The NRC held a public meeting on March 4 to discuss the issuance for public comment of draft regulatory guide (DG) DG-5061, Revision 1, Cyber Security Programs for Nuclear Power Reactors. DG-5061, Revision 1 would revise Regulatory Guide (RG) 5.71, which provides NRC licensees with guidance on meeting the cybersecurity requirements described in Section 73.54 of Title 10 of the Code of Federal Regulations, “Protection of digital computer and communication systems and networks.”
The NRC published Revision 0 of RG 5.71 in January 2010. In October of that year, the Commission issued a requirements memorandum that, as a policy matter, determined the NRC's cybersecurity regulation (10 CFR 73.54) should be interpreted to include structures, systems, and components (SSCs) in the balance of plant (BOP) that have a nexus to radiological health and safety at NRC-licensed nuclear power plants. In addition, the direction clarified the rule's scope to include digital assets previously covered by cybersecurity regulations of the Federal Energy Regulatory Commission.
In 2015, the NRC published 10 CFR 73.77, Cyber Security Event Notifications, and its associated guidance, RG 5.83, Cyber Security Event Notifications. The rule established requirements clarifying the types of cyberattacks that require NRC notification, the timeliness of those notifications, how licensees make them, and how licensees submit follow-up written reports to the NRC.
Revision 0 of RG 5.71 predates this regulation and its associated guidance and therefore does not reflect them.
During the meeting, the NRC staff emphasized the significant and comprehensive nature of the draft regulatory guide update and its decision against issuing a redline from the previous version for comparison due to the extensive nature of the revisions.
The 160-page document clarifies issues identified in cybersecurity inspections, insights gained through the security frequently asked questions (SFAQ) process, lessons learned from international and domestic cybersecurity attacks, innovative technologies, and new regulations. In addition, it accounts for changes in Revision 4 of National Institute of Standards and Technology (NIST) Special Publication 800-53, leverages international standards and guidance, incorporates public comments received in 2018, emphasizes the need for accurate critical digital asset (CDA) assessments, and incorporates the Commission's direction regarding BOP SSCs.
The March 4 meeting was observational, which meant the NRC did not take comments. Nevertheless, the NRC did welcome questions.
One participant asked whether the NRC would extend the comment period to give the industry adequate time for review given the significant revisions. The NRC indicated it was considering that option. Another participant asked whether DG-5061, Revision 1 incorporates recent industry guidance. The NRC responded that DG-5061, Revision 1 considers industry guidance but is not completely aligned with it. Importantly, however, the NRC took the position that there are no conflicts between industry guidance and its proposed revision to RG 5.71.
The draft regulatory guide update effects no change in the NRC staff's position, but it provides needed clarification on defense in depth for cybersecurity and includes textual updates that incorporate 10 CFR 73.77, which is missing from Revision 0 of RG 5.71.
The NRC will continue accepting comments until May 2, 2022, and anticipates holding a second public meeting with a Q&A session in early April.
Morgan Lewis will continue to monitor and report on any developments.