Cyber Security Programs for Nuclear Power Reactors, 42623-42624 [2018-18231]

[Federal Register Volume 83, Number 164 (Thursday, August 23, 2018)]
[Proposed Rules]
[Pages 42623-42624]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-18231]



[[Page 42623]]

=======================================================================
-----------------------------------------------------------------------

NUCLEAR REGULATORY COMMISSION

10 CFR Chapter I

[NRC-2018-0182]


Cyber Security Programs for Nuclear Power Reactors

AGENCY: Nuclear Regulatory Commission.

ACTION: Draft regulatory guide; request for comment.

-----------------------------------------------------------------------

SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is issuing for 
public comment Draft Regulatory Guide (DG) DG-5061, ``Cyber Security 
Programs for Nuclear Power Reactors.'' This revision incorporates 
lessons learned from operating experience since the original 
publication of the guide. Specifically, this revision clarifies issues 
identified from interim cybersecurity milestone inspections, additional 
insights gained through the Security Frequently Asked Questions (SFAQs) 
process, documented cybersecurity attacks, new technologies, and new 
regulations. This revision also considers the changes in the most 
recent revision to the National Institute of Standards and Technology 
(NIST) Special Publications (SP) 800-53, upon which Revision 0 of RG 
5.71 was based.

DATES: Submit comments by October 22, 2018. Comments received after 
this date will be considered if it is practical to do so, but the NRC 
is able to ensure consideration only for comments received on or before 
this date. Although a time limit is given, comments and suggestions in 
connection with items for inclusion in guides currently being developed 
or improvements in all published guides are encouraged at any time.

ADDRESSES: You may submit comments by any of the following methods:
    • Federal Rulemaking Website: Go to http://www.regulations.gov
and search for Docket ID NRC-2018-0182. Address questions about NRC
dockets to Jennifer Borges; telephone: 301-287-9127; email:
Jennifer.Borges@nrc.gov. For technical questions, contact the
individuals listed in the FOR FURTHER INFORMATION CONTACT section of
this document.
    • Mail comments to: May Ma, Office of Administration, Mail Stop:
ON 2A13, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001.
    For additional direction on accessing information and submitting 
comments, see ``Accessing Information and Submitting Comments'' in the 
SUPPLEMENTARY INFORMATION section of this document.

FOR FURTHER INFORMATION CONTACT: Kim Lawson-Jenkins, Office of Nuclear
Security and Incident Response, telephone: 301-287-3656; email:
Kim.Lawson-Jenkins@nrc.gov, and Mekonen Bayssie, Office of Nuclear
Regulatory Research, telephone: 301-415-1699; email:
Mekonen.Bayssie@nrc.gov. Both are staff of the U.S. Nuclear Regulatory
Commission, Washington, DC 20555-0001.

SUPPLEMENTARY INFORMATION:

I. Obtaining Information and Submitting Comments

A. Obtaining Information

    Please refer to Docket ID NRC-2018-0182 when contacting the NRC
about the availability of information regarding this document. You may
obtain publicly available information related to this document by
any of the following methods:
    • Federal Rulemaking Website: Go to http://www.regulations.gov
and search for Docket ID NRC-2018-0182.
    • NRC's Agencywide Documents Access and Management System
(ADAMS): You may access publicly available documents online in the
ADAMS Public Documents collection at
http://www.nrc.gov/reading-rm/adams.html. To begin the search, select
``Begin Web-based ADAMS Search.'' For problems with ADAMS, please
contact the NRC's Public Document Room (PDR) reference staff at
1-800-397-4209, 301-415-4737, or by email to pdr.resource@nrc.gov.
DG-5061 is available in ADAMS under Accession No. ML18016A129.
    • NRC's PDR: You may examine and purchase copies of public
documents at the NRC's PDR, Room O1-F21, One White Flint North, 11555
Rockville Pike, Rockville, Maryland 20852.

B. Submitting Comments

    Please include Docket ID NRC-2018-0182 in your comment submission. 
The NRC cautions you not to include identifying or contact information 
that you do not want to be publicly disclosed in your comment 
submission. The NRC posts all comment submissions at http://www.regulations.gov as well as enters the comment submissions into 
ADAMS. The NRC does not routinely edit comment submissions to remove 
identifying or contact information.
    If you are requesting or aggregating comments from other persons 
for submission to the NRC, then you should inform those persons not to 
include identifying or contact information that they do not want to be 
publicly disclosed in their comment submission. Your request should 
state that the NRC does not routinely edit comment submissions to 
remove such information before making the comment submissions available 
to the public or entering the comment submissions into ADAMS.

II. Additional Information

    The NRC is issuing for public comment a DG in the NRC's 
``Regulatory Guide'' series. This series was developed to describe and 
make available to the public information regarding methods that are 
acceptable to the NRC staff for implementing specific parts of the 
NRC's regulations, techniques that the staff uses in evaluating 
specific issues or postulated events, and data that the staff needs in 
its review of applications for permits and licenses.
    The DG, titled ``Cyber Security Programs for Nuclear Power
Plants,'' is temporarily identified by its task number, DG-5061.
DG-5061 is a proposed revision (Revision 1) to RG 5.71, ``Cyber
Security Programs for Nuclear Power Plants.'' It provides NRC licensees with
guidance on meeting the cybersecurity requirements described in title 
10 of the Code of Federal Regulations (10 CFR) Sec.  73.54, 
``Protection of digital computer and communication systems and 
networks.''
    This revision clarifies issues identified from interim 
cybersecurity milestone inspections, additional insights gained through 
the SFAQs process, documented cybersecurity attacks, new technologies, 
and new regulations. In addition, it considers changes in NIST SP
800-53, upon which Revision 0 of RG 5.71 was based.
    In 2010, the Commission issued Staff Requirements Memorandum (SRM)
SRM-COMWCO-10-0001 (ADAMS Accession No. ML102940009), which clarified
the scope of the cyber security rule with regard to balance of plant
(BOP) systems. This revision to RG 5.71 includes guidance for
structures, systems, and components (SSCs) in the BOP.
    In 2015, the NRC published the regulation 10 CFR 73.77 and its
associated guidance, RG 5.83, on cyber security
event notifications. This rule established requirements clarifying the 
types of cyber attacks that require notification to the NRC, the 
timeliness for making the notifications, how licensees make 
notifications, and how to submit follow-up written reports to the NRC.

[[Page 42624]]

III. Backfitting and Issue Finality

    DG-5061 describes a method that the staff of the NRC considers
acceptable for use by nuclear power plant licensees in meeting the
cybersecurity requirements in 10 CFR 73.54. The
revision updates the guidance by incorporating lessons learned and 
guidance documents since the original publication of the guide.
    On October 21, 2010, the Commission issued SRM-COMWCO-10-0001, 
which clarified the scope of the cyber security rule. In the SRM, the 
Commission determined as a matter of policy that the NRC's cyber 
security regulation (10 CFR 73.54) should be interpreted to include 
structures, systems, and components in the balance of plant that have a
nexus to radiological health and safety at NRC-licensed nuclear power
plants. The Commission clarified the scope of the rule to include
digital assets previously covered by cyber security regulations of the
Federal Energy Regulatory Commission. In response to this SRM, the
licensees updated their cyber security plans to incorporate BOP
systems. This revision includes guidance for SSCs in the BOP.
    Issuance of this DG, if finalized, would not constitute backfitting 
as defined in 10 CFR 50.109 (the Backfit Rule) and would not otherwise 
be inconsistent with the issue finality provisions in 10 CFR part 52. 
As discussed in the ``Implementation'' section of this DG, the NRC has 
no current intention to impose this guide, if finalized, on holders of 
current operating licenses or combined licenses.
    However, the scope of issue finality provided extends only to the 
matters resolved in the license or regulatory approval. Early site 
permits, design certification rules, and standard design approvals 
typically do not address or resolve compliance with operational 
programs such as the cybersecurity requirements in 10 CFR 73.54. 
Therefore, the various issue finality provisions would not apply to 
applications referencing an early site permit, design certification 
rule, or standard design approval with respect to the security matters 
addressed in this draft regulatory guide.

    Dated at Rockville, Maryland, this 20th day of August, 2018.

    For the Nuclear Regulatory Commission.
Thomas H. Boyce,
Chief, Regulatory Guide and Generic Issues Branch, Division of 
Engineering, Office of Nuclear Regulatory Research.
[FR Doc. 2018-18231 Filed 8-22-18; 8:45 am]
BILLING CODE 7590-01-P