Cyber Security Programs for Nuclear Power Reactors, 42623-42624 [2018-18231]
Federal Register / Vol. 83, No. 164 / Thursday, August 23, 2018 / Proposed Rules
NUCLEAR REGULATORY
COMMISSION
10 CFR Chapter I
[NRC–2018–0182]
Cyber Security Programs for Nuclear
Power Reactors
AGENCY: Nuclear Regulatory
Commission.
ACTION: Draft regulatory guide; request
for comment.
SUMMARY: The U.S. Nuclear Regulatory
Commission (NRC) is issuing for public
comment Draft Regulatory Guide (DG)
DG–5061, ‘‘Cyber Security Programs for
Nuclear Power Reactors.’’ This revision
incorporates lessons learned from
operating experience since the original
publication of the guide. Specifically,
this revision clarifies issues identified
from interim cybersecurity milestone
inspections, additional insights gained
through the Security Frequently Asked
Questions (SFAQs) process,
documented cybersecurity attacks, new
technologies, and new regulations. This
revision also considers the changes in
the most recent revision to the National
Institute of Standards and Technology
(NIST) Special Publications (SP) 800–53,
upon which Revision 0 of RG 5.71
was based.
DATES: Submit comments by October 22,
2018. Comments received after this date
will be considered if it is practical to do
so, but the NRC is able to ensure
consideration only for comments
received on or before this date.
Although a time limit is given,
comments and suggestions in
connection with items for inclusion in
guides currently being developed or
improvements in all published guides
are encouraged at any time.
ADDRESSES: You may submit comments
by any of the following methods:
• Federal Rulemaking Website: Go to
https://www.regulations.gov and search
for Docket ID NRC–2018–0182. Address
questions about NRC dockets to Jennifer
Borges; telephone: 301–287–9127;
email: Jennifer.Borges@nrc.gov. For
technical questions, contact the
individuals listed in the FOR FURTHER
INFORMATION CONTACT section of this
document.
• Mail comments to: May Ma, Office
of Administration, Mail Stop: ON 2A13,
U.S. Nuclear Regulatory Commission,
Washington, DC 20555–0001.
For additional direction on accessing
information and submitting comments,
see ‘‘Accessing Information and
Submitting Comments’’ in the
SUPPLEMENTARY INFORMATION section of
this document.
FOR FURTHER INFORMATION CONTACT: Kim
Lawson-Jenkins, Office of Nuclear
Security and Incident Response,
telephone: 301–287–3656; email:
Kim.Lawson-Jenkins@nrc.gov, and
Mekonen Bayssie, Office of Nuclear
Regulatory Research, telephone:
301–415–1699; email:
Mekonen.Bayssie@nrc.gov. Both are staff of the U.S.
Nuclear Regulatory Commission,
Washington, DC 20555–0001.
SUPPLEMENTARY INFORMATION:
I. Obtaining Information and
Submitting Comments
A. Obtaining Information
Please refer to Docket ID NRC–2018–
0182 when contacting the NRC about
the availability of information regarding
this document. You may obtain
publicly available information related
to this document by any of the
following methods:
• Federal Rulemaking Website: Go to
https://www.regulations.gov and search
for Docket ID NRC–2018–0182.
• NRC’s Agencywide Documents
Access and Management System
(ADAMS): You may access publicly-available
documents online in the
ADAMS Public Documents collection at
https://www.nrc.gov/reading-rm/adams.html.
To begin the search, select
‘‘Begin Web-based ADAMS Search.’’ For
problems with ADAMS, please contact
the NRC’s Public Document Room (PDR)
reference staff at 1–800–397–4209,
301–415–4737, or by email to
pdr.resource@nrc.gov. DG–5061 is available in
ADAMS under Accession No.
ML18016A129.
• NRC’s PDR: You may examine and
purchase copies of public documents at
the NRC’s PDR, Room O1–F21, One
White Flint North, 11555 Rockville
Pike, Rockville, Maryland 20852.
B. Submitting Comments
Please include Docket ID NRC–2018–
0182 in your comment submission. The
NRC cautions you not to include
identifying or contact information that
you do not want to be publicly
disclosed in your comment submission.
The NRC posts all comment
submissions at https://www.regulations.gov
as well as enters
the comment submissions into ADAMS.
The NRC does not routinely edit
comment submissions to remove
identifying or contact information.
If you are requesting or aggregating
comments from other persons for
submission to the NRC, then you should
inform those persons not to include
identifying or contact information that
they do not want to be publicly
disclosed in their comment submission.
Your request should state that the NRC
does not routinely edit comment
submissions to remove such information
before making the comment
submissions available to the public or
entering the comment submissions into
ADAMS.
II. Additional Information
The NRC is issuing for public
comment a DG in the NRC’s ‘‘Regulatory
Guide’’ series. This series was
developed to describe and make
available to the public information
regarding methods that are acceptable to
the NRC staff for implementing specific
parts of the NRC’s regulations,
techniques that the staff uses in
evaluating specific issues or postulated
events, and data that the staff needs in
its review of applications for permits
and licenses.
The DG, titled ‘‘Cyber Security
Programs for Nuclear Power Plants,’’ is
temporarily identified by its task
number, DG–5061. DG–5061 is a
proposed revision (Revision 1) to RG
5.71, ‘‘Cyber Security Programs for
Nuclear Power Plants.’’ It provides NRC
licensees with guidance on meeting the
cybersecurity requirements described in
title 10 of the Code of Federal
Regulations (10 CFR) § 73.54,
‘‘Protection of digital computer and
communication systems and networks.’’
This revision clarifies issues
identified from interim cybersecurity
milestone inspections, additional
insights gained through the SFAQs
process, documented cybersecurity
attacks, new technologies, and new
regulations. In addition, it considers
changes in NIST SP 800–53, upon
which Revision 0 of RG 5.71 was based.
In 2010, the Commission issued Staff
Requirements Memorandum (SRM),
SRM–COMWCO–10–0001 (ADAMS
Accession No. ML102940009) which
clarified the scope of the cyber security
rule with regard to balance of plant (BOP)
systems. This revision to RG 5.71
includes guidance for structures,
systems, and components (SSCs) in the
BOP.
In 2015, the NRC published the
regulation 10 CFR 73.77, and its
associated guidance, RG 5.83, that
provides guidance on cyber security
event notifications. This rule
established requirements clarifying the
types of cyber attacks that require
notification to the NRC, the timeliness
for making the notifications, how
licensees make notifications, and how to
submit follow-up written reports to the
NRC.
III. Backfitting and Issue Finality
DG–5061 describes a method that the
staff of the NRC considers acceptable for
use by nuclear power plant licensees in
meeting the cybersecurity requirements
in 10 CFR 73.54. The revision updates the
guidance by incorporating lessons
learned and guidance documents since
the original publication of the guide.
On October 21, 2010, the Commission
issued SRM–COMWCO–10–0001,
which clarified the scope of the cyber
security rule. In the SRM, the
Commission determined as a matter of
policy that the NRC’s cyber security
regulation (10 CFR 73.54) should be
interpreted to include Systems,
Structures, and Components in the
Balance of Plant that have a nexus to
radiological health and safety at
NRC-licensed nuclear power plants. The
Commission clarified the scope of the
rule to include digital assets previously
covered by cyber security regulations of
the Federal Energy Regulatory
Commission. In response to this SRM,
the licensees updated their cyber
security plans to incorporate BOP
systems.
This revision includes guidance for
SSCs in the BOP.
Issuance of this DG, if finalized,
would not constitute backfitting as
defined in 10 CFR 50.109 (the Backfit
Rule) and would not otherwise be
inconsistent with the issue finality
provisions in 10 CFR part 52. As
discussed in the ‘‘Implementation’’
section of this DG, the NRC has no
current intention to impose this guide,
if finalized, on holders of current
operating licenses or combined licenses.
However, the scope of issue finality
provided extends only to the matters
resolved in the license or regulatory
approval. Early site permits, design
certification rules, and standard design
approvals typically do not address or
resolve compliance with operational
programs such as the cybersecurity
requirements in 10 CFR 73.54.
Therefore, the various issue finality
provisions would not apply to
applications referencing an early site
permit, design certification rule, or
standard design approval with respect
to the security matters addressed in this
draft regulatory guide.
Dated at Rockville, Maryland, this 20th day
of August, 2018.
For the Nuclear Regulatory Commission.
Thomas H. Boyce,
Chief, Regulatory Guide and Generic Issues
Branch, Division of Engineering, Office of
Nuclear Regulatory Research.
[FR Doc. 2018–18231 Filed 8–22–18; 8:45 am]
BILLING CODE 7590–01–P
[Federal Register Volume 83, Number 164 (Thursday, August 23, 2018)]
[Proposed Rules]
[Pages 42623-42624]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-18231]