC agrees with this comment. This item was removed from RG 5.83.

   Comment 29: One commenter recommended adding items to section 5.3 of DG–5019 to include examples of cyber events that are compensated as proposed by paragraph IV.(a) in appendix G of 10 CFR part 73. [NEI–203]

   Response: The NRC disagrees with this comment. The final rule language reflects a different approach, one based on whether the cyber attack or event caused an adverse impact (or not) to SSEP functions, instead of whether the cyber attack or event was compensated or uncompensated. Regulatory Guide 5.83 has been revised to reflect this new approach.

   Comment 30: One commenter recommended changes to the definitions provided in the glossary of DG–5019. The commenter proposed changing "cyber attack" to be consistent with the definition provided in NEI 08–09 and changing "CDA" to only include digital computer, communication systems, and networks that fall within level 3 or 4 boundaries, as well as a general comment that all definitions in the glossary be synchronized with code requirements and regulatory guides. [NEI–138, 204, 205]

   Response: The NRC agrees in part with this comment. The definitions of cyber attack and CDA in RG 5.83 have been revised to synchronize with the definitions in RG 5.71, not NEI 08–09.

   Comment 31: Two commenters proposed a definition of the term "discovery time of" in DG–5019. The commenters suggested discovery occurs after initial notifications are made and a determination made that the event meets applicable reporting requirements. [NEI–19, B&W–29]

   Response: The NRC disagrees with this comment. Internal notifications and gathering information to make a determination as to whether it meets applicable reporting requirements could take several hours, or even days, depending on the amount of information needed to reach a conclusion. The time to report an event is upon recognition; the licensee can withdraw a report (based on subsequent analysis of the circumstances) without prejudice to its security performance indicators. No changes have been made to the guidance.

   Comment 32: One commenter stated that the cyber security plan templates published by the NRC and NEI do not contain guidance for licensees to differentiate between events that are recordable versus reportable. [NEI–20, 154]

   Response: The NRC agrees with this comment. Neither cyber security plan template issued by the NRC or NEI contains guidance for licensees on which events are recordable or reportable. However, DG–5019 provided guidance to licensees on events that are reportable and recordable related to cyber security event notifications. Consistent with Commission policy, the NRC is publishing with this final rule, final guidance, RG 5.83, "Cyber Security Event Notifications," which provides guidance to licensees on an acceptable method for meeting regulatory requirements. The final guidance has been revised to provide examples that differentiate between events that are reportable and recordable.

   Comment 33: One commenter recommended revisions to NRC Form 366. The commenter recommended the NRC specify the type of content licensees should include in the abstract section of the form. [NEI–44, 118]

   Response: The NRC disagrees with this comment. The NRC's Form 366 will not be revised. Regulatory Guide 5.83 will provide the specific type of content that should be included in the abstract section of NRC's Form 366.

   Comment 34: One commenter recommended clarifying the guidance regarding elicitation of information from facility personnel relating to security or safe operation of the facility. The commenter suggested adding the phrase "non-routine" regarding the elicitation of information to distinguish general public or media inquiries from elicitations that could be indicative of suspicious activity. [NEI–52, 95, 99]

   Response: The NRC agrees with this comment. Regulatory Guide 5.83 has been revised to provide a distinction between common inquiries (e.g., public and media inquiries) and uncommon inquiries (e.g., activities that may indicate intelligence gathering or pre-operational planning related to a cyber attack).

   Comment 35: One commenter recommended clarifying the examples of one-hour notifications and including "real life" examples. [NEI–71]

   Response: The NRC agrees with this comment. The NRC staff reviewed previous "real life" examples and included them in final guidance. In addition, the new approach for one-hour notifications (i.e., adverse impacts to SSEP functions) provides additional clarity.

   Comment 36: One commenter recommended changes to the examples involving the compromise of CDAs. The commenter stated that section 2.3.2 of DG–5019, items (aa) and (bb) were duplicative, and that two supporting examples (4 and 5) were not within the scope of one-hour notifications (i.e., adverse impact to SSEP functions). [NEI–94]

   Response: The NRC agrees with this comment. Regulatory Guide 5.83 has been revised to delete one of the duplicate items and to remove the two supporting examples from the remaining item.

   Comment 37: One commenter recommended moving an example related to unauthorized attempts to steal business secrets or sensitive information to the cyber security event notification examples. [NEI–100]

   Response: The NRC disagrees with this comment. The final rule reflects an approach that aligns more closely with § 73.54 and RG 5.71, and provides clarity to cyber security event notification criteria. Unauthorized attempts to access business and trade sensitive information are outside the scope of § 73.54, and no changes to the rule or RG 5.83 were made based on this comment.

   Comment 38: One commenter recommended clarifying the example regarding unsubstantiated cyber threats related to harassment, including threats that could represent tests of response capabilities. The commenter stated the example was confusing and too broad in scope. [NEI–111]

   Response: The NRC agrees with this comment. The NRC has revised the example to clarify the scope of the cyber attacks to be reported (i.e., a cyber attack that could have caused an adverse impact to SSEP functions).

   Comment 39: One commenter requested NRC clarify the guidance on unplanned missed cyber vulnerability assessments. [NEI–131]

   Response: The NRC agrees with this comment. Regulatory Guide 5.83 was revised to clarify the treatment of missed cyber vulnerability assessments. The CSP states the periodicity that cyber vulnerability assessments are performed (quarterly). If a cyber vulnerability assessment exceeds the periodicity specified in the CSP, it would be considered a 24-hour recordable event.

C. Public Comments on Proposed Implementation Date From July 31, 2014, Public Meeting

   Comment 1: One commenter raised a concern that by issuing the Cyber Security Event Notifications (CSEN) final rulemaking now it may delay full implementation of § 73.54 because of the impact on resources. The commenter stated that licensees may have to divert some resources from implementing the cyber security


                                             VerDate Sep<11>2014   17:39 Oct 30, 2015   Jkt 238001   PO 00000   Frm 00012   Fmt 4700   Sfmt 4700   E:\FR\FM\02NOR1.SGM   02NOR1


                                                                   Federal Register / Vol. 80, No. 211 / Monday, November 2, 2015 / Rules and Regulations                                          67273

program to implementing the CSEN requirements.

Response: The NRC agrees in part with this comment. The NRC staff recognizes that this rule will have an impact on licensee resources (similar skillsets are required for CSEN and for cyber security program implementation). The NRC staff acknowledges this and is conducting CER-related activities in an effort to minimize the impact (e.g., conducting a public meeting on the implementation date during final rulemaking, and issuing final guidance with the final rule). In addition, the CSEN final rule is consistent with existing notification processes (i.e., §§ 50.72 and 73.71) and aligns closely with § 73.54 and the current voluntary reporting initiatives, thereby reducing the level of impact on implementation. However, the CSEN final rule removes the voluntary aspect of reporting certain cyber security events, provides regulatory stability, and ensures the NRC is notified in a timely manner while maintaining its strategic communications mission outlined in the framework of the National Infrastructure Protection Plan developed by the DHS (see http://www.dhs.gov/sites/default/files/publications/National-Infrastructure-Protection-Plan-2013-508.pdf). Prompt notification of a cyber attack could be vital to the NRC's ability to take immediate action in response to a cyber attack and, if necessary, to notify other NRC licensees, Government agencies, and critical infrastructure facilities, to defend against a multiple-sector cyber attack. A cyber attack has the capability to be launched against multiple targets simultaneously or to spread quickly throughout multiple sectors of critical infrastructure; therefore, the NRC has not changed the 180-day implementation schedule.

V. Section-by-Section Analysis

The following section-by-section analysis discusses the final revisions to the NRC's regulations regarding cyber security, and explains how the final rule differs from the language in the proposed rule. This final rule adds a new section (§ 73.77) to 10 CFR part 73 and revises three existing sections (§§ 73.8, 73.22, and 73.54) to make conforming changes.

Section 73.8, Information Collection Requirements: OMB Approval

The NRC is amending § 73.8 to add § 73.77 to paragraph (b), which lists the approved information collection requirements contained in 10 CFR part 73 under control number 3150–0002. In addition, the NRC is amending § 73.8 to add § 73.77 to paragraph (c)(1), which provides that NRC Form 366 is approved under control number 3150–0104.

Section 73.22, Protection of Safeguards Information: Specific Requirements

The NRC is amending § 73.22(f)(3) to add the sentence, "Cyber security event notifications required to be reported pursuant to § 73.77 are considered to be extraordinary conditions," to the end of the paragraph.

Section 73.54, Protection of Digital Computer and Communication Systems and Networks

The NRC is amending § 73.54 to add a new paragraph (d)(4) that reads, "Conduct cyber security event notifications in accordance with the provisions of § 73.77." This new requirement directs the licensee to the correct 10 CFR part 73 section for conducting cyber security event notifications.

Section 73.77, Cyber Security Event Notifications

The NRC has moved the cyber security event notification requirements that were proposed to be added to § 73.71 and appendix G to a newly created section (§ 73.77) within 10 CFR part 73.

Section 73.77(a)(1) requires licensees to notify the NRC within one hour after discovery of a cyber attack that adversely impacted safety-related or important-to-safety functions, security functions, or emergency preparedness functions (including offsite communications); or that compromised support systems and equipment resulting in adverse impacts to safety, security, or emergency preparedness functions within the scope of § 73.54. This requirement differs from the proposed rule language; it has been revised to more closely align with § 73.54 and to remove the term "uncompensated cyber security events" because it was unclear and not defined within the CSP.

Section 73.77(a)(2) requires licensees to notify the NRC within four hours.

Section 73.77(a)(2)(i) requires notification after discovery of a cyber attack that could have caused an adverse impact to safety-related or important-to-safety functions, security functions, or emergency preparedness functions (including offsite communications); or that could have compromised support systems and equipment, which if compromised, could have adversely impacted safety, security, or emergency preparedness functions within the scope of § 73.54. This requirement differs from the proposed rule; it has been revised to more closely align with § 73.54. In addition, the final rule distinguishes between four-hour and eight-hour notifications.

Section 73.77(a)(2)(ii) requires notification after discovery of a suspected or actual cyber attack initiated by personnel with physical or electronic access to digital computer and communication systems and networks within the scope of § 73.54. This requirement differs from the proposed rule; it has been revised to capture cyber attacks (e.g., tampering) that may not have any impact on SSEP functions, but may indicate an internal threat.

Section 73.77(a)(2)(iii) requires notification after the licensee has notified a local, State, or other Federal agency (e.g., local law enforcement, FBI, etc.) of an event related to implementation of its cyber security program. The final rule includes other types of agencies besides law enforcement (e.g., DHS) to maintain consistency with existing NRC reporting requirements (e.g., § 50.72).

Section 73.77(a)(3) requires licensees to notify the NRC within eight hours after receipt or collection of information regarding observed behavior, activities, or statements that may indicate intelligence gathering or pre-operational planning related to a cyber attack against digital computer and communication systems and networks within the scope of § 73.54. Requirements for "suspicious cyber events" have been revised and moved from four-hour notifications in the proposed rule to eight-hour notifications in the final rule. This requirement now captures activities that are associated with precursors to a cyber attack (e.g., activities related to intelligence gathering or pre-operational planning).

Section 73.77(b) requires licensees to record certain cyber security events in their site corrective action program (CAP) within 24 hours of their discovery. The proposed rule required licensees to use a Safeguards Event Log; to prevent duplication of effort, the final rule requires licensees to use their site CAP.

Section 73.77(b)(1) requires licensees to use their site CAP to record vulnerabilities, weaknesses, failures, and deficiencies in their § 73.54 cyber security program. This requirement has been revised to align with the NRC physical protection program requirements in § 73.55(b)(10) regarding the use of the site CAP to track, trend, correct, and prevent recurrence of failures and deficiencies.

Section 73.77(b)(2) requires licensees to record notifications made under paragraph (a) of § 73.77.



Section 73.77(c) provides the process for conducting cyber security event notifications.

Section 73.77(c)(1) has been revised from the proposed rule to include the Emergency Notification System (ENS) as the primary means for conducting notifications, instead of any available telephone system. Using the ENS is consistent with existing NRC regulations for conducting notifications (e.g., § 50.72).

Section 73.77(c)(3) in the final rule was revised to remove a reference to paragraph III in appendix A of 10 CFR part 73 that provided instructions on requesting a transfer to a secure phone. The current appendix A in 10 CFR part 73 does not contain a paragraph III, and conforming changes to appendix A are not part of this final rule. Section 73.77(c)(3) was revised to reference appendix A and to request transfer to a secure phone.

Sections 73.77(c)(6), "Declaration of emergencies," and 73.77(c)(7), "Elimination of duplication," were moved in the final rule from the "Written Security Follow-up Reports" section into the "Notification Process" section because they contain notification-specific information. In addition, the proposed rule referenced several sections of the NRC's regulations (e.g., § 70.50) that, due to the narrowed scope of this final rule, are not being revised by this final rule.

Section 73.77(d), "Written security follow-up reports," establishes the regulatory framework necessary to facilitate consistent application of Commission requirements for written security follow-up reports for cyber security event notifications.

VI. Regulatory Flexibility Certification

Under the Regulatory Flexibility Act (5 U.S.C. 605(b)), the NRC certifies that this rule does not have a significant economic impact on a substantial number of small entities. This final rule affects only the licensing and operation of nuclear power plants. The companies that own these plants do not fall within the scope of the definition of "small entities" set forth in the Regulatory Flexibility Act or the size standards established by the NRC (10 CFR 2.810).

VII. Regulatory Analysis

The NRC has prepared a final regulatory analysis for this final rule. The analysis examines the costs and benefits of the alternatives considered by the NRC. The regulatory analysis is available as indicated in Section XVII, "Availability of Documents," of this document.

VIII. Backfitting and Issue Finality

The final rule imposing new cyber security event notifications affects information collection and reporting requirements and is not considered to be a backfit, as presented in the charter for the NRC's Committee to Review Generic Requirements. Therefore, a backfit analysis has not been completed for any of the provisions of this final rule.

IX. Cumulative Effects of Regulation

While the proposed rule was issued prior to the formal CER requirements promulgated by SRM–SECY–0032, the intent of CER was still met. For example, the draft guidance was issued for comment concurrent with the proposed rule, a public meeting was conducted during the development of the proposed rule, a public meeting on implementation was conducted during the final rule stage, and the final guidance will be issued with the final rule.

The NRC staff engaged external stakeholders at public meetings and by soliciting public comments on the proposed rule and draft guidance documents. A public meeting was held at NRC Headquarters on June 1, 2011, to discuss the proposed rule, the draft implementation plan, and draft guidance.

In addition, on July 31, 2014, a public meeting was held at NRC Headquarters on the draft final implementation plan for the final rule (a type of meeting specifically contemplated by the NRC's CER effort). Prompt notification of a cyber attack is vital to the NRC's ability to take immediate action in response to a cyber attack, which contributes to protecting the public health and safety or the common defense and security. The NRC's strategic communications mission and the feedback from the public meetings informed the staff's recommended schedule for the final implementation date in the CSEN final rule.

A fundamental CER process improvement is to publish the final guidance with the final rule so as to support effective implementation. This final rulemaking accomplishes this by ensuring that final guidance is complete and available concurrent with publication of this final rule in the Federal Register.

X. Plain Writing

The Plain Writing Act of 2010 (Pub. L. 111–274) requires Federal agencies to write documents in a clear, concise, and well-organized manner. The NRC has written this document to be consistent with the Plain Writing Act as well as the Presidential Memorandum, "Plain Language in Government Writing," published June 10, 1998 (63 FR 31883).

XI. Environmental Assessment and Final Finding of No Significant Environmental Impact

The NRC has determined that this final rule is the type of action described in 10 CFR 51.22(c)(3)(iii). Therefore, neither an environmental impact statement nor an environmental assessment has been prepared for this final rule.

XII. Paperwork Reduction Act

This final rule contains new or amended information collection requirements that are subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). These requirements were approved by the Office of Management and Budget (OMB), approval numbers 3150–0230 and 3150–0104.

The burden to the public for these information collections is estimated to average 39.4 hours per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the information collection. Send comments on any aspect of these information collections, including suggestions for reducing the burden, to the Freedom of Information Act, Privacy, and Information Collections Branch (T–5 F53), U.S. Nuclear Regulatory Commission, Washington, DC 20555–0001, or by email to Infocollects.Resource@nrc.gov, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB–10202, (3150–0230 and 3150–0104), Office of Management and Budget, Washington, DC 20503, or by email to oira_submission@omb.eop.gov.

Public Protection Notification

The NRC may not conduct or sponsor, and a person is not required to respond to, a request for information or an information collection requirement unless the requesting document displays a currently valid OMB control number.

XIII. Congressional Review Act

In accordance with the Congressional Review Act of 1996 (5 U.S.C. 801–808), the NRC has determined that this action is not a major rule and has verified this determination with the Office of Information and Regulatory Affairs of OMB.

XIV. Criminal Penalties

For the purposes of Section 223 of the Atomic Energy Act of 1954, as amended


(AEA), the NRC is issuing this final rule that would amend §§ 73.8, 73.22, and 73.54, and add § 73.77 under one or more of Sections 161b, 161i, or 161o of the AEA. Willful violations of the rule would be subject to criminal enforcement. Criminal penalties as they apply to regulations in 10 CFR part 73 are discussed in § 73.81(a).

XV. Compatibility of Agreement State Regulations

Under the "Policy Statement on Adequacy and Compatibility of Agreement State Programs," approved by the Commission on June 20, 1997, and published in the Federal Register (62 FR 46517; September 3, 1997), this rule is classified as compatibility "NRC." Compatibility is not required for Category "NRC" regulations. The NRC program elements in this category are those that relate directly to areas of regulation reserved to the NRC by the AEA or the provisions of 10 CFR, and although an Agreement State may not adopt program elements reserved to the NRC, it may wish to inform its licensees of certain requirements via a mechanism that is consistent with a particular State's administrative procedure laws, but does not confer regulatory authority on the State.

XVI. Availability of Guidance

The NRC is issuing implementation guidance for this rule, RG 5.83, "Cyber Security Event Notifications" (Docket ID NRC–2014–0036). The guidance is available in ADAMS under Accession No. ML14269A388. Regulatory Guide 5.83 is intended to describe a proposed method that the NRC staff considers acceptable for use in complying with the NRC's regulations on cyber security event notifications. Because the regulatory analysis for the final rule provides sufficient explanation for the rule and the implementing guidance, a separate regulatory analysis was not prepared for the regulatory guide.

XVII. Availability of Documents

The documents identified in the following table are available to interested persons through the following methods, as indicated.

Document ........ ADAMS Accession No./Federal Register (FR) citation

SECY–10–0085—Proposed Rule: “Enhanced Weapons, Firearms Background Checks and Security Event Notifications” (RIN: 3150–AI49) (June 27, 2010) ........ ML101110121
Staff Requirements—SECY–10–0085—Proposed Rule: Enhanced Weapons, Firearms Background Checks and Security Event Notifications (RIN: 3150–AI49) (October 19, 2010) ........ ML102920342
Proposed Enhanced Weapons, Firearms Background Checks, and Security Event Notifications Rule (February 3, 2011) ........ 76 FR 6199
DG–5019, “Reporting and Recording Safeguards Events” (February 3, 2011) ........ 76 FR 6085
Summary of the June 1, 2011, Public Meeting to Discuss the Proposed Enhanced Weapons, Firearms Background Checks and Security Event Notifications Rulemaking (June 24, 2011) ........ ML111720007
Bifurcation of the Enhanced Weapons, Firearms Background Checks, and Security Event Notifications Rule (December 20, 2013) ........ ML13280A366
Staff Requirements—COMSECY–13–0031—Bifurcation of the Enhanced Weapons, Firearms Background Checks, and Security Event Notification Rule (January 22, 2014) ........ ML14023A860
Regulatory Analysis for Final Rule on Cyber Security Event Notifications (10 CFR Part 73) ........ ML14170B076
Summary of the July 31, 2014, Public Meeting to Discuss the Proposed Implementation Date of the Draft Cyber Security Event Notification Final Rule (August 29, 2014) ........ ML14240A404
Regulatory Guide 5.83, “Cyber Security Event Notifications” (March 2015) ........ ML14269A388
CSEN Public Comments Associated with Final Rule ........ ML14226A596
Final Rule: Cyber Security Event Notification OMB Supporting Statement ........ ML15203A233



List of Subjects for 10 CFR Part 73

Criminal penalties, Exports, Hazardous materials transportation, Incorporation by reference, Imports, Nuclear energy, Nuclear materials, Nuclear power plants and reactors, Penalties, Reporting and recordkeeping requirements, Security measures.

For the reasons set out in the preamble and under the authority of the Atomic Energy Act of 1954, as amended; the Energy Reorganization Act of 1974, as amended; and 5 U.S.C. 552 and 553, the NRC is adopting the following amendments to 10 CFR part 73.

PART 73—PHYSICAL PROTECTION OF PLANTS AND MATERIALS

■ 1. The authority citation for part 73 continues to read as follows:

Authority: Atomic Energy Act of 1954, secs. 53, 147, 149, 161, 170D, 170E, 170H, 170I, 223, 229, 234, 1701 (42 U.S.C. 2073, 2167, 2169, 2201, 2210d, 2210e, 2210h, 2210i, 2273, 2278a, 2282, 2297f); Energy Reorganization Act of 1974, secs. 201, 202 (42 U.S.C. 5841, 5842); Nuclear Waste Policy Act of 1982, secs. 135, 141 (42 U.S.C. 10155, 10161); 44 U.S.C. 3504 note.

Section 73.37(b)(2) also issued under Sec. 301, Public Law 96–295, 94 Stat. 789 (42 U.S.C. 5841 note).

■ 2. In § 73.8, revise paragraphs (b) and (c)(1) to read as follows:

§ 73.8 Information collection requirements: OMB approval.

* * * * *

(b) The approved information collection requirements contained in this part appear in §§ 73.5, 73.20, 73.21, 73.24, 73.25, 73.26, 73.27, 73.37, 73.38, 73.40, 73.45, 73.46, 73.50, 73.54, 73.55, 73.56, 73.57, 73.58, 73.60, 73.67, 73.70, 73.71, 73.72, 73.73, 73.74, 73.77 and appendices B, C, and G to this part.

(c) * * *

(1) In §§ 73.71 and 73.77, NRC Form 366 is approved under control number 3150–0104.

* * * * *

■ 3. In § 73.22, add a sentence to the end of paragraph (f)(3) to read as follows:

§ 73.22 Protection of Safeguards Information: Specific requirements.

* * * * *

(f) * * *

(3) * * * Cyber security event notifications required to be reported pursuant to § 73.77 are considered to be extraordinary conditions.

* * * * *

■ 4. In § 73.54, add paragraph (d)(4) to read as follows:

§ 73.54 Protection of digital computer and communication systems and networks.

* * * * *

(d) * * *

(4) Conduct cyber security event notifications in accordance with the provisions of § 73.77.

* * * * *

■ 5. Add § 73.77 to read as follows:




                                                  67276            Federal Register / Vol. 80, No. 211 / Monday, November 2, 2015 / Rules and Regulations

§ 73.77 Cyber security event notifications.

(a) Each licensee subject to the provisions of § 73.54 shall notify the NRC Headquarters Operations Center via the Emergency Notification System (ENS), in accordance with paragraph (c) of this section:

(1) Within one hour after discovery of a cyber attack that adversely impacted safety-related or important-to-safety functions, security functions, or emergency preparedness functions (including offsite communications); or that compromised support systems and equipment resulting in adverse impacts to safety, security, or emergency preparedness functions within the scope of § 73.54.

(2) Within four hours:

(i) After discovery of a cyber attack that could have caused an adverse impact to safety-related or important-to-safety functions, security functions, or emergency preparedness functions (including offsite communications); or that could have compromised support systems and equipment, which if compromised, could have adversely impacted safety, security, or emergency preparedness functions within the scope of § 73.54.

(ii) After discovery of a suspected or actual cyber attack initiated by personnel with physical or electronic access to digital computer and communication systems and networks within the scope of § 73.54.

(iii) After notification of a local, State, or other Federal agency (e.g., law enforcement, FBI, etc.) of an event related to the licensee’s implementation of their cyber security program for digital computer and communication systems and networks within the scope of § 73.54 that does not otherwise require a notification under paragraph (a) of this section.

(3) Within eight hours after receipt or collection of information regarding observed behavior, activities, or statements that may indicate intelligence gathering or pre-operational planning related to a cyber attack against digital computer and communication systems and networks within the scope of § 73.54.

(b) Twenty-four hour recordable events. (1) The licensee shall use the site corrective action program to record vulnerabilities, weaknesses, failures and deficiencies in their § 73.54 cyber security program within twenty-four hours of their discovery.

(2) The licensee shall use the site corrective action program to record notifications made under paragraph (a) of this section within twenty-four hours of their discovery.

(c) Notification process. (1) Each licensee shall make telephonic notifications required by paragraph (a) of this section to the NRC Headquarters Operations Center via the ENS. If the ENS is inoperative or unavailable, the licensee shall make the notification via a commercial telephone service or other dedicated telephonic system or any other methods that will ensure a report is received by the NRC Headquarters Operations Center within the timeframe. Commercial telephone numbers for the NRC Headquarters Operations Center are specified in appendix A to this part.

(2) Notifications required by this section that contain Safeguards Information may be made to the NRC Headquarters Operations Center without using secure communications systems under the exception in § 73.22(f)(3) for emergency or extraordinary conditions.

(3) Notifications required by this section that contain Safeguards Information and/or classified national security information and/or restricted data must be made to the NRC Headquarters Operations Center using secure communications systems appropriate to the sensitivity/classification level of the message. Licensees making these types of telephonic notifications must contact the NRC Headquarters Operations Center at the commercial numbers specified in appendix A to this part and request a transfer to a secure telephone.

(i) If the licensee’s secure communications capability is unavailable (e.g., due to the nature of the security event), the licensee must provide as much information to the NRC as is required by this section, without revealing or discussing any Safeguards Information and/or Classified Information, in order to meet the timeliness requirements of this section. The licensee must also indicate to the NRC that its secure communications capability is unavailable.

(ii) Licensees using a non-secure communications capability may be directed by the NRC Emergency Response management to provide classified information to the NRC over the non-secure system, due to the significance of the ongoing security event. In such circumstances, the licensee must document this direction and any information provided to the NRC over a non-secure communications capability in the written security follow-up report required in accordance with paragraph (d) of this section.

(4) For events reported under paragraph (a)(1) of this section, the NRC may request that the licensee maintain an open and continuous communication channel with the NRC Headquarters Operations Center.

(5) Licensees desiring to retract a previous security event report that has been determined to not meet the threshold of a reportable event must telephonically notify the NRC Headquarters Operations Center and indicate the report being retracted and basis for the retraction.

(6) Declaration of emergencies. Notifications made to the NRC for the declaration of an emergency class shall be performed in accordance with § 50.72 of this chapter, as applicable.

(7) Elimination of duplication. Separate notifications and reports are not required for events that are also reportable in accordance with §§ 50.72 and 50.73 of this chapter. However, these notifications should also indicate the applicable § 73.77 reporting criteria.

(d) Written security follow-up reports. Each licensee making an initial telephonic notification of security events to the NRC according to the provisions of paragraphs (a)(1), (a)(2)(i), and (a)(2)(ii) of this section must also submit a written security follow-up report to the NRC within 60 days of the telephonic notification in accordance with § 73.4.

(1) Licensees are not required to submit a written security follow-up report following a telephonic notification made under § 73.77(a)(2)(iii) or (a)(3).

(2) Each licensee shall submit to the NRC written security follow-up reports that are of a quality that will permit legible reproduction and processing.

(3) Licensees shall prepare the written security follow-up report on NRC Form 366.

(4) In addition to the addressees specified in § 73.4, the licensee shall also provide one copy of the written security follow-up report addressed to the Director, Office of Nuclear Security and Incident Response, or the Director’s designee. Any written security follow-up reports containing classified information shall be transmitted to the NRC Headquarters’ classified mailing address as specified in appendix A to this part.

(5) The written security follow-up report must include sufficient information for NRC analysis and evaluation.

(6) Significant supplemental information which becomes available after the initial telephonic notification to the NRC Headquarters Operations Center or after the submission of the written security follow-up report must be telephonically reported to the NRC Headquarters Operations Center under paragraph (c) of this section and also submitted in a revised written security follow-up report (with the revisions indicated) as required under this section.

(7) Errors discovered in a written security follow-up report must be corrected in a revised written security follow-up report with the revision(s) indicated.

(8) The revised written security follow-up report must replace the previous written security follow-up report; the update must be complete and not be limited to only supplementary or revised information.

(9) If the licensee subsequently retracts a telephonic notification made under this section as not meeting the threshold of a reportable event, and has not yet submitted a written security follow-up report then submission of a written security follow-up report is not required.

(10) If the licensee subsequently retracts a telephonic notification made under this section as not meeting the threshold of a reportable event after it has submitted a written security follow-
                                                  up report required by this paragraph,                      Credit Administration, McLean, VA                  set forth below. FCA Board policy
                                                  then the licensee shall submit a revised                   22102–5090, (703) 883–4071, TTY                    statements may be viewed online at
                                                  written security follow-up report in                       (703) 883–4056.                                    www.fca.gov/handbook.nsf.
                                                  accordance with this paragraph.                         SUPPLEMENTARY INFORMATION: The Farm                      On August 18, 2015, the FCA Board
                                                    (11) Each written security follow-up                  Credit Administration (FCA or our)                    updated FCA–PS–62 on, ‘‘Equal
                                                  report submitted containing Safeguards                  amended our regulations related to                    Employment Opportunity and
                                                  Information or Classified Information                   mergers and consolidations of Farm                    Diversity.’’ The policy was published in
                                                  must be created, stored, marked,                        Credit System banks and associations to               the Federal Register on August 26, 2015
                                                  labeled, handled, and transmitted to the                clarify the merger review and approval                (80 FR 51806).
                                                  NRC according to the requirements of                    process and incorporate existing                         On August 31, 2015, the FCA Board
                                                  §§ 73.21 and 73.22 or with part 95 of                   practices in the regulations. In                      updated FCA–PS–44 on, ‘‘Travel’’ and
                                                  this chapter, as applicable.                            accordance with 12 U.S.C. 2252, the                   FCA–PS–64 on, ‘‘Rules for the
                                                    (12) Each licensee shall maintain a                   effective date of the final rule is no                Transaction of Business of the Farm
                                                  copy of the written security follow-up                  earlier than 30 days from the date of                 Credit Administration Board.’’ Those
                                                  report of an event submitted under this                 publication in the Federal Register                   were not previously published in the
                                                  section as a record for a period of three               during which either or both Houses of                 Federal Register and are set forth below
                                                  years from the date of the report or until              Congress are in session. Based on the                 in their entirety.
                                                  the Commission terminates the license                   records of the sessions of Congress, the              FCA Board Policy Statements
                                                  for which the records were developed,                   effective date of the regulations is                  FCA–PS–34 Disclosure of the Issuance
                                                  whichever comes first.                                  November 2, 2015.                                       and Termination of Enforcement
                                                    Dated at Rockville, Maryland, this 23rd day           (12 U.S.C. 2252(a)(9) and (10))                         Documents
                                                  of October, 2015.                                         Date: October 27, 2015.                             FCA–PS–37 Communications During
                                                    For the Nuclear Regulatory Commission.                Dale L. Aultman,                                        Rulemaking
                                                  Annette L. Vietti-Cook,                                 Secretary, Farm Credit Administration Board.          FCA–PS–41 Alternative Means of
                                                  Secretary of the Commission.                                                                                    Dispute Resolution
                                                                                                          [FR Doc. 2015–27895 Filed 10–30–15; 8:45 am]
                                                  [FR Doc. 2015–27855 Filed 10–30–15; 8:45 am]                                                                  FCA–PS–44 Travel
                                                                                                          BILLING CODE 6705–01–P
                                                  BILLING CODE 7590–01–P
                                                                                                                                                                FCA–PS–53 Examination Philosophy
                                                                                                                                                                FCA–PS–59 Regulatory Philosophy
                                                                                                                                                                FCA–PS–62 Equal Employment
                                                                                                          FARM CREDIT ADMINISTRATION                              Opportunity and Diversity
                                                  FARM CREDIT ADMINISTRATION                                                                                    FCA–PS–64 Rules for the Transaction
                                                                                                          12 CFR Chapter VI
                                                                                                                                                                  of Business of the Farm Credit
                                                  12 CFR Part 611
                                                                                                          Farm Credit Administration Board                        Administration Board
asabaliauskas on DSK5VPTVN1PROD with RULES




                                                  RIN 3052–AC72
                                                                                                          Policy Statements                                     FCA–PS–65 Release of Consolidated
                                                                                                                                                                  Reporting System Information
                                                  Organization; Mergers, Consolidations,                  AGENCY:   Farm Credit Administration.                 FCA–PS–67 Nondiscrimination on the
                                                  and Charter Amendments of Banks or                      ACTION:   Notice of policy statements and               Basis of Disability in Agency
                                                  Associations                                            index.                                                  Programs and Activities
                                                  AGENCY: Farm Credit Administration.                                                                           FCA–PS–68 FCS Building Association
                                                                                                          SUMMARY: The Farm Credit                                Management Operations Policies and
                                                  ACTION: Notice of effective date.
                                                                                                          Administration (FCA), as part of its                    Practices


                                             VerDate Sep<11>2014   17:39 Oct 30, 2015   Jkt 238001   PO 00000   Frm 00017   Fmt 4700   Sfmt 4700   E:\FR\FM\02NOR1.SGM   02NOR1



Document Created: 2018-03-01 11:29:43
Document Modified: 2018-03-01 11:29:43
Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:; GS 4.107:; AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Rules and Regulations
Action: Final rule.
Dates: Effective Date: This final rule is effective December 2, 2015. Compliance Date: Compliance with this final rule is required by May 2, 2016, for those licensed to operate under parts 50 and 52 of Title 10 of the Code of Federal Regulations (10 CFR) and subject to Sec. 73.54.
Contact: Robert H. Beall, Office of Nuclear Reactor Regulation, telephone: 301-415-3874, email: [email protected], U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001.
FR Citation: 80 FR 67264
RIN Number: 3150-AJ37
CFR Associated: Criminal Penalties; Exports; Hazardous Materials Transportation; Incorporation by Reference; Imports; Nuclear Energy; Nuclear Materials; Nuclear Power Plants and Reactors; Penalties; Reporting and Recordkeeping Requirements; Security Measures