Cyber-Security Rulemaking for Fuel Cycle Facilities

In 2014, the U.S. Nuclear Regulatory Commission (NRC) staff issued SECY 14-0147, "Cyber Security for Fuel Cycle Facilities," dated December 30, 2014 (Note: this document is not publicly available because it contains sensitive, security-related information). In SECY-14-0147, the NRC staff concluded that cyber security requirements for fuel cycle facility licensees need to be addressed because of: (1) an increasing and persistent cyber security threat; (2) the potential exploitation of vulnerabilities through a variety of attack vectors; (3) the inherent difficulty of detecting the compromise of digital assets; and (4) the potential consequences associated with a cyber attack. In the staff requirements memorandum (SRM) to SECY 14-0147, "Staff Requirements – SECY 14 0147 – Cyber Security for Fuel Cycle Facilities," dated March 24, 2015, the Commission directed the NRC staff to proceed directly with a cyber security rulemaking to apply a disciplined, graded approach to the identification of digital assets and a graded, consequence based approach to their protection.

The NRC is developing a proposed rule to establish new cyber security regulations in Part 73 of Title 10 of the Code of Federal Regulations (10 CFR), "Physical Protection of Plants and Materials," for fuel cycle facilities. This proposed rule would add one new section in 10 CFR 73.53, "Cyber Security for Fuel Cycle Facilities" and make conforming changes to 10 CFR parts 40 (10 CFR 40.31 and 40.35), 70 (10 CFR 70.22 and 70.32) and 73 (10 CFR 73.8 and 73.46). The proposed requirements of this new section would apply to each applicant or licensee subject to the requirements 10 CFR Part 70, "Domestic Licensing of Special Nuclear Material," Supbart H, "Additional Requirements for Certain Licensees Authorized To Possess a Critical Mass of Special Nuclear Material." The proposed rule would also apply to each fuel cycle applicant or licensee of a uranium hexafluoride conversion or deconversion facility licensed under 10 CFR Part 40, "Domestic Licensing of Source Material." The proposed rule would require these licensees to develop and maintain a cyber security program consistent with the new regulations.

For more information, please see the following topics on this page:

Background

In recent years, the threat of cyber attacks has steadily risen, both globally and nationally. The U.S. Government has observed an increase in: (1) the number of cyber attacks; (2) the level of sophistication of such attacks; (3) the potential of these attacks to impact numerous digital assets, including digital assets at fuel cycle facilities; and (4) the emergence of these attacks to produce kinetic effects. Additionally, these attacks can be conducted anonymously from remote locations throughout the world.

In response to the terrorist attacks of September 11, 2001, the NRC issued a series of security orders, including Interim Compensatory Measures (ICM) Orders issued to fuel cycle facility licensees in 2002 and 2003 which contained a generic cyber security measure. The ICM orders lacked guidance on implementation of the generic cyber security measure, focusing on computer systems that conduct and maintain communications during emergency response actions.

In 2007, the Commission promulgated a rulemaking entitled, "Design Basis Threat" (72 Federal Register [FR] 12705), which required licensees to protect against acts of radiological sabotage and to prevent theft or diversion of special nuclear material. The rulemaking included a requirement for licensees to consider a cyber security threat as an element of the design basis threats (DBTs), but no specific guidance was provided.

In March 2009, the NRC further addressed cyber security for power reactors in a stand-alone section in 10 CFR 73.54. The development of associated guidance for implementing the requirements in 10 CFR 73.54 resulted in the publication of RG 5.71, "Cyber Security Programs for Nuclear Facilities."

In June 2012, the NRC staff completed SECY-12-0088, "The Nuclear Regulatory Commission Cyber Security Roadmap," which established the NRC staff’s approach for evaluating the need for cyber security requirements for the following four categories of NRC licensees and facilities: (1) fuel cycle facilities, (2) non-power reactors, (3) independent spent fuel storage installations, and (4) byproduct materials licensees.

In 2014, the NRC staff sought Commission approval to implement additional cyber security requirements for fuel cycle facilities. In the SRM to SECY-14-0147, the Commission directed the NRC staff to proceed directly with a cyber security rulemaking to apply a disciplined, graded approach to the identification of vital digital assets and a graded, consequence-based approach to their protection.

To top of page

Status of Rulemaking

Projected Schedule

Following the Commissions issuance of the SRM to SECY-14-0147, the following milestone dates were established and are being tracked by SECY.

Metric Deadlines for Fuel Cycle Cyber Security Proposed Rulemaking

Description SECY Dates Completed
Complete the regulatory basis 03/24/2016 ML15355A461
Provide the proposed rule and draft regulatory guidance to the Commission 10/01/2017 ML17018A218
Provide the final rule and final regulatory guidance to the EDO for the Commission TBD Pending Commission Direction

Interactions with the Advisory Committee on Reactor Safeguards (ACRS)

As part of the proposed rule development, the NRC staff briefed the Digital Instrumentation and Control Systems sub-committee of the Advisory Committee on Reactor Safeguards (ACRS) on the draft version of the proposed rule and related draft regulatory guide. The November 2, 2016 meeting was open to the public and a transcript of the meeting is available. A follow-up briefing was provided to the ACRS DI&C sub-committee on February 23, 2017 and a transcript is available for the public portion of the meeting. Additional information on ACRS-related meetings are available on the NRC public website under "Advisory Committee on Reactor Safeguards Document Collections".

To top of page

Public Involvement

The NRC has a long-standing practice of conducting regulatory activities in an open manner. Rulemaking documents are available to the public on the Federal Government’s Regulations website under docket number NRC-2015-0179. The Part 73.53 cyber security rulemaking effort is also tracked under the Cumulative Effects of Regulation (CER) website. The NRC staff maintains the status of proposed regulatory actions on the CER Integrated Schedule which is updated quarterly. The NRC staff also conducts periodic public meetings as part of CER to inform industry and the public on the status of regulatory activities.

The NRC staff will seek comments on the proposed rule and proposed regulatory guide once they are made available for public comment in the Federal Register (FR), subject to Commission approval.  The NRC staff typically holds a public meeting during the comment period to facilitate sharing of comments on the proposed rule and related guidance.

For general information about the available opportunities for public involvement in NRC activities, see Public Meetings and Involvement, Hearing Opportunities and License Applications, and NUREG/BR-0215, "Public Involvement in the Regulatory Process." 

To top of page

Public Meetings and Materials

The NRC staff have held a number of public meetings to discuss agency activities related to the cyber-security initiative for fuel cycle facilities. Documents associated with these meetings are available below.

Completed Meetings
Date of Meeting Title
March 29, 2017 Summary of March 29, 2017, Meeting With The Industry and Stakeholders to Discuss Fuel Cycle Regulatory Activities and Cumulative Effects of Regulation
February 23, 2017 ACRS Digital Instrument and Control Sub-Committee Transcript for Follow-up Briefing on Cyber Security (public portion)
November 2, 2016 ACRS Digital Instrument and Control Sub-Committee Transcript for Initial Briefing on Cyber Security (public portion)
October 12, 2016

NEI Fuel Cycle Cyber Security Implementation Costs Presentation

Summary of October 12, 2016, Meeting with the Industry and Stakeholders to Discuss the Cumulative Effects of Regulation and Fuel Cycle Regulatory Activities

August 25, 2016

Proposed Rule Language and Related Draft Regulatory Guide to Support the Public Meeting on August 25, 2016

August 25, 2016 Summary of Public Meeting - Fuel Cycle Cyber Security Proposed Rulemaking Discussion

May 19, 2016

CA Note - Public Availability of Draft Proposed Rule Text for Fuel Cycle Facilities Cyber Security

Presentations at May 19, 2016 Public Meeting - Draft Proposed Rule Text for Fuel Cycle Cyber Security

Summary of the May 19, 2016, Public Meeting - Draft Proposed Rule Text for Fuel Cycle Cyber Security

March 17, 2016 Summary of Atlanta Public Meeting - Discuss Fuel Cycle Cyber Security Draft Proposed Rule and Guidance
February 18, 2016 Summary of Public Meeting to Discuss Concepts for the Proposed Cyber Security Rulemaking at Fuel Cycle Facilities
December 10, 2015

Documents to Support December 10, 2015 Public Meeting on Cyber Security for Fuel Cycle

Summary of Public Meeting to Discuss Technical Issues Regarding Cyber Security Proposed Rulemaking for Fuel Cycle Facilities

October 22, 2015

Publication of Three Documents Including Technical Issues for Consideration, Draft List of Cyber Controls, and Slide Presentation to Support the Fuel Cycle Cyber Security Technical Meeting with the Public on October 22, 2015

Meeting Summary and Slides for Fuel Cycle Cyber Security Public Meeting at NIST Presentation and Technical Discussion on Proposed Part 37 Rulemaking and Guidance

September 23, 2015

Draft Regulatory Basis for Cyber Security at Fuel Cycle Facilities

Federal Register Notice for Draft Regulatory Basis for Cyber Security at Fuel Cycle Facilities

Meeting Summary for Fuel Cycle Cyber Security Public Meeting to Discuss the Draft Regulatory Basis

July 13, 2015

Cyber Security Public Meeting Summary

June 11, 2015 Summary Of Meeting With The Industry And Stakeholders To Discuss Fuel Cycle Regulatory Activities And Cumulative Effects Of Regulation
Documents
Date Title
February 1, 2017 Preliminary Draft Regulatory Guide DG-5062: Cyber Security Programs for Nuclear Fuel Cycle Facilities (Published to support February 23, 2017 ACRS meeting)
October 6, 2016 Preliminary Draft Regulatory Guide DG-5062: Cyber Security Programs for Nuclear Fuel Cycle Facilities (Published to support November 2, 2016 ACRS meeting)
October 6, 2016 Fuel Cycle Cyber Security Draft Proposed Rule Text for 10 CFR 73.53 (Published to support November 2, 2016 ACRS meeting)
March 3, 2016 Final Regulatory Basis- Cyber Security Facilities

To top of page

Page Last Reviewed/Updated Monday, October 7, 2024