§ 73.110 Technology-inclusive requirements for protection of digital computer and communication systems and networks.

Source: eCFR.io (Daily eCFR)
Citation: 10 CFR 73.110
Displayed edition: 2026-05-07
Last updated: 2026-05-07

(a) Each licensee that is licensed to operate a commercial nuclear plant under 10 CFR part 53 and elects to implement the requirements of this section must establish, implement, and maintain a cybersecurity program that is commensurate with the potential consequences resulting from cyberattacks, up to and including the design-basis threat as described in § 73.1. The cybersecurity program must provide reasonable assurance that digital computer and communication systems and networks are adequately protected against cyberattacks that are capable of causing the following consequences:

(1) Adversely impacting the safety, security, and emergency preparedness functions performed by digital assets that prevent a postulated fission product release resulting in offsite doses exceeding the values in § 53.210 of this chapter.

(2) Adversely impacting the security functions performed by digital assets necessary for implementing the physical security requirements in § 53.860(a) of this chapter.

(b) To protect digital computer and communication systems and networks associated with the functions described in paragraphs (a)(1) and (2) of this section, the licensee must—

(1) Analyze the potential consequences resulting from cyberattacks on digital computer and communication systems and networks and identify those assets that must be protected to demonstrate compliance with paragraph (a) of this section; and

(2) Implement the cybersecurity program in accordance with paragraph (d) of this section.

(c) The licensee must protect the systems and networks identified in paragraph (b)(1) of this section in a manner that is commensurate with the potential consequences resulting from cyberattacks that:

(1) Adversely impact the integrity or confidentiality of data and/or software;

(2) Deny access to systems, services, and/or data; and

(3) Adversely impact the operation of systems, networks, and associated equipment.

(d) The cybersecurity program must be designed in a manner that is commensurate with the potential consequences resulting from cyberattacks through the following steps:

(1) Implement security controls to protect the assets identified under paragraph (b)(1) of this section from cyberattacks, commensurate with their safety and security significance;

(2) Apply and maintain defense-in-depth protective strategies to ensure the capability to detect, delay, respond to, and recover from cyberattacks capable of causing the consequences identified in paragraph (a) of this section;

(3) Mitigate the adverse effects of cyberattacks capable of causing the consequences identified in paragraph (a) of this section; and

(4) Ensure that the functions of protected assets identified under paragraph (b)(1) of this section are not adversely impacted due to cyberattacks.

(e) The licensee must implement the following requirements in a manner that is commensurate with the potential consequences resulting from cyberattacks:

(1) As part of the cybersecurity program, the licensee must comply with the requirements in § 73.54(d)(1), (2), and (4), and must ensure that modifications to assets, identified under paragraph (b)(1) of this section are evaluated before implementation to ensure that the cybersecurity performance objectives identified in paragraph (a) of this section are maintained.

(2) The licensee must establish, implement, and maintain a cybersecurity plan that implements the cybersecurity program requirements of this section.

(i) The cybersecurity plan must describe how the requirements of this section will be implemented and must account for the site-specific conditions that affect implementation.

(ii) The cybersecurity plan must include measures for incident response and recovery for cyberattacks. The cybersecurity plan must include the analysis identified under paragraph (b)(1) of this section and describe how the licensee will—

(A) Apply and maintain defense-in-depth protective strategies as required in paragraph (d)(2) of this section;

(B) Maintain the capability for timely detection and response to cyberattacks;

(C) Mitigate the consequences of cyberattacks;

(D) Correct exploited vulnerabilities; and

(E) Restore affected systems, networks, and/or equipment affected by cyberattacks.

(3) The licensee must develop and maintain written policies and implementing procedures to implement the cybersecurity plan. Policies, implementing procedures, and other supporting technical information used by the licensee need not be submitted for Commission review and approval as part of the cybersecurity plan but are subject to inspection by NRC staff on a periodic basis.

(4) The licensee must establish and implement cybersecurity reviews to assess the effectiveness of the implementation of the cybersecurity program.

(i) The licensee must review each element of the cybersecurity program at a frequency commensurate with the importance or significance to safety of plant operations to ensure timely identification and documentation of vulnerabilities, improvements, and corrective actions.

(ii) Cybersecurity reviews must be performed by individuals independent of those personnel responsible for program management and any individual who has direct responsibility for implementing the cybersecurity program.

(iii) The licensee must establish and perform self-assessments to ensure the effective implementation of the cybersecurity program.

(iv) The results and recommendations of the cybersecurity program reviews, management's findings regarding program effectiveness, and any actions taken as a result of recommendations from prior program reviews, must be documented in a report and must be maintained in an auditable form and available for inspection.

(5) The licensee must retain all records and supporting technical documentation required to demonstrate compliance with the requirements of this section as a record until the Commission terminates the license for which the records were developed and must maintain superseded portions of these records for at least three (3) years after the record is superseded, unless otherwise specified by the Commission.