[Federal Register Volume 80, Number 172 (Friday, September 4, 2015)]
[Proposed Rules]
[Pages 53478-53480]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-22051]


=======================================================================
-----------------------------------------------------------------------

NUCLEAR REGULATORY COMMISSION

10 CFR Part 73

[NRC-2015-0179]
RIN 3150-AJ64


Cyber Security at Fuel Cycle Facilities

AGENCY: Nuclear Regulatory Commission.

ACTION: Draft regulatory basis; request for comment.

-----------------------------------------------------------------------

SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is requesting 
comments on a draft regulatory basis to support a rulemaking that would 
amend its regulations by adopting new cyber security requirements for 
certain nuclear fuel cycle facility (FCF) licensees in order to address 
safety and security consequences of concern. Potentially affected 
licensees include certain FCFs authorized to possess Category I, II, or 
III quantities of special nuclear material and uranium hexafluoride 
conversion and deconversion facilities.

DATES: Submit comments by October 5, 2015. Comments received after this 
date will be considered if it is practical to do so, but the NRC is 
only able to ensure consideration of comments received on or before 
this date.

ADDRESSES: You may submit comments by any of the following methods 
(unless this document describes a different method for submitting 
comments on a specific subject):
     Federal Rulemaking Web site: Go to http://www.regulations.gov and search for Docket ID NRC-2015-0179. Address 
questions about NRC dockets to Carol Gallagher; telephone: 
301-415-3463; email: [email protected]. For technical questions, contact 
the individual listed in the FOR FURTHER INFORMATION CONTACT section of 
this document.
     Email comments to: [email protected]. If you do not receive an 
automatic email reply confirming receipt, then contact us at 
301-415-1677.
     Fax comments to: Secretary, U.S. Nuclear Regulatory 
Commission at 301-415-1101.
     Mail comments to: Secretary, U.S. Nuclear Regulatory 
Commission, Washington, DC 20555-0001, ATTN: Rulemakings and 
Adjudications Staff.
     Hand deliver comments to: 11555 Rockville Pike, Rockville, 
Maryland 20852, between 7:30 a.m. and 4:15 p.m. (Eastern Time) Federal 
workdays; telephone: 301-415-1677.
    For additional direction on obtaining information and submitting 
comments, see ``Obtaining Information and Submitting Comments'' in the 
SUPPLEMENTARY INFORMATION section of this document.

FOR FURTHER INFORMATION CONTACT: Matthew Bartlett, Office of Nuclear 
Material Safety and Safeguards, U.S. Nuclear Regulatory Commission, 
Washington, DC 20555-0001; telephone: 301-415-7154, email: 
[email protected].

SUPPLEMENTARY INFORMATION:

I. Obtaining Information and Submitting Comments

A. Obtaining Information

    Please refer to Docket ID NRC-2015-0179 when contacting the NRC 
about the availability of information for this action. You may obtain 
publicly-available information related to this action by any of the 
following methods:
     Federal Rulemaking Web site: Go to http://www.regulations.gov and search for Docket ID NRC-2015-0179.
     NRC's Agencywide Documents Access and Management System 
(ADAMS): You may obtain publicly-available documents online in the 
ADAMS Public Documents collection at http://www.nrc.gov/reading-rm/adams.html. To begin the search, select ``ADAMS Public Documents'' and 
then select ``Begin Web-based ADAMS Search.'' For problems with ADAMS, 
please contact the NRC's Public Document Room (PDR) reference staff at 
1-800-397-4209, 301-415-4737, or by email to [email protected]. The 
draft regulatory basis document is available in ADAMS under Accession 
No. ML15198A021.
     NRC's PDR: You may examine and purchase copies of public 
documents at the NRC's PDR, Room O1-F21, One White Flint North, 11555 
Rockville Pike, Rockville, Maryland 20852.

B. Submitting Comments

    Please include Docket ID NRC-2015-0179 in the subject line of your 
comment submission, in order to ensure that the NRC is able to make 
your comment submission available to the public in this docket.
    If your comment contains proprietary or sensitive information, 
please contact the individual listed in the FOR FURTHER INFORMATION CONTACT 
section of this document to determine the most appropriate method for 
submitting your comment.
    The NRC cautions you not to include identifying or contact 
information that you do not want to be publicly disclosed in your 
comment submission. The NRC will post all comment submissions at http://www.regulations.gov as well as enter the comment submissions into 
ADAMS, and the NRC does not routinely edit comment submissions to 
remove identifying or contact information.
    If you are requesting or aggregating comments from other persons 
for submission to the NRC, then you should inform those persons not to 
include identifying or contact information that they do not want to be 
publicly disclosed in their comment submission. Your request should 
state that the NRC does not routinely edit comment submissions to 
remove such information before making the comment submissions available 
to the public or entering the comment into ADAMS.

II. Discussion

    The NRC is requesting comments on a draft regulatory basis to 
support a rulemaking that would amend part 73 of Title 10 of the Code 
of Federal Regulations (10 CFR), ``Physical Protection of Plants and 
Materials,'' by adopting new cyber security regulations for FCF 
licensees. The specific objectives of this rulemaking effort are to 
establish new requirements for FCF licensees that: (1) Require 
licensees authorized to possess a Category I quantity of special 
nuclear material (SNM) to establish and maintain a cyber security 
program that provides high assurance that digital computer systems, 
communication systems, and networks associated with safety, security, 
emergency preparedness, and material control and accounting (SSEPMCA) 
functions are protected from cyber attacks up to and including the 
design basis threats defined in 10 CFR 73.1; (2) require certain 
licensees authorized to possess source material or a Category II or III 
quantity of SNM to establish and maintain a cyber security program that 
provides reasonable assurance that digital computer systems, 
communication systems, and networks associated with SSEPMCA functions 
are protected from cyber attacks; (3) codify existing cyber security 
requirements imposed on FCF licensees by security orders issued 
following the terrorist attacks of September 11, 2001, and applicable 
subsequent voluntary actions instituted by FCF licensees; (4) implement 
a graded, performance-based regulatory framework to prevent cyber 
attacks that could result in certain consequences of concern; and (5) 
implement cyber security reporting criteria.
    The scope of the draft regulatory basis includes cyber security for 
FCFs licensed under 10 CFR part 70 and uranium hexafluoride conversion 
and deconversion facilities licensed under 10 CFR part 40. These 
licensees have varying safety and security consequences of concern 
based on their functions and the type and quantity of material 
possessed. To account for these differences, the NRC plans to develop a 
graded, consequence-based approach for the identification and 
protection of digital assets associated with SSEPMCA functions. The 
draft regulatory basis, in part, explains why the NRC believes the 
existing regulations should be updated, revised, and enhanced; presents 
alternatives to rulemaking; and discusses costs and other impacts of 
the potential changes.

III. Specific Requests for Comments

    The NRC requests that stakeholders consider answering the following 
questions when commenting on the draft regulatory basis:
     Is the NRC considering an appropriate approach for each 
objective described in the draft regulatory basis?
     Chapter 3 of the draft regulatory basis discusses the 
regulatory concerns the NRC expects to address through rulemaking. 
Chapter 4 presents the intended regulatory changes to address those 
regulatory concerns, and Chapter 5 discusses alternatives to rulemaking 
considered by the NRC staff. Are there other regulatory concerns within 
or related to the scope of the rulemaking efforts (see Chapter 1 of the 
draft regulatory basis) that the NRC should consider? Are there other 
approaches or alternatives the NRC should consider to resolve those 
regulatory concerns?
     Chapter 8 of the draft regulatory basis presents the NRC 
staff's initial consideration of costs and other impacts for a number 
of key aspects of the potential regulatory changes (i.e., cyber 
security programs, cyber incident reporting). This initial assessment 
is based on limited available data. The staff is seeking additional 
data and input relative to expected and/or unintentional impacts from 
the desired regulatory changes. What would be the potential impacts 
to stakeholders/licensees from implementing any of 
the desired regulatory changes described in this draft regulatory basis 
(e.g., what would be a reasonable cost estimate for implementation of 
the cyber security programs, including startup and annual costs)?
     The NRC staff is aware of licensee voluntary efforts to 
address cyber security. Is there additional information related to 
these efforts that would inform the NRC staff's assessment or analysis?

IV. Cumulative Effects of Regulation

    The Cumulative Effects of Regulation (CER) describes the challenges 
that licensees or other impacted entities (such as State agency 
partners) may face while implementing new regulatory positions, 
programs, and requirements (e.g., rules, generic letters, backfits, 
inspections). The CER is an organizational effectiveness challenge that 
results from a licensee or impacted entity implementing a number of 
complex positions, programs, or requirements within a limited 
implementation period and with available resources (which may include 
limited available expertise to address a specific issue). The NRC has 
implemented CER enhancements to the rulemaking process to facilitate 
public involvement throughout the rulemaking process. Therefore, the 
NRC is specifically requesting comment on the cumulative effects that 
may result from this proposed rulemaking. In developing comments on the 
draft regulatory basis, consider the following questions:
    (1) In light of any current or projected CER challenges, what 
should be a reasonable effective date, compliance date, or submittal 
date(s) from the time the final rule is published to the actual 
implementation of any new proposed requirements, including changes to 
programs, procedures, or the facility?
    (2) If current or projected CER challenges exist, what should be 
done to address this situation (e.g., if more time is required to 
implement the new requirements, what period of time would be 
sufficient, and why such a time frame is necessary)?
    (3) Do other regulatory actions (e.g., orders, generic 
communications, license amendment requests, and inspection findings of 
a generic nature) by NRC or other agencies influence the implementation 
of the potential proposed requirements?
    (4) Are there unintended consequences? Does the potential proposed 
action create conditions that would be contrary to the potential 
proposed action's purpose and objectives? If so, what are the 
consequences and how should they be addressed?
    Please provide information on the costs and benefits of the 
potential proposed action. This information will be used to support any 
regulatory analysis by the NRC.

V. Availability of Documents

    The NRC may post additional materials related to this rulemaking 
activity to the Federal rulemaking Web site at www.regulations.gov 
under Docket ID NRC-2015-0179. By making these documents publicly 
available, the NRC seeks to inform stakeholders of the current status 
of the NRC's rulemaking development activities and to provide 
preparatory material for future public meetings.
    The Federal rulemaking Web site allows you to receive alerts when 
changes or additions occur in a docket folder. To subscribe: (1) 
Navigate to the docket folder (NRC-2015-0179); (2) click the ``Sign up 
for Email Alerts'' link; and (3) enter your email address and select 
how frequently you would like to receive emails (daily, weekly, or 
monthly).

VI. Plain Writing

    The Plain Writing Act of 2010 (Pub. L. 111-274) requires Federal 
agencies to write documents in a clear, concise, well-organized manner. 
The NRC has written this document to be consistent with the Plain 
Writing Act as well as the Presidential Memorandum, ``Plain Language in 
Government Writing,'' published in the Federal Register on June 10, 
1998 (63 FR 31883). The NRC requests comment on this document with 
respect to the clarity and effectiveness of the language used.

    Dated at Rockville, Maryland, this 27th day of August, 2015.
    For the Nuclear Regulatory Commission.
Marissa G. Bailey,
Director, Division of Fuel Cycle Safety, Safeguards, and Environmental 
Review, Office of Nuclear Materials Safety and Safeguards.
[FR Doc. 2015-22051 Filed 9-3-15; 8:45 am]
 BILLING CODE 7590-01-P