NRC and NERC Execute Memorandum of Understanding Regarding Enforcement of Cyber Security Requirements

January 12, 2010

On January 11, the Nuclear Regulatory Commission (NRC) and the North American Electric Reliability Corporation (NERC) published a Memorandum of Understanding (MOU) regarding the enforcement of NRC cyber security regulations and NERC Critical Infrastructure Protection (CIP) Reliability Standards at commercial nuclear power plants. This MOU provides further detail on what the NRC and NERC view as their separate responsibilities regarding cyber security at nuclear power plants, and explains how they will coordinate execution of these responsibilities going forward.

Under the terms of the Federal Energy Regulatory Commission's (FERC's) Order No. 706-B, the "balance of plant" facilities at nuclear power plants are subject to the mandatory CIP Reliability Standards previously approved by FERC. This MOU clarifies this definition, explaining that NERC's CIP Reliability Standards apply to the digital assets at nuclear facilities related to "continuity of power." In addition, the MOU explains that the NRC's regulatory responsibility regarding cyber security is limited to "those digital assets, including digital control and data acquisition systems and networks, which can affect safety, security, and emergency preparedness functions" for nuclear power plants.

According to the MOU, the enforcement responsibilities of these two entities will follow this jurisdictional distinction. Each entity will each undertake the enforcement actions appropriate to its unique jurisdictional authority, but will inform the other regarding such actions. In the event that an event at a nuclear power plant results in NRC regulatory violations and CIP Reliability Standard violations, the NRC and NERC agreed to consult and coordinate regarding their enforcement actions. Finally, before NERC imposes a sanction on a nuclear power plant for a violation of a CIP Reliability Standard, NERC agreed to consult with the NRC to avoid any adverse effects on nuclear safety, security, or emergency preparedness.

To the extent a nuclear power plant licensee believes that certain facilities within the "balance of plant" are subject to both the CIP Reliability Standards and the NRC's cyber security regulations, FERC had directed NERC to provide for an exceptions process whereby NERC would grant relief from compliance with the CIP Reliability Standards. In the MOU, NERC committed to consulting with the NRC on each such request so as to ensure an appropriate jurisdictional determination.

The execution of this MOU is a significant step towards CIP Reliability Standard compliance for nuclear power plants. Although the deadlines for CIP Reliability Standard compliance by nuclear power plants have not yet been established, NERC will re-file a proposed implementation plan for CIP Reliability Standards at nuclear power plants in the near future.

If you have any questions or would like more information on any of the issues discussed in the LawFlash, please contact any of the following Morgan Lewis attorneys:

Washington, D.C.
Stephen M. Spina
J. Daniel Skees