Cyber-Security Rulemaking for Fuel Cycle Facilities
In 2014, the U.S. Nuclear Regulatory Commission (NRC) staff issued SECY-14-0147, "Cyber Security for Fuel Cycle Facilities," dated December 30, 2014 (Note: this document is not publicly available because it contains sensitive, security-related information). In SECY-14-0147, the NRC staff concluded that cyber security requirements for fuel cycle facility licensees need to be addressed because of: (1) an increasing and persistent cyber security threat; (2) the potential exploitation of vulnerabilities through a variety of attack vectors; (3) the inherent difficulty of detecting the compromise of digital assets; and (4) the potential consequences associated with a cyber attack. In the staff requirements memorandum (SRM) to SECY-14-0147, "Staff Requirements – SECY-14-0147 – Cyber Security for Fuel Cycle Facilities," dated March 24, 2015, the Commission directed the NRC staff to proceed directly with a cyber security rulemaking to apply a disciplined, graded approach to the identification of digital assets and a graded, consequence-based approach to their protection.
The NRC is developing a proposed rule to establish new cyber security regulations in Part 73 of Title 10 of the Code of Federal Regulations (10 CFR), "Physical Protection of Plants and Materials," for fuel cycle facilities. This proposed rule would add one new section, 10 CFR 73.53, "Cyber Security for Fuel Cycle Facilities," and make conforming changes to 10 CFR Parts 40 (10 CFR 40.31 and 40.35), 70 (10 CFR 70.22 and 70.32) and 73 (10 CFR 73.8 and 73.46). The proposed requirements of this new section would apply to each applicant or licensee subject to the requirements of 10 CFR Part 70, "Domestic Licensing of Special Nuclear Material," Subpart H, "Additional Requirements for Certain Licensees Authorized To Possess a Critical Mass of Special Nuclear Material." The proposed rule would also apply to each fuel cycle applicant or licensee of a uranium hexafluoride conversion or deconversion facility licensed under 10 CFR Part 40, "Domestic Licensing of Source Material." The proposed rule would require these licensees to develop and maintain a cyber security program consistent with the new regulations.
In recent years, the threat of cyber attacks has steadily risen, both globally and nationally. The U.S. Government has observed an increase in: (1) the number of cyber attacks; (2) the level of sophistication of such attacks; (3) the potential of these attacks to impact numerous digital assets, including digital assets at fuel cycle facilities; and (4) the emergence of attacks that produce kinetic (physical) effects. Additionally, these attacks can be conducted anonymously from remote locations throughout the world.
In response to the terrorist attacks of September 11, 2001, the NRC issued a series of security orders, including Interim Compensatory Measures (ICM) Orders issued to fuel cycle facility licensees in 2002 and 2003, which contained a generic cyber security measure. The ICM Orders lacked implementation guidance for that generic measure, which focused on computer systems that conduct and maintain communications during emergency response actions.
In 2007, the Commission promulgated a rulemaking entitled "Design Basis Threat" (72 Federal Register [FR] 12705), which required licensees to protect against acts of radiological sabotage and to prevent theft or diversion of special nuclear material. The rulemaking included a requirement for licensees to consider a cyber security threat as an element of the design basis threats (DBTs), but no specific implementation guidance was provided.
In March 2009, the NRC further addressed cyber security for power reactors in a stand-alone section in 10 CFR 73.54. The development of associated guidance for implementing the requirements in 10 CFR 73.54 resulted in the publication of RG 5.71, "Cyber Security Programs for Nuclear Facilities."
In June 2012, the NRC staff completed SECY-12-0088, "The Nuclear Regulatory Commission Cyber Security Roadmap," which established the NRC staff’s approach for evaluating the need for cyber security requirements for the following four categories of NRC licensees and facilities: (1) fuel cycle facilities, (2) non-power reactors, (3) independent spent fuel storage installations, and (4) byproduct materials licensees.
In 2014, the NRC staff sought Commission approval to implement additional cyber security requirements for fuel cycle facilities. In the SRM to SECY-14-0147, the Commission directed the NRC staff to proceed directly with a cyber security rulemaking to apply a disciplined, graded approach to the identification of vital digital assets and a graded, consequence-based approach to their protection.
Status of Rulemaking
Following the Commission's issuance of the SRM to SECY-14-0147, the following milestone dates were established and are being tracked by SECY.
Metric Deadlines for Fuel Cycle Cyber Security Proposed Rulemaking
    Complete the regulatory basis
    Provide the proposed rule and draft regulatory guidance to the Commission
    Provide the final rule and final regulatory guidance to the EDO for the Commission
    Pending Commission Direction
Interactions with the Advisory Committee on Reactor Safeguards (ACRS)
As part of the proposed rule development, the NRC staff briefed the Digital Instrumentation and Control Systems sub-committee of the Advisory Committee on Reactor Safeguards (ACRS) on the draft version of the proposed rule and the related draft regulatory guide. The November 2, 2016 meeting was open to the public and a transcript of the meeting is available. A follow-up briefing was provided to the ACRS DI&C sub-committee on February 23, 2017, and a transcript is available for the public portion of the meeting. Additional information on ACRS-related meetings is available on the NRC public website under "Advisory Committee on Reactor Safeguards Document Collections".
The NRC has a long-standing practice of conducting regulatory activities in an open manner. Rulemaking documents are available to the public on the Federal Government's Regulations website under docket number NRC-2015-0179. The 10 CFR 73.53 cyber security rulemaking effort is also tracked on the Cumulative Effects of Regulation (CER) website. The NRC staff maintains the status of proposed regulatory actions on the CER Integrated Schedule, which is updated quarterly. The NRC staff also conducts periodic public meetings as part of CER to inform industry and the public on the status of regulatory activities.
The NRC staff will seek comments on the proposed rule and proposed regulatory guide once they are made available for public comment in the Federal Register (FR), subject to Commission approval. The NRC staff typically holds a public meeting during the comment period to facilitate sharing of comments on the proposed rule and related guidance.
For general information about the available opportunities for public involvement in NRC activities, see Public Meetings and Involvement, Hearing Opportunities and License Applications, and NUREG/BR-0215, "Public Involvement in the Regulatory Process." For other security-related meetings, please see Public Meetings on Nuclear Security and Safeguards.
Public Meetings and Materials
The NRC staff has held a number of public meetings to discuss agency activities related to the cyber security initiative for fuel cycle facilities. Documents associated with these meetings are listed below by meeting date.
Date of Meeting

March 29, 2017
    Summary of March 29, 2017, Meeting With The Industry and Stakeholders to Discuss Fuel Cycle Regulatory Activities and Cumulative Effects of Regulation

February 23, 2017
    ACRS Digital Instrument and Control Sub-Committee Transcript for Follow-up Briefing on Cyber Security (public portion)

November 2, 2016
    ACRS Digital Instrument and Control Sub-Committee Transcript for Initial Briefing on Cyber Security (public portion)

October 12, 2016
    NEI Fuel Cycle Cyber Security Implementation Costs Presentation
    Summary of October 12, 2016, Meeting with the Industry and Stakeholders to Discuss the Cumulative Effects of Regulation and Fuel Cycle Regulatory Activities

August 25, 2016
    Proposed Rule Language and Related Draft Regulatory Guide to Support the Public Meeting on August 25, 2016
    August 25, 2016 Summary of Public Meeting - Fuel Cycle Cyber Security Proposed Rulemaking Discussion

May 19, 2016
    CA Note - Public Availability of Draft Proposed Rule Text for Fuel Cycle Facilities Cyber Security
    Presentations at May 19, 2016 Public Meeting - Draft Proposed Rule Text for Fuel Cycle Cyber Security
    Summary of the May 19, 2016, Public Meeting - Draft Proposed Rule Text for Fuel Cycle Cyber Security

March 17, 2016
    Summary of Atlanta Public Meeting - Discuss Fuel Cycle Cyber Security Draft Proposed Rule and Guidance

February 18, 2016
    Summary of Public Meeting to Discuss Concepts for the Proposed Cyber Security Rulemaking at Fuel Cycle Facilities

December 10, 2015
    Documents to Support December 10, 2015 Public Meeting on Cyber Security for Fuel Cycle
    Summary of Public Meeting to Discuss Technical Issues Regarding Cyber Security Proposed Rulemaking for Fuel Cycle Facilities

October 22, 2015
    Publication of Three Documents Including Technical Issues for Consideration, Draft List of Cyber Controls, and Slide Presentation to Support the Fuel Cycle Cyber Security Technical Meeting with the Public on October 22, 2015
    Meeting Summary and Slides for Fuel Cycle Cyber Security Public Meeting at NIST Presentation and Technical Discussion on Proposed Part 37 Rulemaking and Guidance

September 23, 2015
    Draft Regulatory Basis for Cyber Security at Fuel Cycle Facilities
    Federal Register Notice for Draft Regulatory Basis for Cyber Security at Fuel Cycle Facilities
    Meeting Summary for Fuel Cycle Cyber Security Public Meeting to Discuss the Draft Regulatory Basis

July 13, 2015
    Cyber Security Public Meeting Summary

June 11, 2015
    Summary Of Meeting With The Industry And Stakeholders To Discuss Fuel Cycle Regulatory Activities And Cumulative Effects Of Regulation