View Rule
NRC | RIN: 3150-AJ64 | Publication ID: Fall 2018 |
Title: Cyber Security at Fuel Cycle Facilities [NRC-2015-0179] |
Abstract:
This rulemaking would amend the NRC's regulations to add cyber security requirements for certain nuclear fuel cycle facility applicants and licensees. The rule would require certain fuel cycle facilities to establish, implement, and maintain a cyber security program that is designed to protect public health and safety and the common defense and security. It would affect fuel cycle applicants or licensees that are or plan to be authorized to: (1) possess greater than a critical mass of special nuclear material and perform activities for which the NRC requires an integrated safety analysis or (2) engage in uranium hexafluoride conversion or deconversion.
Agency: Nuclear Regulatory Commission (NRC) | Priority: Other Significant |
RIN Status: Previously published in the Unified Agenda | Agenda Stage of Rulemaking: Proposed Rule Stage |
Major: No | Unfunded Mandates: No |
EO 13771 Designation: Independent agency |
CFR Citation: 10 CFR 40; 10 CFR 70; 10 CFR 73 |
Legal Authority: 42 U.S.C. 2201; 42 U.S.C. 5841 |
Legal Deadline:
None |
Statement of Need: The NRC currently does not have a comprehensive regulatory framework for addressing cyber security at fuel cycle facilities (FCFs). Each FCF licensee is subject to either design basis threats (DBTs) or to the Interim Compensatory Measures (ICM) Orders issued to all FCF licensees subsequent to the events of September 11, 2001. Both the DBTs and the ICM Orders contain a provision that these licensees include consideration of a cyber attack when considering security vulnerabilities. However, the NRC’s current regulations do not provide specific requirements or guidance on how to implement these performance objectives. Since the issuance of the ICM Orders and the 2007 DBT rulemaking, the threats to digital assets have increased both globally and nationally. Cyber attacks have increased in number, become more sophisticated, resulted in physical consequences, and targeted digital assets similar to those used by FCF licensees. The rulemaking would establish requirements for FCF licensees to establish, implement, and maintain a cyber security program to detect, protect against, and respond to a cyber attack capable of causing a consequence of concern. The design of this cyber security program would provide flexibility to account for the various types of FCFs, promote common defense and security, and provide reasonable assurance that the public health and safety remain adequately protected against the evolving risk of cyber attacks. |
Summary of the Legal Basis: |
Alternatives: |
Anticipated Costs and Benefits: The NRC evaluated the provisions of the proposed rule in the Regulatory Basis and concluded that the provisions provide a substantial increase in the overall protection of public health and safety through effective implementation of the cyber security program to prevent safety consequences of concern. The analysis further demonstrated that the costs for the proposed rule provisions are cost justified for the additional protection provided. |
Risks: |
Timetable:
Regulatory Flexibility Analysis Required: No | Government Levels Affected: None |
Small Entities Affected: No | Federalism: No |
Included in the Regulatory Plan: Yes |
RIN Data Printed in the FR: No |
Agency Contact: Gary Comfort, Jr., Nuclear Regulatory Commission, Office of Nuclear Material Safety and Safeguards, Washington, DC 20555-0001 | Phone: 301 415-8106 | Email: gary.comfort@nrc.gov |