| Insights | Nuclear Update Site

NRC Issues Cyber Security Event Notification Rule

The NRC has issued a final rule establishing cyber security event notification requirements for power reactor licensees. The 2009  cyber security rulemaking creating 10 CFR § 73.55—which requires power reactor licensees to protect digital equipment and networks that perform safety, security, and emergency preparedness functions—did not include mandatory reporting requirements. The final rule creates a new § 73.77 that requires licensees to notify the NRC of certain cyber security events within specified time frames. The NRC intends to use these notifications to assess licensees’ cyber security programs and to evaluate trends or threats with potential safety implications. Under the new rule, licensees must notify the NRC within one hour of discovery of a cyber attack that adversely impacts equipment, systems, or networks that fall under § 73.54; within four hours of discovery of an attack that could have had an adverse impact, or a suspected or actual attack initiated by personnel with access to the affected systems or networks; and within eight hours of discovery of information that indicates planning for a cyber attack. Licensees must comply with the rule by May 2, 2016.

To view the federal register entry, click here.