Cyber Security for Byproduct Materials Licensees, 22413-22414 [2018-10358]
Proposed Rules
Federal Register
Vol. 83, No. 94
Tuesday, May 15, 2018
This section of the FEDERAL REGISTER
contains notices to the public of the proposed
issuance of rules and regulations. The
purpose of these notices is to give interested
persons an opportunity to participate in the
rule making prior to the adoption of the final
rules.
NUCLEAR REGULATORY
COMMISSION
10 CFR Part 37
[NRC–2015–0019]
RIN 3150–AJ56
Cyber Security for Byproduct Materials
Licensees
AGENCY: Nuclear Regulatory
Commission.
ACTION: Discontinuation of rulemaking
activity.
SUMMARY: The U.S. Nuclear Regulatory
Commission (NRC) is discontinuing the
rulemaking activity that would have
developed cyber security requirements
for byproduct materials licensees
possessing risk-significant quantities of
radioactive materials. The purpose of
this action is to inform members of the
public of the discontinuation of the
rulemaking activity and to provide a
brief discussion of the NRC’s decision.
The rulemaking activity will no longer
be reported in the NRC’s portion of the
Unified Agenda of Regulatory and
Deregulatory Actions (the Unified
Agenda).
DATES: As of May 15, 2018, the
rulemaking activity discussed in this
document is discontinued.
ADDRESSES: Please refer to Docket ID
NRC–2015–0019 when contacting the
NRC about the availability of
information regarding this action. You
may obtain publicly available
information related to this document
using any of the following methods:
• Federal Rulemaking website: Go to
https://www.regulations.gov and search
for Docket ID NRC–2015–0019. Address
questions about NRC dockets to Carol
Gallagher; telephone: 301–415–3463;
email: Carol.Gallagher@nrc.gov. For
technical questions, contact the
individual listed in the FOR FURTHER
INFORMATION CONTACT section of this
document.
• NRC’s Agencywide Documents
Access and Management System
(ADAMS): You may obtain publicly-available documents online in the
ADAMS Public Documents collection at
https://www.nrc.gov/reading-rm/adams.html. To begin the search, select
“ADAMS Public Documents” and then
select “Begin Web-based ADAMS
Search.” For problems with ADAMS,
please contact the NRC’s Public
Document Room (PDR) reference staff at
1–800–397–4209, 301–415–4737, or by
email to pdr.resource@nrc.gov. The
ADAMS accession number for each
document referenced (if it is available in
ADAMS) is provided the first time that
it is mentioned in the SUPPLEMENTARY
INFORMATION section.
• NRC’s PDR: You may examine and
purchase copies of public documents at
the NRC’s PDR, Room O1F21, One
White Flint North, 11555 Rockville
Pike, Rockville, Maryland 20852.
FOR FURTHER INFORMATION CONTACT:
Vanessa Cox, Office of Nuclear Material
Safety and Safeguards, U.S. Nuclear
Regulatory Commission, Washington,
DC 20555–0001; telephone: 301–415–
8342; email: Vanessa.Cox@nrc.gov.
SUPPLEMENTARY INFORMATION:
I. Discussion
The NRC and Agreement States are
responsible for overseeing and
implementing the National Materials
Program to enable the safe and secure
use of radioactive materials licensed for
commercial, industrial, academic, and
medical uses. The program includes
thousands of byproduct materials
licensees in varying operating
environments, ranging from small
industrial radiography and well-logging
businesses to large manufacturing
facilities, universities, and medical
facilities. The majority of the licensees
that possess risk-significant quantities of
radioactive materials are regulated by
Agreement States. Risk-significant
quantities of radioactive material are
defined as those meeting the thresholds
for Category 1 and Category 2 included
in appendix A to part 37 of title 10 of
the Code of Federal Regulations (10
CFR), “Physical Protection of Category 1
and Category 2 Quantities of
Radioactive Material.”
In a Commission paper, SECY–12–0088,
“The Nuclear Regulatory
Commission Cyber Security Roadmap,”
dated June 25, 2012 (ADAMS Accession
No. ML12135A050), the NRC staff
described its plan to evaluate the need
for cyber security requirements for NRC
and Agreement State licensees and
facilities, including byproduct materials
licensees. As described in that paper,
the NRC staff planned to form a working
group, with Agreement State
participation, to develop self-assessment
tools for licensees and conduct a limited
number of site visits. Based on the
results of these assessments and site
visits, the working group intended to
prepare a paper outlining potential
actions for Commission consideration.
In July 2013, the NRC established the
Byproduct Materials Cyber Security
Working Group, comprised of
headquarters and regional NRC staff and
representation from the Organization of
Agreement States. The purpose of the
working group was to identify potential
cyber security vulnerabilities among
commercial, medical, industrial, and
academic users of risk-significant
radioactive materials and determine if
the results warranted regulatory action.
The working group worked with the
NRC’s Intelligence Liaison and Threat
Assessment Branch, which regularly
monitors the threats associated with
cyber security and shares cyber threat
information with licensees, as
appropriate.
The working group identified four
sets of digital assets that the NRC should
evaluate with respect to cyber threat
protection:
(1) Digital/microprocessor-based
systems and devices that support the
physical security of the licensee’s
facilities. These include access control
systems, physical intrusion detection
and alarm systems, video camera
monitoring systems, digital video
recorders, door alarms, motion sensors,
keycard readers, and biometric
scanners;
(2) Equipment and devices with
software-based control, operation, and
automation features, such as panoramic
irradiators and gamma knives;
(3) Computers and systems used to
maintain source inventories, audit data,
and records necessary for compliance
with security requirements and
regulations; and
(4) Digital technology used to support
incident response communications and
coordination such as digital packet
radio systems, digital repeater stations,
and digital trunk radio systems.
On January 6, 2016, the NRC staff
submitted a memorandum to the
Commission titled “Staff Activities
Related to the Evaluation of Materials
Cyber Security Vulnerabilities”
(ADAMS Accession No. ML15201A509).
This memorandum informed the
Commission of the ongoing evaluation
to determine the cyber security risk to
each of the four sets of digital assets for
risk-significant radioactive materials
licensees, and described the two-pronged approach focused on
information gathering and consequence
analysis that was used.
As part of the information gathering
effort, the NRC staff distributed a
voluntary survey, “Questionnaire on
Cyber Security at Byproduct Materials
Licensees” (ADAMS Accession No.
ML15246A306) on April 29, 2016, to all
NRC and Agreement State licensees that
possessed Category 1 and 2 quantities of
radioactive materials. The purpose of
the questionnaire was to identify what
key digital assets existed at each
licensee type, how they were connected
to internal/external networks and the
internet, and what technical and
procedural security measures were in
place for protection and operation of
these systems and devices. The NRC
staff also conducted outreach to
stakeholders to encourage completion of
the questionnaire, and site visits to
manufacturers and panoramic irradiator
licensees.
The consequence analysis was
conducted in parallel with the
information gathering effort, and
evaluated the potential for onsite and
offsite consequences that could occur if
the availability, integrity, or
confidentiality of data or systems
associated with nuclear materials were
compromised by a cyber attack.
Given the regulatory responsibilities
of the U.S. Food and Drug
Administration (FDA), the NRC limited
its evaluation of the software systems
used in medical applications to the
systems related to the radiation safety
and physical protection authority of the
NRC. The NRC has a memorandum of
understanding with the FDA that
clarifies the respective roles of each
agency in regulating the safe use of
radiopharmaceuticals and sealed
sources, and other medical devices
containing radioactive material
(ADAMS Accession No. ML023520399).
Additional information on the FDA’s
activities, role, and expectations for the
continued cyber security of medical
devices can be found at
https://www.fda.gov/downloads/medicaldevices/digitalhealth/ucm544684.pdf.
On February 28, 2017, the NRC staff
provided an update to the Commission
on the status of agency activities
pertaining to cyber security at licensee
facilities in a Commission paper,
SECY–17–0034, “Update to the U.S. Nuclear
Regulatory Commission Cyber Security
Roadmap” (ADAMS Accession No.
ML16354A258). The update noted the
NRC staff’s further consideration of
cyber security requirements for
radioactive materials licensees since the
January 2016 memorandum.
Additionally, the paper stated that the
working group planned to complete its
evaluation of the questionnaire
responses, consequence analysis, and
any follow-up communication with
stakeholders and develop
recommendations for a path forward.
Subsequently, the NRC completed its
evaluation of cyber security
requirements for byproduct materials
licensees in October 2017.
The NRC staff concluded that
byproduct materials licensees that
possess risk-significant quantities of
radioactive material do not rely solely
on digital assets to ensure safety or
physical protection. Rather, these
licensees generally use a combination of
measures, such as doors, locks, barriers,
human resources, and operational
processes, to ensure security, which
reflects a defense-in-depth approach to
physical protection and safety. As a
result, the staff concluded that a
compromise of any of the digital assets
identified in the January 6, 2016,
Commission memorandum would not
result in a direct dispersal of risk-significant quantities of radioactive
material, or exposure of individuals to
radiation, without a concurrent and
targeted breach of the physical
protection measures in force for these
licensees.
Therefore, the NRC staff determined
that the current cyber security threat
and potential consequences do not
warrant regulatory action. However, the
NRC staff determined that it would be
prudent to issue an Information Notice
(IN) to communicate effective practices
for cyber security to byproduct materials
licensees possessing risk-significant
quantities of radioactive material. The
IN will provide licensees with a better
understanding of contemporary cyber
security issues and strategies to protect
digital assets (e.g., computers, digital
alarm systems), including those used to
facilitate compliance with physical
security requirements, such as those in
10 CFR part 37. The IN, which will
reference existing cyber security
guidance developed by the NRC’s Office
of Nuclear Reactor Regulation and other
Federal agencies, will be issued later in
2018.
II. Conclusion
For the reasons discussed in this
document, the NRC is discontinuing
rulemaking activity to develop cyber
security requirements for byproduct
materials licensees possessing risk-significant quantities of radioactive
materials. In the next edition of the
Unified Agenda, the NRC will update
the entry for this rulemaking activity
and refer to this document to indicate
that the rulemaking has been
discontinued. This rulemaking activity
will appear in the “Completed Actions”
section of the next edition of the Unified
Agenda, but will not appear in future
editions. If the NRC decides to pursue
similar or related rulemaking activities
in the future, it will inform the public
through a new rulemaking entry in the
Unified Agenda.
Dated at Rockville, Maryland, this 10th day
of May, 2018.
For the Nuclear Regulatory Commission.
Victor McCree,
Executive Director for Operations.
[FR Doc. 2018–10358 Filed 5–14–18; 8:45 am]
BILLING CODE 7590–01–P