83 FR 22413 - Cyber Security for Byproduct Materials Licensees

NUCLEAR REGULATORY COMMISSION

Federal Register Volume 83, Issue 94 (May 15, 2018)

Page Range		22413-22414
FR Document		2018-10358

The U.S. Nuclear Regulatory Commission (NRC) is discontinuing the rulemaking activity that would have developed cyber security requirements for byproduct materials licensees possessing risk- significant quantities of radioactive materials. The purpose of this action is to inform members of the public of the discontinuation of the rulemaking activity and to provide a brief discussion of the NRC's decision. The rulemaking activity will no longer be reported in the NRC's portion of the Unified Agenda of Regulatory and Deregulatory Actions (the Unified Agenda).

Federal Register, Volume 83 Issue 94 (Tuesday, May 15, 2018)

[Federal Register Volume 83, Number 94 (Tuesday, May 15, 2018)]
[Proposed Rules]
[Pages 22413-22414]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2018-10358]


========================================================================
Proposed Rules
                                                Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains notices to the public of 
the proposed issuance of rules and regulations. The purpose of these 
notices is to give interested persons an opportunity to participate in 
the rule making prior to the adoption of the final rules.

========================================================================


Federal Register / Vol. 83, No. 94 / Tuesday, May 15, 2018 / Proposed 
Rules

[[Page 22413]]



NUCLEAR REGULATORY COMMISSION

10 CFR Part 37

[NRC-2015-0019]
RIN 3150-AJ56


Cyber Security for Byproduct Materials Licensees

AGENCY: Nuclear Regulatory Commission.

ACTION: Discontinuation of rulemaking activity.

-----------------------------------------------------------------------

SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is discontinuing 
the rulemaking activity that would have developed cyber security 
requirements for byproduct materials licensees possessing risk-
significant quantities of radioactive materials. The purpose of this 
action is to inform members of the public of the discontinuation of the 
rulemaking activity and to provide a brief discussion of the NRC's 
decision. The rulemaking activity will no longer be reported in the 
NRC's portion of the Unified Agenda of Regulatory and Deregulatory 
Actions (the Unified Agenda).

DATES: As of May 15, 2018, the rulemaking activity discussed in this 
document is discontinued.

ADDRESSES: Please refer to Docket ID NRC-2015-0019 when contacting the 
NRC about the availability of information regarding this action. You 
may obtain publicly available information related to this document 
using any of the following methods:
     Federal Rulemaking website: Go to http://www.regulations.gov and search for Docket ID NRC-2015-0019. Address 
questions about NRC dockets to Carol Gallagher; telephone: 301-415-
3463; email: Carol.Gallagher@nrc.gov. For technical questions, contact 
the individual listed in the FOR FURTHER INFORMATION CONTACT section of 
this document.
     NRC's Agencywide Documents Access and Management System 
(ADAMS): You may obtain publicly-available documents online in the 
ADAMS Public Documents collection at http://www.nrc.gov/reading-rm/adams.html. To begin the search, select ``ADAMS Public Documents'' and 
then select ``Begin Web-based ADAMS Search.'' For problems with ADAMS, 
please contact the NRC's Public Document Room (PDR) reference staff at 
1-800-397-4209, 301-415-4737, or by email to pdr.resource@nrc.gov. The 
ADAMS accession number for each document referenced (if it is available 
in ADAMS) is provided the first time that it is mentioned in the 
SUPPLEMENTARY INFORMATION section.
     NRC's PDR: You may examine and purchase copies of public 
documents at the NRC's PDR, Room O1F21, One White Flint North, 11555 
Rockville Pike, Rockville, Maryland 20852.

FOR FURTHER INFORMATION CONTACT: Vanessa Cox, Office of Nuclear 
Material Safety and Safeguards, U.S. Nuclear Regulatory Commission, 
Washington, DC 20555-0001; telephone: 301-415-8342; email: 
Vanessa.Cox@nrc.gov.

SUPPLEMENTARY INFORMATION: 

I. Discussion

    The NRC and Agreement States are responsible for overseeing and 
implementing the National Materials Program to enable the safe and 
secure use of radioactive materials licensed for commercial, 
industrial, academic, and medical uses. The program includes thousands 
of byproduct materials licensees in varying operating environments, 
ranging from small industrial radiography and well-logging businesses 
to large manufacturing facilities, universities, and medical 
facilities. The majority of the licensees that possess risk-significant 
quantities of radioactive materials are regulated by Agreement States. 
Risk-significant quantities of radioactive material are defined as 
those meeting the thresholds for Category 1 and Category 2 included in 
appendix A to part 37 of title 10 of the Code of Federal Regulations 
(10 CFR), ``Physical Protection of Category 1 and Category 2 Quantities 
of Radioactive Material.''
    In a Commission paper, SECY-12-0088, ``The Nuclear Regulatory 
Commission Cyber Security Roadmap,'' dated June 25, 2012 (ADAMS 
Accession No. ML12135A050), the NRC staff described its plan to 
evaluate the need for cyber security requirements for NRC and Agreement 
State licensees and facilities, including byproduct materials 
licensees. As described in that paper, the NRC staff planned to form a 
working group, with Agreement State participation, to develop self-
assessment tools for licensees and conduct a limited number of site 
visits. Based on the results of these assessments and site visits, the 
working group intended to prepare a paper outlining potential actions 
for Commission consideration.
    In July 2013, the NRC established the Byproduct Materials Cyber 
Security Working Group, comprised of headquarters and regional NRC 
staff and representation from the Organization of Agreement States. The 
purpose of the working group was to identify potential cyber security 
vulnerabilities among commercial, medical, industrial, and academic 
users of risk-significant radioactive materials and determine if the 
results warranted regulatory action. The working group worked with the 
NRC's Intelligence Liaison and Threat Assessment Branch, which 
regularly monitors the threats associated with cyber security and 
shares cyber threat information with licensees, as appropriate.
    The working group identified four sets of digital assets that the 
NRC should evaluate with respect to cyber threat protection:
    (1) Digital/microprocessor-based systems and devices that support 
the physical security of the licensee's facilities. These include 
access control systems, physical intrusion detection and alarm systems, 
video camera monitoring systems, digital video recorders, door alarms, 
motion sensors, keycard readers, and biometric scanners;
    (2) Equipment and devices with software-based control, operation, 
and automation features, such as panoramic irradiators and gamma 
knives;
    (3) Computers and systems used to maintain source inventories, 
audit data, and records necessary for compliance with security 
requirements and regulations; and
    (4) Digital technology used to support incident response 
communications and coordination such as digital packet radio systems, 
digital repeater stations, and digital trunk radio systems.
    On January 6, 2016, the NRC staff submitted a memorandum to the

[[Page 22414]]

Commission titled ``Staff Activities Related to the Evaluation of 
Materials Cyber Security Vulnerabilities'' (ADAMS Accession No. 
ML15201A509). This memorandum informed the Commission of the ongoing 
evaluation to determine the cyber security risk to each of the four 
sets of digital assets for risk-significant radioactive materials 
licensees, and described the two-pronged approach focused on 
information gathering and consequence analysis that was used.
    As part of the information gathering effort, the NRC staff 
distributed a voluntary survey, ``Questionnaire on Cyber Security at 
Byproduct Materials Licensees'' (ADAMS Accession No. ML15246A306) on 
April 29, 2016, to all NRC and Agreement State licensees that possessed 
Category 1 and 2 quantities of radioactive materials. The purpose of 
the questionnaire was to identify what key digital assets existed at 
each licensee type, how they were connected to internal/external 
networks and the internet, and what technical and procedural security 
measures were in place for protection and operation of these systems 
and devices. The NRC staff also conducted outreach to stakeholders to 
encourage completion of the questionnaire, and site visits to 
manufacturers and panoramic irradiator licensees.
    The consequence analysis was conducted in parallel with the 
information gathering effort, and evaluated the potential for onsite 
and offsite consequences that could occur if the availability, 
integrity, or confidentiality of data or systems associated with 
nuclear materials were compromised by a cyber attack.
    Given the regulatory responsibilities of the U.S. Food and Drug 
Administration (FDA), the NRC limited its evaluation of the software 
systems used in medical applications to the systems related to the 
radiation safety and physical protection authority of the NRC. The NRC 
has a memorandum of understanding with the FDA that clarifies the 
respective roles of each agency in regulating the safe use of 
radiopharmaceuticals and sealed sources, and other medical devices 
containing radioactive material (ADAMS Accession No. ML023520399). 
Additional information on the FDA's activities, role, and expectations 
for the continued cyber security of medical devices can be found at 
https://www.fda.gov/downloads/medicaldevices/digitalhealth/ucm544684.pdf.
    On February 28, 2017, the NRC staff provided an update to the 
Commission on the status of agency activities pertaining to cyber 
security at licensee facilities in a Commission paper, SECY-17-0034, 
``Update to the U.S. Nuclear Regulatory Commission Cyber Security 
Roadmap'' (ADAMS Accession No. ML16354A258). The update noted the NRC 
staff's further consideration of cyber security requirements for 
radioactive materials licensees since the January 2016 memorandum. 
Additionally, the paper stated that the working group planned to 
complete its evaluation of the questionnaire responses, consequence 
analysis, and any follow-up communication with stakeholders and develop 
recommendations for a path forward.
    Subsequently, the NRC completed its evaluation of cyber security 
requirements for byproduct materials licensees in October 2017.
    The NRC staff concluded that byproduct materials licensees that 
possess risk-significant quantities of radioactive material do not rely 
solely on digital assets to ensure safety or physical protection. 
Rather, these licensees generally use a combination of measures, such 
as doors, locks, barriers, human resources, and operational processes, 
to ensure security, which reflects a defense-in-depth approach to 
physical protection and safety. As a result, the staff concluded that a 
compromise of any of the digital assets identified in the January 6, 
2016, Commission memorandum would not result in a direct dispersal of 
risk-significant quantities of radioactive material, or exposure of 
individuals to radiation, without a concurrent and targeted breach of 
the physical protection measures in force for these licensees.
    Therefore, the NRC staff determined that the current cyber security 
threat and potential consequences do not warrant regulatory action. 
However, the NRC staff determined that it would be prudent to issue an 
Information Notice (IN) to communicate effective practices for cyber 
security to byproduct materials licensees possessing risk-significant 
quantities of radioactive material. The IN will provide licensees with 
a better understanding of contemporary cyber security issues and 
strategies to protect digital assets (e.g., computers, digital alarm 
systems), including those used to facilitate compliance with physical 
security requirements, such as those in 10 CFR part 37. The IN, which 
will reference existing cyber security guidance developed by the NRC's 
Office of Nuclear Reactor Regulation and other Federal agencies, will 
be issued later in 2018.

II. Conclusion

    For the reasons discussed in this document, the NRC is 
discontinuing rulemaking activity to develop cyber security 
requirements for byproduct materials licensees possessing risk-
significant quantities of radioactive materials. In the next edition of 
the Unified Agenda, the NRC will update the entry for this rulemaking 
activity and refer to this document to indicate that the rulemaking has 
been discontinued. This rulemaking activity will appear in the 
``Completed Actions'' section of the next edition of the Unified 
Agenda, but will not appear in future editions. If the NRC decides to 
pursue similar or related rulemaking activities in the future, it will 
inform the public through a new rulemaking entry in the Unified Agenda.

    Dated at Rockville, Maryland, this 10th day of May, 2018.

    For the Nuclear Regulatory Commission.
Victor McCree,
Executive Director for Operations.
[FR Doc. 2018-10358 Filed 5-14-18; 8:45 am]
 BILLING CODE 7590-01-P

22414 Federal Register / Vol. 83, No. 94 / Tuesday, May 15, 2018 / Proposed Rules

Commission titled ‘‘Staff Activities pertaining to cyber security at licensee II. Conclusion
Related to the Evaluation of Materials facilities in a Commission paper, SECY– For the reasons discussed in this
Cyber Security Vulnerabilities’’ 17–0034, ‘‘Update to the U.S. Nuclear document, the NRC is discontinuing
(ADAMS Accession No. ML15201A509). Regulatory Commission Cyber Security rulemaking activity to develop cyber
This memorandum informed the Roadmap’’ (ADAMS Accession No. security requirements for byproduct
Commission of the ongoing evaluation ML16354A258). The update noted the materials licensees possessing risk-
to determine the cyber security risk to NRC staff’s further consideration of significant quantities of radioactive
each of the four sets of digital assets for cyber security requirements for materials. In the next edition of the
risk-significant radioactive materials radioactive materials licensees since the Unified Agenda, the NRC will update
licensees, and described the two- January 2016 memorandum. the entry for this rulemaking activity
pronged approach focused on Additionally, the paper stated that the and refer to this document to indicate
information gathering and consequence working group planned to complete its that the rulemaking has been
analysis that was used. evaluation of the questionnaire discontinued. This rulemaking activity
As part of the information gathering responses, consequence analysis, and will appear in the ‘‘Completed Actions’’
effort, the NRC staff distributed a any follow-up communication with
voluntary survey, ‘‘Questionnaire on section of the next edition of the Unified
stakeholders and develop Agenda, but will not appear in future
Cyber Security at Byproduct Materials recommendations for a path forward.
Licensees’’ (ADAMS Accession No. editions. If the NRC decides to pursue
ML15246A306) on April 29, 2016, to all Subsequently, the NRC completed its similar or related rulemaking activities
NRC and Agreement State licensees that evaluation of cyber security in the future, it will inform the public
possessed Category 1 and 2 quantities of requirements for byproduct materials through a new rulemaking entry in the
radioactive materials. The purpose of licensees in October 2017. Unified Agenda.
the questionnaire was to identify what The NRC staff concluded that Dated at Rockville, Maryland, this 10th day
key digital assets existed at each byproduct materials licensees that of May, 2018.
licensee type, how they were connected possess risk-significant quantities of For the Nuclear Regulatory Commission.
to internal/external networks and the radioactive material do not rely solely Victor McCree,
internet, and what technical and on digital assets to ensure safety or Executive Director for Operations.
procedural security measures were in physical protection. Rather, these [FR Doc. 2018–10358 Filed 5–14–18; 8:45 am]
place for protection and operation of licensees generally use a combination of BILLING CODE 7590–01–P
these systems and devices. The NRC measures, such as doors, locks, barriers,
staff also conducted outreach to human resources, and operational
stakeholders to encourage completion of processes, to ensure security, which DEPARTMENT OF TRANSPORTATION
the questionnaire, and site visits to reflects a defense-in-depth approach to
manufacturers and panoramic irradiator physical protection and safety. As a Federal Aviation Administration
licensees. result, the staff concluded that a
The consequence analysis was compromise of any of the digital assets 14 CFR Part 39
conducted in parallel with the identified in the January 6, 2016,
information gathering effort, and [Docket No. FAA–2018–0410; Product
Commission memorandum would not Identifier 2018–NM–030–AD]
evaluated the potential for onsite and result in a direct dispersal of risk-
offsite consequences that could occur if significant quantities of radioactive RIN 2120–AA64
the availability, integrity, or material, or exposure of individuals to
confidentiality of data or systems radiation, without a concurrent and Airworthiness Directives; Airbus
associated with nuclear materials were targeted breach of the physical
compromised by a cyber attack. AGENCY: Federal Aviation
protection measures in force for these Administration (FAA), DOT.
Given the regulatory responsibilities
licensees. ACTION: Notice of proposed rulemaking
of the U.S. Food and Drug
Administration (FDA), the NRC limited Therefore, the NRC staff determined (NPRM).
its evaluation of the software systems that the current cyber security threat
used in medical applications to the and potential consequences do not SUMMARY: We propose to adopt a new
systems related to the radiation safety warrant regulatory action. However, the airworthiness directive (AD) for all
and physical protection authority of the NRC staff determined that it would be Airbus Model A350–941 airplanes. This
NRC. The NRC has a memorandum of prudent to issue an Information Notice proposed AD was prompted by an
understanding with the FDA that (IN) to communicate effective practices inspection on the production line that
clarifies the respective roles of each for cyber security to byproduct materials revealed evidence of paint peeling on
agency in regulating the safe use of licensees possessing risk-significant the forward and aft cargo frame forks
radiopharmaceuticals and sealed quantities of radioactive material. The around the hook bolt hole. This
sources, and other medical devices IN will provide licensees with a better proposed AD would require a detailed
containing radioactive material understanding of contemporary cyber visual inspection for any deficiency of
(ADAMS Accession No. ML023520399). security issues and strategies to protect the frame forks around the hook bolt
Additional information on the FDA’s digital assets (e.g., computers, digital hole on certain forward and aft cargo
activities, role, and expectations for the alarm systems), including those used to doors and applicable corrective actions.
daltland on DSKBBV9HB2PROD with PROPOSALS

continued cyber security of medical facilitate compliance with physical We are proposing this AD to address the
devices can be found at https:// security requirements, such as those in unsafe condition on these products.
www.fda.gov/downloads/ 10 CFR part 37. The IN, which will DATES: We must receive comments on
medicaldevices/digitalhealth/ reference existing cyber security this proposed AD by June 29, 2018.
ucm544684.pdf. guidance developed by the NRC’s Office ADDRESSES: You may send comments,
On February 28, 2017, the NRC staff of Nuclear Reactor Regulation and other using the procedures found in 14 CFR
provided an update to the Commission Federal agencies, will be issued later in 11.43 and 11.45, by any of the following
on the status of agency activities 2018. methods:

VerDate Sep<11>2014 16:36 May 14, 2018 Jkt 244001 PO 00000 Frm 00002 Fmt 4702 Sfmt 4702 E:\FR\FM\15MYP1.SGM 15MYP1

Document Created: 2018-05-15 00:33:50
Document Modified: 2018-05-15 00:33:50

Category		Regulatory Information
Collection		Federal Register
sudoc Class		AE 2.7: GS 4.107: AE 2.106:
Publisher		Office of the Federal Register, National Archives and Records Administration
Section		Proposed Rules
Action		Discontinuation of rulemaking activity.
Dates		As of May 15, 2018, the rulemaking activity discussed in this document is discontinued.
Contact		Vanessa Cox, Office of Nuclear Material Safety and Safeguards, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; telephone: 301-415-8342; email: [email protected]
FR Citation		83 FR 22413
RIN Number		3150-AJ56