83 FR 42623 - Cyber Security Programs for Nuclear Power Reactors
NUCLEAR REGULATORY COMMISSION Federal Register Volume 83, Issue 164 (August 23, 2018)
Federal Register Volume 83, Issue 164 (August 23, 2018)
| Page Range | 42623-42624 | |
| FR Document | 2018-18231 |
[Federal Register Volume 83, Number 164 (Thursday, August 23, 2018)] [Proposed Rules] [Pages 42623-42624] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2018-18231] [[Page 42623]] ======================================================================= ----------------------------------------------------------------------- NUCLEAR REGULATORY COMMISSION 10 CFR Chapter I [NRC-2018-0182] Cyber Security Programs for Nuclear Power Reactors AGENCY: Nuclear Regulatory Commission. ACTION: Draft regulatory guide; request for comment. ----------------------------------------------------------------------- SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is issuing for public comment Draft Regulatory Guide (DG) DG-5061, ``Cyber Security Programs for Nuclear Power Reactors.'' This revision incorporates lessons learned from operating experience since the original publication of the guide. Specifically, this revision clarifies issues identified from interim cybersecurity milestone inspections, additional insights gained through the Security Frequently Asked Questions (SFAQs) process, documented cybersecurity attacks, new technologies, and new regulations. This revision also considers the changes in the most recent revision to the National Institute of Standards and Technology (NIST) Special Publications (SP) 800-53, upon which Revision 0 of RG 5.71 was based. DATES: Submit comments by October 22, 2018. Comments received after this date will be considered if it is practical to do so, but the NRC is able to ensure consideration only for comments received on or before this date. Although a time limit is given, comments and suggestions in connection with items for inclusion in guides currently being developed or improvements in all published guides are encouraged at any time. ADDRESSES: You may submit comments by any of the following methods:Federal Rulemaking Website: Go to http://www.regulations.gov and search for Docket ID NRC-2018-0182. Address questions about NRC dockets to Jennifer Borges; telephone: 301-287- 9127; email: [email protected]. For technical questions, contact the individuals listed in the FOR FURTHER INFORMATION CONTACT section of this document. Mail comments to: May Ma, Office of Administration, Mail Stop: ON 2A13, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001. For additional direction on accessing information and submitting comments, see ``Accessing Information and Submitting Comments'' in the SUPPLEMENTARY INFORMATION section of this document. FOR FURTHER INFORMATION CONTACT: Kim Lawson-Jenkins, Office of Nuclear Security and Incident Response, telephone: 301-287-3656; email: [email protected], and Mekonen Bayssie, Office of Nuclear Regulatory Research, telephone: 301-415-1699; email: [email protected]. Both are staff of the U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001. SUPPLEMENTARY INFORMATION: I. Obtaining Information and Submitting Comments A. Obtaining Information Please refer to Docket ID NRC-2018-0182 when contacting the NRC about the availability of information regarding this document. You may obtain publically-available information related to this document, by any of the following methods: Federal Rulemaking Website: Go to http://www.regulations.gov and search for Docket ID NRC-2018-0182. NRC's Agencywide Documents Access and Management System (ADAMS): You may access publicly- available documents online in the ADAMS Public Documents collection at http://www.nrc.gov/reading-rm/adams.html. To begin the search, select ``Begin Web-based ADAMS Search.'' For problems with ADAMS, please contact the NRC's Public Document Room (PDR) reference staff at 1-800-397-4209, 301-415-4737, or by email to [email protected]. DG-5061 is available in ADAMS under Accession No. ML18016A129. NRC's PDR: You may examine and purchase copies of public documents at the NRC's PDR, Room O1-F21, One White Flint North, 11555 Rockville Pike, Rockville, Maryland 20852. B. Submitting Comments Please include Docket ID NRC-2018-0182 in your comment submission. The NRC cautions you not to include identifying or contact information that you do not want to be publicly disclosed in your comment submission. The NRC posts all comment submissions at http://www.regulations.gov as well as enters the comment submissions into ADAMS. The NRC does not routinely edit comment submissions to remove identifying or contact information. If you are requesting or aggregating comments from other persons for submission to the NRC, then you should inform those persons not to include identifying or contact information that they do not want to be publicly disclosed in their comment submission. Your request should state that the NRC does not routinely edit comment submissions to remove such information before making the comment submissions available to the public or entering the comment submissions into ADAMS. II. Additional Information The NRC is issuing for public comment a DG in the NRC's ``Regulatory Guide'' series. This series was developed to describe and make available to the public information regarding methods that are acceptable to the NRC staff for implementing specific parts of the NRC's regulations, techniques that the staff uses in evaluating specific issues or postulated events, and data that the staff needs in its review of applications for permits and licenses. The DG, titled ``Cyber Security Programs for Nuclear Power Plants,'' is temporarily identified by its task number, DG-5061. DG- 5061 is a proposed revision (Revision 1) to RG 5.71, ``Cyber Security Programs for Nuclear Power Plants.'' It provides NRC licensees with guidance on meeting the cybersecurity requirements described in title 10 of the Code of Federal Regulations (10 CFR) Sec. 73.54, ``Protection of digital computer and communication systems and networks.'' This revision clarifies issues identified from interim cybersecurity milestone inspections, additional insights gained through the SFAQs process, documented cybersecurity attacks, new technologies, and new regulations. In addition, it considers changes in NIST SP 800- 53, upon which Revision 0 of RG 5.71 was based. In 2010, the Commission issued Staff Requirements Memorandum (SRM), SRM-COMWCO-10-0001 (ADAMS Accession No. ML102940009) which clarified the scope of the cyber security rule in regards to balance of plant (BOP) systems. This revision to RG 5.71 includes guidance for structures, systems, and components (SSCs) in the BOP. In 2015, the NRC published the regulation 10 CFR 73.77, and its associated guidance, RG 5.83, that provides guidance on cyber security event notifications. This rule established requirements clarifying the types of cyber attacks that require notification to the NRC, the timeliness for making the notifications, how licensees make notifications, and how to submit follow-up written reports to the NRC. [[Page 42624]] III. Backfitting and Issue Finality DG-5061 describes a method that the staff of the NRC considers acceptable for use by nuclear power plant licensees in meeting the requirements for the cybersecurity requirements in 10 CFR 73.54. The revision updates the guidance by incorporating lessons learned and guidance documents since the original publication of the guide. On October 21, 2010, the Commission issued SRM-COMWCO-10-0001, which clarified the scope of the cyber security rule. In the SRM, the Commission determined as a matter of policy that the NRC's cyber security regulation (10 CFR 73.54) should be interpreted to include Systems Structures and Components in the Balance of Plant that have a nexus to radiological health and safety at NRC-licensed nuclear power plants. The Commission clarified the scope of the rule to include digital assets previously covered by cyber security regulations of the Federal Energy Regulatory Commission. In response to this SRM, the licensees updated their cyber security plans to incorporate BOP systems into their cyber security plans. This revision includes guidance for SSCs in the BOP. Issuance of this DG, if finalized, would not constitute backfitting as defined in 10 CFR 50.109 (the Backfit Rule) and would not otherwise be inconsistent with the issue finality provisions in 10 CFR part 52. As discussed in the ``Implementation'' section of this DG, the NRC has no current intention to impose this guide, if finalized, on holders of current operating licenses or combined licenses. However, the scope of issue finality provided extends only to the matters resolved in the license or regulatory approval. Early site permits, design certification rules, and standard design approvals typically do not address or resolve compliance with operational programs such as the cybersecurity requirements in 10 CFR 73.54. Therefore, the various issue finality provisions would not apply to applications referencing an early site permit, design certification rule, or standard design approval with respect to the security matters addressed in this draft regulatory guide. Dated at Rockville, Maryland, this 20th day of August, 2018. For the Nuclear Regulatory Commission. Thomas H. Boyce, Chief, Regulatory Guide and Generic Issues Branch, Division of Engineering, Office of Nuclear Regulatory Research. [FR Doc. 2018-18231 Filed 8-22-18; 8:45 am] BILLING CODE 7590-01-P
![Federal Register / Vol. 83, No. 164 / Thursday, August 23, 2018 / Proposed Rules 42623
NUCLEAR REGULATORY FOR FURTHER INFORMATION CONTACT: Kim Your request should state that the NRC
COMMISSION Lawson-Jenkins, Office of Nuclear does not routinely edit comment
Security and Incident Response, submissions to remove such information
10 CFR Chapter I telephone: 301–287–3656; email: before making the comment
[NRC–2018–0182] Kim.Lawson-Jenkins@nrc.gov, and submissions available to the public or
Mekonen Bayssie, Office of Nuclear entering the comment submissions into
Cyber Security Programs for Nuclear Regulatory Research, telephone: 301– ADAMS.
Power Reactors 415–1699; email: Mekonen.Bayssie@
nrc.gov. Both are staff of the U.S. II. Additional Information
AGENCY: Nuclear Regulatory Nuclear Regulatory Commission,
Commission. The NRC is issuing for public
Washington, DC 20555–0001. comment a DG in the NRC’s ‘‘Regulatory
ACTION: Draft regulatory guide; request
SUPPLEMENTARY INFORMATION: Guide’’ series. This series was
for comment.
I. Obtaining Information and developed to describe and make
SUMMARY: The U.S. Nuclear Regulatory Submitting Comments available to the public information
Commission (NRC) is issuing for public regarding methods that are acceptable to
comment Draft Regulatory Guide (DG) A. Obtaining Information the NRC staff for implementing specific
DG–5061, ‘‘Cyber Security Programs for Please refer to Docket ID NRC–2018– parts of the NRC’s regulations,
Nuclear Power Reactors.’’ This revision 0182 when contacting the NRC about techniques that the staff uses in
incorporates lessons learned from the availability of information regarding evaluating specific issues or postulated
operating experience since the original this document. You may obtain events, and data that the staff needs in
publication of the guide. Specifically, publically-available information related its review of applications for permits
this revision clarifies issues identified to this document, by any of the and licenses.
from interim cybersecurity milestone following methods: The DG, titled ‘‘Cyber Security
inspections, additional insights gained • Federal Rulemaking Website: Go to Programs for Nuclear Power Plants,’’ is
through the Security Frequently Asked http://www.regulations.gov and search
Questions (SFAQs) process, temporarily identified by its task
for Docket ID NRC–2018–0182. number, DG–5061. DG–5061 is a
documented cybersecurity attacks, new • NRC’s Agencywide Documents
technologies, and new regulations. This proposed revision (Revision 1) to RG
Access and Management System
revision also considers the changes in 5.71, ‘‘Cyber Security Programs for
(ADAMS): You may access publicly-
the most recent revision to the National Nuclear Power Plants.’’ It provides NRC
available documents online in the
Institute of Standards and Technology licensees with guidance on meeting the
ADAMS Public Documents collection at
(NIST) Special Publications (SP) 800– cybersecurity requirements described in
http://www.nrc.gov/reading-rm/
53, upon which Revision 0 of RG 5.71 title 10 of the Code of Federal
adams.html. To begin the search, select
was based. Regulations (10 CFR) § 73.54,
‘‘Begin Web-based ADAMS Search.’’ For
DATES: Submit comments by October 22,
‘‘Protection of digital computer and
problems with ADAMS, please contact
2018. Comments received after this date communication systems and networks.’’
the NRC’s Public Document Room (PDR)
will be considered if it is practical to do reference staff at 1–800–397–4209, 301– This revision clarifies issues
so, but the NRC is able to ensure 415–4737, or by email to pdr.resource@ identified from interim cybersecurity
consideration only for comments nrc.gov. DG–5061 is available in milestone inspections, additional
received on or before this date. ADAMS under Accession No. insights gained through the SFAQs
Although a time limit is given, ML18016A129. process, documented cybersecurity
comments and suggestions in • NRC’s PDR: You may examine and attacks, new technologies, and new
connection with items for inclusion in purchase copies of public documents at regulations. In addition, it considers
guides currently being developed or the NRC’s PDR, Room O1–F21, One changes in NIST SP 800–53, upon
improvements in all published guides White Flint North, 11555 Rockville which Revision 0 of RG 5.71 was based.
are encouraged at any time. Pike, Rockville, Maryland 20852. In 2010, the Commission issued Staff
ADDRESSES: You may submit comments Requirements Memorandum (SRM),
B. Submitting Comments
by any of the following methods: SRM–COMWCO–10–0001 (ADAMS
• Federal Rulemaking Website: Go to Please include Docket ID NRC–2018–
Accession No. ML102940009) which
http://www.regulations.gov and search 0182 in your comment submission. The
clarified the scope of the cyber security
for Docket ID NRC–2018–0182. Address NRC cautions you not to include
rule in regards to balance of plant (BOP)
questions about NRC dockets to Jennifer identifying or contact information that
systems. This revision to RG 5.71
Borges; telephone: 301–287–9127; you do not want to be publicly
includes guidance for structures,
email: Jennifer.Borges@nrc.gov. For disclosed in your comment submission.
systems, and components (SSCs) in the
technical questions, contact the The NRC posts all comment
BOP.
individuals listed in the FOR FURTHER submissions at http://
INFORMATION CONTACT section of this www.regulations.gov as well as enters In 2015, the NRC published the
document. the comment submissions into ADAMS. regulation 10 CFR 73.77, and its
• Mail comments to: May Ma, Office The NRC does not routinely edit associated guidance, RG 5.83, that
of Administration, Mail Stop: ON 2A13, comment submissions to remove provides guidance on cyber security
daltland on DSKBBV9HB2PROD with PROPOSALS
U.S. Nuclear Regulatory Commission, identifying or contact information. event notifications. This rule
Washington, DC 20555–0001. If you are requesting or aggregating established requirements clarifying the
For additional direction on accessing comments from other persons for types of cyber attacks that require
information and submitting comments, submission to the NRC, then you should notification to the NRC, the timeliness
see ‘‘Accessing Information and inform those persons not to include for making the notifications, how
Submitting Comments’’ in the identifying or contact information that licensees make notifications, and how to
SUPPLEMENTARY INFORMATION section of they do not want to be publicly submit follow-up written reports to the
this document. disclosed in their comment submission. NRC.
VerDate Sep<11>2014 16:29 Aug 22, 2018 Jkt 244001 PO 00000 Frm 00014 Fmt 4702 Sfmt 4702 E:\FR\FM\23AUP1.SGM 23AUP1](https://thefederalregister.org/doc/83_FR_42787/page/1.svg)
![42624 Federal Register / Vol. 83, No. 164 / Thursday, August 23, 2018 / Proposed Rules
III. Backfitting and Issue Finality POSTAL SERVICE USPS Marketing Mail) in Docket No.
DG–5061 describes a method that the MC2010–36, and (3) reduce operational
staff of the NRC considers acceptable for 39 CFR Part 111 inefficiencies when machines are
use by nuclear power plant licensees in unable to process letter-size or flat-size
USPS Marketing Mail Content shaped inflexible items. Shifting goods
meeting the requirements for the Standards
cybersecurity requirements in 10 CFR and merchandise out of the letter-size
73.54. The revision updates the AGENCY: Postal ServiceTM. and flat-size categories helps improve
guidance by incorporating lessons ACTION:Advance notice of proposed processing capabilities and ultimately
learned and guidance documents since rulemaking; request for comments. shifts these items to mail streams with
the original publication of the guide. full end-to-end tracking capability
On October 21, 2010, the Commission SUMMARY: The Postal Service is consistent with market expectations.
issued SRM–COMWCO–10–0001, contemplating amendment of the The Postal Service has many products
which clarified the scope of the cyber Mailing Standards of the United States available to support this shift and seeks
security rule. In the SRM, the Postal Service, Domestic Mail Manual to align postal processing with the
Commission determined as a matter of (DMM®), to revise content standards for intentions of its mailing customers. This
policy that the NRC’s cyber security USPS Marketing Mail® letter-size and shift also simplifies the mailing
regulation (10 CFR 73.54) should be flat-size pieces regardless of level of experience: Letter-size and flat-size
interpreted to include Systems sortation. This proposed change would pieces will move through processing
Structures and Components in the limit all USPS Marketing Mail, regular and delivery more efficiently. Packages
Balance of Plant that have a nexus to and nonprofit, letter-size and flat-size, with goods and merchandise will have
radiological health and safety at NRC- to content that is only paper-based/ an Intelligent Mail® package barcode
licensed nuclear power plants. The printed matter; no merchandise or goods (IMpb®) and will travel through the
Commission clarified the scope of the will be allowed of any type regardless package network stream.
rule to include digital assets previously of ‘‘value.’’ All items not eligible to be
sent as USPS Marketing Mail letter-size Ruth Stevenson,
covered by cyber security regulations of
or flat-size pieces would need to shift to Attorney, Federal Compliance.
the Federal Energy Regulatory
Commission. In response to this SRM, another product (e.g., Priority Mail®, [FR Doc. 2018–18105 Filed 8–22–18; 8:45 am]
the licensees updated their cyber Parcel Select®) to be mailed. In an effort BILLING CODE 7710–12–P
security plans to incorporate BOP to obtain as much customer and mailer
systems into their cyber security plans. feedback as possible, the Postal Service
This revision includes guidance for will post this advance notice of ENVIRONMENTAL PROTECTION
SSCs in the BOP. proposed rulemaking for an extended AGENCY
Issuance of this DG, if finalized, comment period.
would not constitute backfitting as DATES: Comments on this advance 40 CFR Part 52
defined in 10 CFR 50.109 (the Backfit notice of proposed rulemaking are due
[EPA–R03–OAR–2018–0490; FRL–9982–
Rule) and would not otherwise be October 22, 2018. 74—Region 3]
inconsistent with the issue finality ADDRESSES: Mail or deliver written
provisions in 10 CFR part 52. As comments to the Manager, Product Air Plan Approval; Maryland;
discussed in the ‘‘Implementation’’ Classification, U.S. Postal Service, 475 Continuous Opacity Monitoring
section of this DG, the NRC has no L’Enfant Plaza SW, Room 4446, Requirements for Municipal Waste
current intention to impose this guide, Washington, DC 20260–5015. Combustors and Cement Plants
if finalized, on holders of current Comments and questions can also be
operating licenses or combined licenses. emailed to ProductClassification@ AGENCY: Environmental Protection
However, the scope of issue finality usps.gov using the subject line ‘‘USPS Agency (EPA).
provided extends only to the matters Marketing Mail Content Eligibility.’’ ACTION: Proposed rule.
resolved in the license or regulatory FOR FURTHER INFORMATION CONTACT:
approval. Early site permits, design SUMMARY: The Environmental Protection
Direct questions to Elke Reuning-Elliott
certification rules, and standard design Agency (EPA) is proposing to approve a
by email at elke.reuning-elliott@ups.gov
approvals typically do not address or state implementation plan (SIP) revision
or phone (202) 268–4063.
resolve compliance with operational submitted by the State of Maryland (SIP
SUPPLEMENTARY INFORMATION: In order to
programs such as the cybersecurity Revision 16–04). This revision pertains
improve both processing and the to clarifying continuous opacity
requirements in 10 CFR 73.54. delivery of goods and merchandise
Therefore, the various issue finality monitoring requirements and visible
moving through the mail stream, the emission standards for municipal waste
provisions would not apply to Postal Service proposes to limit content
applications referencing an early site combustors (MWCs) and Portland
in USPS Marketing Mail, regular and cement plants. This action is being
permit, design certification rule, or nonprofit, letter-size and flat-size
standard design approval with respect taken under the Clean Air Act (CAA).
pieces, to paper-based/printed matter
to the security matters addressed in this DATES: Written comments must be
content. The limitation to non-
draft regulatory guide. merchandise, paper-based/printed received on or before September 24,
Dated at Rockville, Maryland, this 20th day matter content would serve three goals: 2018.
daltland on DSKBBV9HB2PROD with PROPOSALS
of August, 2018. (1) Facilitate levels of service expected ADDRESSES: Submit your comments,
For the Nuclear Regulatory Commission. for the processing and delivery of identified by Docket ID No. EPA–R03–
Thomas H. Boyce, merchandise that include end-to-end OAR–2018–0490 at http://
Chief, Regulatory Guide and Generic Issues tracking and visibility, (2) move www.regulations.gov, or via email to
Branch, Division of Engineering, Office of fulfillment of merchandise and goods Spielberger.susan@epa.gov. For
Nuclear Regulatory Research. out of USPS Marketing Mail, consistent comments submitted at Regulations.gov,
[FR Doc. 2018–18231 Filed 8–22–18; 8:45 am] with the transfer of fulfillment parcels follow the online instructions for
BILLING CODE 7590–01–P out of Standard Mail (the predecessor to submitting comments. Once submitted,
VerDate Sep<11>2014 16:29 Aug 22, 2018 Jkt 244001 PO 00000 Frm 00015 Fmt 4702 Sfmt 4702 E:\FR\FM\23AUP1.SGM 23AUP1](https://thefederalregister.org/doc/83_FR_42787/page/2.svg)
Document Created: 2018-08-23 00:33:12
Document Modified: 2018-08-23 00:33:12
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Proposed Rules | |
| Action | Draft regulatory guide; request for comment. | |
| Dates | Submit comments by October 22, 2018. Comments received after this date will be considered if it is practical to do so, but the NRC is able to ensure consideration only for comments received on or before this date. Although a time limit is given, comments and suggestions in connection with items for inclusion in guides currently being developed or improvements in all published guides are encouraged at any time. | |
| Contact | Kim Lawson-Jenkins, Office of Nuclear Security and Incident Response, telephone: 301-287-3656; email: [email protected], and Mekonen Bayssie, Office of Nuclear Regulatory Research, telephone: 301-415-1699; email: [email protected] Both are staff of the U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001. | |
| FR Citation | 83 FR 42623 |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR