United States Nuclear Regulatory Commission - Protecting People and the Environment

The U.S. Nuclear Regulatory Commission's Cyber Security Regulatory Framework for Nuclear Power Reactors (NUREG/CR-7141)

Publication Information

Manuscript Completed: September 2014
Date Published: November 2014

Prepared by:
C. Chenoweth
J. Green
T. Shaw
M. Shinn
G. Simonds

MAR, Incorporated
1803 Research Boulevard
Suite #204
Rockville, MD 20850-6106

Jonah Pezeshki, Security Specialist (Cyber)

Office of Nuclear Security and Incident Response
U.S. Nuclear Regulatory Commission
Washington DC 20555-0001

Abstract

This report, NUREG/CR-7141, "The U.S. NRC Cyber Security Regulatory Framework for Nuclear Power Reactors," is a knowledge management product that provides an overview of, and a historical perspective on, the development of Regulatory Guide (RG) 5.71, "Cyber Security Programs for Nuclear Facilities." Further, this report provides a comparative analysis between the programmatic guidance contained within RG 5.71 and both the National Institute of Standards and Technology (NIST) Risk Management Framework found in NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems," Revision 1, and the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards. This framework correlates the high baseline security controls published by NIST in Special Publication 800-53, "Recommended Security Controls for Federal Information Systems and Organizations," Revision 3, to those contained in Appendices B and C of RG 5.71 ("Technical Security Controls" and "Operational and Management Security Controls," respectively). This report is not regulatory guidance and does not supersede policy decisions made by the NRC on behalf of security programs defined in the NRC's regulations or rules. Nor does this report impose any new requirements or interpretations of NRC regulations that could be used for complying with a licensee's approved cyber security plan, as defined in Title 10 of the Code of Federal Regulations (CFR) Part 73.54, "Protection of Digital Computer and Communication Systems and Networks" (10 CFR 73.54).

Page Last Reviewed/Updated Tuesday, May 17, 2016