[Federal Register Volume 80, Number 172 (Friday, September 4, 2015)] [Proposed Rules] [Pages 53478-53480] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2015-22051] ======================================================================= ----------------------------------------------------------------------- NUCLEAR REGULATORY COMMISSION 10 CFR Part 73 [NRC-2015-0179] RIN 3150-AJ64 Cyber Security at Fuel Cycle Facilities AGENCY: Nuclear Regulatory Commission. ACTION: Draft regulatory basis; request for comment. ----------------------------------------------------------------------- SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is requesting comments on a draft regulatory basis to support a rulemaking that would amend its regulations by adopting new cyber security requirements for certain nuclear fuel cycle facility (FCF) licensees in order to address safety and security consequences of concern. Potentially affected licensees include certain FCFs authorized to possess Category I, II, or III quantities of special nuclear material and uranium hexafluoride conversion and deconversion facilities. DATES: Submit comments by October 5, 2015. Comments received after this date will be considered if it is practical to do so, but the NRC is only able to ensure consideration of comments received on or before this date. ADDRESSES: You may submit comments by any of the following methods (unless this document describes a different method for submitting comments on a specific subject):Federal Rulemaking Web site: Go to http://www.regulations.gov and search for Docket ID NRC-2015-0179. Address questions about NRC dockets to Carol Gallagher; telephone: 301-415- 3463; email: [email protected]. For technical questions, contact the individual listed in the FOR FURTHER INFORMATION CONTACT section of this document. Email comments to: [email protected]. If you [[Page 53479]] do not receive an automatic email reply confirming receipt, then contact us at 301-415-1677. Fax comments to: Secretary, U.S. Nuclear Regulatory Commission at 301-415-1101. Mail comments to: Secretary, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, ATTN: Rulemakings and Adjudications Staff. Hand deliver comments to: 11555 Rockville Pike, Rockville, Maryland 20852, between 7:30 a.m. and 4:15 p.m. (Eastern Time) Federal workdays; telephone: 301-415-1677. For additional direction on obtaining information and submitting comments, see ``Obtaining Information and Submitting Comments'' in the SUPPLEMENTARY INFORMATION section of this document. FOR FURTHER INFORMATION CONTACT: Matthew Bartlett, Office of Nuclear Material Safety and Safeguards, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; telephone: 301-415-7154, email: [email protected]. SUPPLEMENTARY INFORMATION: I. Obtaining Information and Submitting Comments A. Obtaining Information Please refer to Docket ID NRC-2015-0179 when contacting the NRC about the availability of information for this action. You may obtain publicly-available information related to this action by any of the following methods: Federal Rulemaking Web site: Go to http://www.regulations.gov and search for Docket ID NRC-2015-0179. NRC's Agencywide Documents Access and Management System (ADAMS): You may obtain publicly-available documents online in the ADAMS Public Documents collection at http://www.nrc.gov/reading-rm/adams.html. To begin the search, select ``ADAMS Public Documents'' and then select ``Begin Web-based ADAMS Search.'' For problems with ADAMS, please contact the NRC's Public Document Room (PDR) reference staff at 1-800-397-4209, 301-415-4737, or by email to [email protected]. The draft regulatory basis document is available in ADAMS under Accession No. ML15198A021. NRC's PDR: You may examine and purchase copies of public documents at the NRC's PDR, Room O1-F21, One White Flint North, 11555 Rockville Pike, Rockville, Maryland 20852. B. Submitting Comments Please include Docket ID NRC-2015-0179 in the subject line of your comment submission, in order to ensure that the NRC is able to make your comment submission available to the public in this docket. If your comment contains proprietary or sensitive information, please contact the individual listed in the FOR INFORMATION CONTACT section of this document to determine the most appropriate method for submitting your comment. The NRC cautions you not to include identifying or contact information that you do not want to be publicly disclosed in your comment submission. The NRC will post all comment submissions at http://www.regulations.gov as well as enter the comment submissions into ADAMS, and the NRC does not routinely edit comment submissions to remove identifying or contact information. If you are requesting or aggregating comments from other persons for submission to the NRC, then you should inform those persons not to include identifying or contact information that they do not want to be publicly disclosed in their comment submission. Your request should state that the NRC does not routinely edit comment submissions to remove such information before making the comment submissions available to the public or entering the comment into ADAMS. II. Discussion The NRC is requesting comments on a draft regulatory basis to support a rulemaking that would amend part 73 of Title 10 of the Code of Federal Regulations (10 CFR), ``Physical Protection of Plants and Materials,'' by adopting new cyber security regulations for FCF licensees. The specific objectives of this rulemaking effort are to establish new requirements for FCF licensees that: (1) Require licensees authorized to possess a Category I quantity of special nuclear material (SNM) to establish and maintain a cyber security program that provides high assurance that digital computer systems, communication systems, and networks associated with safety, security, emergency preparedness, and material control and accounting (SSEPMCA) functions are protected from cyber attacks up to and including the design basis threats defined in 10 CFR 73.1; (2) require certain licensees authorized to possess source material or a Category II or III quantity of SNM to establish and maintain a cyber security program that provides reasonable assurance that digital computer systems, communication systems, and networks associated with SSEPMCA functions are protected from cyber attacks; (3) codify existing cyber security requirements imposed on FCF licensees by security orders issued following the terrorist attacks of September 11, 2001, and applicable subsequent voluntary actions instituted by FCF licensees; (4) implement a graded, performance-based regulatory framework to prevent cyber attacks that could result in certain consequences of concern; and (5) implement cyber security reporting criteria. The scope of the draft regulatory basis includes cyber security for FCFs licensed under 10 CFR part 70 and uranium hexafluoride conversion and deconversion facilities licensed under 10 CFR part 40. These licensees have varying safety and security consequences of concern based on their functions and the type and quantity of material possessed. To account for these differences, the NRC plans to develop a graded, consequence-based approach for the identification and protection of digital assets associated with SSEPMCA functions. The draft regulatory basis, in part, explains why the NRC believes the existing regulations should be updated, revised, and enhanced; presents alternatives to rulemaking; and discusses costs and other impacts of the potential changes. III. Specific Requests for Comments The NRC requests that stakeholders consider answering the following questions when commenting on the draft regulatory basis: Is the NRC considering an appropriate approach for each objective described in the draft regulatory basis? Chapter 3 of the draft regulatory basis discusses the regulatory concerns the NRC expects to address through rulemaking. Chapter 4 presents the intended regulatory changes to address those regulatory concerns, and Chapter 5 discusses alternatives to rulemaking considered by the NRC staff. Are there other regulatory concerns within or related to the scope of the rulemaking efforts (see Chapter 1 of the draft regulatory basis) that the NRC should consider? Are there other approaches or alternatives the NRC should consider to resolve those regulatory concerns? Chapter 8 of the draft regulatory basis presents the NRC staff's initial consideration of costs and other impacts for a number of key aspects of the potential regulatory changes (i.e., cyber security programs, cyber incident reporting). This initial assessment is based on limited available data. The staff is seeking additional data and input relative to expected and/or unintentional impacts from the desired regulatory changes. What would be the [[Page 53480]] potential impacts to stakeholders/licensees from implementing any of the desired regulatory changes described in this draft regulatory basis (e.g., what would be a reasonable cost estimate for implementation of the cyber security programs, including startup and annual costs)? The NRC staff is aware of licensee voluntary efforts to address cyber security. Is there additional information related to these efforts that would inform the NRC staff's assessment or analysis? IV. Cumulative Effects of Regulation The Cumulative Effects of Regulation (CER) describes the challenges that licensees or other impacted entities (such as State agency partners) may face while implementing new regulatory positions, programs, and requirements (e.g., rules, generic letters, backfits, inspections). The CER is an organizational effectiveness challenge that results from a licensee or impacted entity implementing a number of complex positions, programs, or requirements within a limited implementation period and with available resources (which may include limited available expertise to address a specific issue). The NRC has implemented CER enhancements to the rulemaking process to facilitate public involvement throughout the rulemaking process. Therefore, the NRC is specifically requesting comment on the cumulative effects that may result from this proposed rulemaking. In developing comments on the draft regulatory basis, consider the following questions: (1) In light of any current or projected CER challenges, what should be a reasonable effective date, compliance date, or submittal date(s) from the time the final rule is published to the actual implementation of any new proposed requirements, including changes to programs, procedures, or the facility? (2) If current or projected CER challenges exist, what should be done to address this situation (e.g., if more time is required to implement the new requirements, what period of time would be sufficient, and why such a time frame is necessary)? (3) Do other regulatory actions (e.g., orders, generic communications, license amendment requests, and inspection findings of a generic nature) by NRC or other agencies influence the implementation of the potential proposed requirements? (4) Are there unintended consequences? Does the potential proposed action create conditions that would be contrary to the potential proposed action's purpose and objectives? If so, what are the consequences and how should they be addressed? Please provide information on the costs and benefits of the potential proposed action. This information will be used to support any regulatory analysis by the NRC. V. Availability of Documents The NRC may post additional materials related to this rulemaking activity to the Federal rulemaking Web site at www.regulations.gov under Docket ID NRC-2015-0179. By making these documents publicly available, the NRC seeks to inform stakeholders of the current status of the NRC's rulemaking development activities and to provide preparatory material for future public meetings. The Federal rulemaking Web site allows you to receive alerts when changes or additions occur in a docket folder. To subscribe: (1) Navigate to the docket folder (NRC-2015-0179); (2) click the ``Sign up for Email Alerts'' link; and (3) enter your email address and select how frequently you would like to receive emails (daily, weekly, or monthly). VI. Plain Writing The Plain Writing Act of 2010 (Pub. L. 111-274) requires Federal agencies to write documents in a clear, concise, well-organized manner. The NRC has written this document to be consistent with the Plain Writing Act as well as the Presidential Memorandum, ``Plain Language in Government Writing,'' published in the Federal Register on June 10, 1998 (63 FR 31883). The NRC requests comment on this document with respect to the clarity and effectiveness of the language used. Dated at Rockville, Maryland, this 27th day of August, 2015. For the Nuclear Regulatory Commission. Marissa G. Bailey, Director, Division of Fuel Cycle Safety, Safeguards, and Environmental Review, Office of Nuclear Materials Safety and Safeguards. [FR Doc. 2015-22051 Filed 9-3-15; 8:45 am] BILLING CODE 7590-01-P