
NRC RIN: 3150-AJ64
Publication ID: Fall 2021
Title: Cyber Security at Fuel Cycle Facilities [NRC-2015-0179] 
Abstract:

This rulemaking would amend the NRC's regulations to add cyber security requirements for certain nuclear fuel cycle facility applicants and licensees. The rule would require certain fuel cycle facilities to establish, implement, and maintain a cyber security program that is designed to protect public health and safety and the common defense and security. It would affect fuel cycle applicants or licensees that are or plan to be authorized to: (1) possess greater than a critical mass of special nuclear material and perform activities for which the NRC requires an integrated safety analysis or (2) engage in uranium hexafluoride conversion or deconversion.

 

 
Agency: Nuclear Regulatory Commission (NRC)
Priority: Other Significant
RIN Status: Previously published in the Unified Agenda
Agenda Stage of Rulemaking: Proposed Rule Stage
Major: No
Unfunded Mandates: No
CFR Citation: 10 CFR 40, 10 CFR 70, 10 CFR 73
Legal Authority: 42 U.S.C. 2201, 42 U.S.C. 5841
Legal Deadline: None

Statement of Need:

The NRC currently does not have a comprehensive regulatory framework for addressing cyber security at fuel cycle facilities (FCFs). Each FCF licensee is subject to either design basis threats (DBTs) or to the Interim Compensatory Measures (ICM) Orders issued to all FCF licensees subsequent to the events of September 11, 2001. Both the DBTs and the ICM Orders contain a provision that these licensees include consideration of a cyber attack when considering security vulnerabilities. However, the NRC’s current regulations do not provide specific requirements or guidance on how to implement these performance objectives. Since the issuance of the ICM Orders and the 2007 DBT rulemaking, the threats to digital assets have increased both globally and nationally. Cyber attacks have increased in number, become more sophisticated, resulted in physical consequences, and targeted digital assets similar to those used by FCF licensees. The rulemaking would establish requirements for FCF licensees to establish, implement, and maintain a cyber security program to detect, protect against, and respond to a cyber attack capable of causing a consequence of concern. The design of this cyber security program would provide flexibility to account for the various types of FCFs, promote common defense and security, and provide reasonable assurance that the public health and safety remain adequately protected against the evolving risk of cyber attacks. 

Summary of the Legal Basis:

The legal basis for the proposed action is 42 U.S.C. 2201 and 42 U.S.C. 5841.

Alternatives:

As an alternative to the rulemaking, the NRC staff considered the "no-action" alternative. Under this option the NRC would not modify 10 CFR part 73. The NRC considered a number of additional approaches to improving cyber security at FCFs, including issuing generic communications, developing new guidance documents, and revising existing inspection modules or enforcement guidance. Because these approaches would not fully address the regulatory issues, the NRC did not evaluate them as alternatives to the proposed action. Because the Commission had previously rejected the issuance of orders to resolve these regulatory issues, orders were not evaluated as an alternative for this rulemaking.

Anticipated Costs and Benefits:

The NRC evaluated the provisions of the proposed rule in the Regulatory Basis and concluded that the provisions provide a substantial increase in the overall protection of public health and safety through effective implementation of the cyber security program to prevent safety consequences of concern. The analysis further demonstrated that the costs for the proposed rule provisions are cost justified for the additional protection provided.

Risks:

In the absence of specific NRC requirements, FCF licensees have implemented limited, ad hoc, voluntary cyber security measures. Voluntary cyber security measures do not include a complete set of controls for digital assets, which leaves facilities susceptible to potential vulnerabilities, and the programs may not be enforceable unless licensees incorporate them into their licensing basis. This may result in a cyber security program that is unable to adequately address the evolving cyber security threat confronting FCF licensees.

Timetable:
Action                                      Date         FR Cite
Draft Regulatory Basis                      09/04/2015   80 FR 53478
Draft Regulatory Basis Comment Period End   10/05/2015
Final Regulatory Basis                      04/12/2016   81 FR 21449
NPRM                                        12/00/2021
Final Rule                                  10/00/2022
Additional Information: The proposed rule was provided to the Commission on October 4, 2017 (SECY-17-0099), (ADAMS Package Accession No. ML17018A218).
Regulatory Flexibility Analysis Required: No
Government Levels Affected: None
Small Entities Affected: No
Federalism: No
Included in the Regulatory Plan: Yes
RIN Data Printed in the FR: No
Agency Contact:
Irene Wu
Nuclear Regulatory Commission
Office of Nuclear Material Safety and Safeguards,
Washington, DC 20555-0001
Phone: 301 415-1951
Email: irene.wu@nrc.gov