[Licensee/Applicant] developed and [annually] reviews and updates the following:
\u2022 a formal, documented security planning, assessment and authorization policy that describes the
purpose, scope, roles, responsibilities, management commitments, and coordination among
[Licensee/Applicant] [departments] and the implementation of this cyber security program, the
controls in Appendices B and C to RG 5.71, and
\u2022 a formal, documented procedure to facilitate the implementation of the cyber security program
and the security assessment.
", "controlId": "A.3.1.1", "family": "Program Implementation", "enhancements": "", "sortId": "A.003.001.001", "references": "", "relatedControls": "", "otherId": "A.003.001.001" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "8faa0b85-b23a-4414-87ac-ff0590cd55d6", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Cyber Security Team", "description": "[Licensee/Applicant] established and maintains a cyber security team (CST) consisting of individuals
with broad knowledge in the following areas:
\u2022 Information and digital system technology\u2014This includes cyber security, software development,
offsite communications, computer system admini stration, computer engineering, and computer
networking. Individuals with knowledge of the digital systems involved in plant operations,
including digital instrumentation and control systems, and those involved in plant information
systems, are included. Plant operational systems include programmable logic controllers, control
Appendix A to RG 5.71, Page A-3 systems, and distributed control systems. In formation systems include computer systems and
databases containing information used in the design, operation, and maintenance CDAs. The
networking arena includes knowledge of both site- and corporate-wide networks.
\u2022 Nuclear facility operations, engineering, and safety\u2014This includes overall facility operations and
plant technical specification compliance. [Licensee/Applicant] staff representing this technical area trace the impact of a potential vulnerability or series of vulnerabilities in a CDA (or
connected digital asset) outward through plant systems and subsystems to ensure that the overall impact on the SSEP functions of the plant is evaluated.
\u2022 Physical security and emergency preparedness\u2014This includes the site\u2019s physical security and
emergency preparedness systems and programs.
The roles and responsibilities of the CST include the following:
\u2022 performing or overseeing each stage of the cyber security management processes;
\u2022 documenting all key observations, analyses, and findings during the assessment process so that
this information can be used in the application of security controls;
\u2022 evaluating or reevaluating assumptions and conclusions about current cyber security threats;
potential vulnerabilities to, and consequences from, an attack; the effectiveness of existing cyber security controls, defensive strategies, and attack mitigation methods; and cyber security
awareness and training of those working with, or responsible for, CDAs and cyber security controls throughout their system life cycles;
\u2022 confirming information acquired during reviews by conducting comprehensive walkdowns of
CDAs and connected digital assets and associated cyber security controls, including walkdown
inspections with physical and electronic validation activities;
\u2022 identifying and implementing potential new cyber security controls, as needed;
\u2022 preparing documentation and overseeing implementation of the cyber security controls provided
in Appendices B and C to RG 5.71, documenting the basis for not implementing certain cyber
security controls provided in Appendix B to RG 5.71, or documenting the basis for the implementation of alternate or compensating measures in lieu of any cyber security controls
provided in Appendix B to RG 5.71; and
\u2022 assuring the retention of all assessment documentation, including notes and supporting
information, in accordance with 10 CFR 73.55(q) a nd the record retention requirements specified
in Section 5 of this plan.
The CST conducts objective security assessments, makes [determinations] that are not constrained by
operational goals, and resolves these issues using the process described in Section 3.1.6 of this plan.
", "controlId": "A.3.1.2", "family": "Program Implementation", "enhancements": "", "sortId": "A.003.001.002", "references": "", "relatedControls": "", "otherId": "A.003.001.002" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "bb59505a-f0ac-4773-b399-4e0f86abdb6d", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Identification of Critical Digital Assets ", "description": "To identify the CDAs at [Site], [Licensee/Applicant]\u2019s CST:
\u2022 Identified and documented plant systems, equipment, communication systems, and networks that
are associated with the SSEP functions describe d in 10 CFR 73.54(a)(1), as well as the support
systems associated with these SSEP functions. These systems are hereafter referred to as critical
systems (CSs). The CST identified CSs by conducting an initial consequence analysis of [Site]
plant systems, equipment, communication systems, and networks to determine those which, if
compromised, exploited, or failed, could impact the SSEP functions of the nuclear facility,
without taking into account existing mitigating measures. For those support systems or
equipment that are associated with SSEP functions, [Licensee/Applicant] performed a
dependency and pathway analysis to determine whether those systems or equipment are CSs.
\u2022 Identified and documented CDAs that have a direct, supporting, or indirect role in the proper
functioning of CSs.
For each CS examined, the [Licensee/Applicant] documented the following:
\u2022 a general description of each system, asset, or network identified as a CDA
\u2022 the identification of CDAs within each CS
\u2022 a brief description of the function provided by each CDA
\u2022 an analysis that identifies the potential consequence to both the CS and the SSEP functions if a
compromise of the CDA were to occur
\u2022 the identification of the digital devices that have direct or indirect roles in the function of the
CDA (e.g., protection, control, monito ring, reporting, or communications)
\u2022 security functional requirements or specifications that include the following:
\u2013 information security requirements necessary for vendors and developers to maintain the
integrity of acquired systems
\u2013 secure configuration, installation, and operation of the CDA;
\u2013 effective use and maintenance of security features/functions; and
\u2013 known vulnerabilities regarding configuration and use of administrative (i.e., privileged)
functions,
\u2013 user-accessible security features/functions and how to effectively use those security
features/functions,
\u2013 methods for user interaction with CDAs, which enables individuals to use the system in a
more secure manner,
\u2013 user responsibilities in maintaining the security of the CDA
", "controlId": "A.3.1.3", "family": "Program Implementation", "enhancements": "", "sortId": "A.003.001.003", "references": "", "relatedControls": "", "otherId": "A.003.001.003" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "84d15ff9-99aa-418a-89f5-cfa81e83d3c8", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Reviews and Validation Testing ", "description": "[Licensee/Applicant]\u2019s CST conducted a review and performed validation activities and for each CDA,
the CST:
\u2022 its direct and indirect connectivity pathways,
\u2022 infrastructure interdependencies, and
\u2022 the application of defensive strategies, including defensive models, security controls, and other
defensive measures.
The CST validated the above activities through comprehensive walkdowns which included:
\u2022 performance of a physical inspection of the connections and configuration of each CDA;
including tracing all communication connections into and out of the CDA to each termination point along all communication pathways;
\u2022 examination of the physical security established to protect each CDA and its communication
pathways;
\u2022 examination of the configuration and assessment of the effectiveness of existing security controls
(e.g., firewalls, intrusion detection systems, diodes) along the communication pathways;
\u2022 examination of each CS and/or CDA\u2019s interdependencies with other CS and/or CDAs and trust
relationships between the CS and/or CDAs;
\u2022 examination of the interdependencies with infrastructure support systems, emphasizing potential
compromises of electrical power, environmental controls, and fire suppression equipment;
\u2022 examination of systems, networks, and communication systems and networks that are present
within the plant and could be potential pathways for attacks; and
\u2022 resolution of CDA and CS information and configuration discrepancies identified during the
reviews, including the presence of undocumented or missing connections, and other cyber
security-related irregularities associated with the CDA.
The CST performed an electronic validation when physical walkdown inspections were impractical to
trace a communication pathway fully to its conclusion. The team used only electronic validation methods that provide connection validation equivalent to, or better than, physical walkdowns (e.g., use of a digital
voltage meter, physical continuity validation).
", "controlId": "A.3.1.4", "family": "Program Implementation", "enhancements": "", "sortId": "A.003.001.004", "references": "", "relatedControls": "", "otherId": "A.003.001.004" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "fce904a8-1264-4e7c-9dfa-10819ef654ab", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Defense-in-Depth Protective Strategies ", "description": "[Licensee/Applicant] implemented, documented, and maintains a defense-in-depth protective strategy to
ensure the capability to detect, respond to, and recover from cyber attacks on CDAs. The defensive strategy consists of security controls implemented in accordance with Section 3.1 of this plan and the
defensive model described in Section 3.2 of RG 5.71, defense-in-depth in Appendix C Section 6, detailed
defense architecture of Appendix C Section 7, and maintains the cyber security program in accordance
with in Section 4 of Appendix A. The defensive model employed at the site establishes the logical and
physical boundaries between CDAs with similar security risks and CDAs with lower security risks.
", "controlId": "A.3.1.5", "family": "Program Implementation", "enhancements": "", "sortId": "A.003.001.005", "references": "", "relatedControls": "", "otherId": "A.003.001.005" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "c625940c-eeb3-45c3-9f5d-f86f8d672934", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Application of Security Controls", "description": "[Licensee/Applicant] established defense-in-depth protective strategies by implementing and
documenting the following:
\u2022 the defensive model described in Section 3.2 of RG 5.71,
\u2022 the physical and administrative security controls established by the [Site] Physical Security
Program and physical barriers, such as locked doors, locked cabinets, and locating CDAs in the
[Site] protected area or vital area, which are part of the overall security controls used to protect
CDAs from attacks,
\u2022 the operational and management controls describe d in Appendix C to RG 5.71 and verification of
their effectiveness for each CDA, and
\u2022 the technical controls described in Appendix B to RG 5.71 consistent with the process described
below.
With respect to technical security controls, [Licensee/Applicant] used the information collected in
Section 3.1.4 of this plan to conduct one or more of the following for each CDA:
\u2022 implementation of all of the security controls specified in Appendix B to RG 5.71
\u2022 for a security control that could not be applied, implementation of alternative controls that
eliminate threat/attack vectors associated with one or more of the security controls enumerated in
Appendix B to RG 5.71 by:
\u2013 documenting the basis for employing alternative countermeasures
\u2013 performing and documenting an attack vector and attack tree analysis of the CDA and
alternative controls to confirm that the countermeasures provide the same or greater
protection as the corresponding security control identified in Appendix B to RG 5.71
\u2013 ensuring that the alternative controls provide at least the same degree of protection as the
corresponding security control identified in Appendix B to RG 5.71
\u2022 not implementing one or more of the security controls enumerated in Appendix B to RG 5.71 by:
\u2013 performing an attack vector and attack tree analyses of the specific security controls for
the CDA that will not be implemented
\u2013 documenting that the attack vector does not exist (i.e., is not applicable), thereby
demonstrating that those specific security controls are not necessary
[Licensee/Applicant] did not apply a security control when it was determined that the control would
adversely impact SSEP functions. When a security control was determined to have an adverse effect,
then alternate controls were used to mitigate the l ack of the security control for the CDA in accordance
with the process described above.
[Licensee/Applicant] performed an effectiveness analysis, as described in Section 4.1.2, and vulnerability
assessments/scans, as described in Section 4.1.3, of the CDAs to verify that the security program provides high assurance that CDA are adequately protected from cyber attack, up to an including the DBT and has
closed any identified gaps.
", "controlId": "A.3.1.6", "family": "Program Implementation", "enhancements": "", "sortId": "A.003.001.006", "references": "", "relatedControls": "", "otherId": "A.003.001.006" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "79f3835b-22e4-4d90-90f4-fd5912786ea0", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Incorporating the Cyber Security Program into the Physical Protection Program ", "description": "Chapter 23 of the physical security plan references the [Site] Cyber Security Program, in accordance with
10 CFR 73.54(b)(3), 10 CFR 73.55(a)(1), and 10 CFR 73.55(c)(6). [Licensee/Applicant] also considered
cyber attacks during the development and identification of target sets, as required by the Physical Security
Program and 10 CFR 73.55(f)(2).
[Licensee/Applicant] integrated the management of physical and cyber security as follows:
\u2022 established a unified security organization which incorporates both cyber and physical security
and is independent from operations,
\u2022 documented physical and cyber security interdependencies,
\u2022 developed policies and procedures to integrate and unify management and physical and cyber
security controls,
\u2022 incorporated unified policies and procedures to secure CDAs from attacks up to and including the
DBT,
\u2022 coordinated acquisition of physical or cyber security services, training, devices, and equipment,
\u2022 coordinated interdependent physical and cyber security activities and training with physical and
cyber security personnel,
\u2022 integrated and coordinated incident response capabilities with physical and cyber incident
response personnel,
\u2022 trained senior management regarding the needs of both disciplines, and
\u2022 periodically exercise the entire security organization using realistic scenarios combining both
physical and cyber simulated attacks.
The Cyber Security Program is reviewed as a component of the Physical Security Program, as required by
10 CFR 73.55(m).
", "controlId": "A.3.2", "family": "Program Implementation", "enhancements": "", "sortId": "A.003.002", "references": "", "relatedControls": "", "otherId": "A.003.002" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "24f3c644-a12c-4581-8b93-a7e7b936ee4d", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Policies and Implementing Procedures ", "description": "[Licensee/Applicant] developed policies and implementing procedures to meet the security control
objectives provided in Appendices B and C to RG 5.71. [Licensee/Applicant] documented, reviewed,
approved, issued, used, and revised these policies a nd implementing procedures as described in Section 4
of this plan. In addition, personnel responsible for the implementation and oversight of the program
Appendix A to RG 5.71, Page A-7 report to [Chief Nuclear Officer, Chief Nuclear Operations Officer, Vice President of Nuclear Operations,
Vice-President] who is accountable for nuclear plant operation.
[Licensee/Applicant]\u2019s procedures establish the specific responsibilities of the positions described in
Section 10.10 of Appendix C to RG 5.71.
", "controlId": "A.3.3", "family": "Program Implementation", "enhancements": "", "sortId": "A.003.003", "references": "", "relatedControls": "", "otherId": "A.003.003" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "917ec6f6-e7e6-4cd1-8d78-078e10d2ff55", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Maintaining the Cyber Security Program", "description": "This section establishes the programmatic elements necessary to maintain security throughout the life
cycle of CDAs. [Licensee/Applicant] implemented the elements of this section to maintain high
assurance that CDAs associated with the SSEP functions of [Site] are adequately protected from cyber
attacks.
[Licensee/Applicant] employs a life cycle approach consistent with the controls described in Appendix C
to RG 5.71. This approach ensures that the security controls established and implemented for CDAs are
adequately maintained to achieve the site\u2019s overall cyber security program objectives. For proposed new
digital assets, or existing digital assets that are undergoing modification, [Licensee/Applicant] implements
the process described in Section 4.2 of this plan.
[Licensee/Applicant] maintains records in accordance with Section 5 of this plan.
", "controlId": "A.4", "family": "Program Implementation", "enhancements": "", "sortId": "A.004", "references": "", "relatedControls": "", "otherId": "A.004" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "727b2267-4ece-4655-9c15-3911a7de4ca2", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Continuous Monitoring and Assessment ", "description": "This section establishes the programmatic elements necessary to maintain security throughout the life
cycle of CDAs. [Licensee/Applicant] implemented the elements of this section to maintain high
assurance that CDAs associated with the SSEP functions of [Site] are adequately protected from cyber
attacks.
[Licensee/Applicant] employs a life cycle approach consistent with the controls described in Appendix C
to RG 5.71. This approach ensures that the security controls established and implemented for CDAs are
adequately maintained to achieve the site\u2019s overall cyber security program objectives. For proposed new
digital assets, or existing digital assets that are undergoing modification, [Licensee/Applicant] implements
the process described in Section 4.2 of this plan.
[Licensee/Applicant] maintains records in accordance with Section 5 of this plan.[Licensee/Applicant] continuously monitors security controls consistent with Appendix C to RG 5.71.
Automated support tools are also used, as appropriate, to accomplish near real-time cyber security management for CDAs. The continuous monitoring program includes the following:
\u2022 ongoing assessments to verify that the security controls implemented for each CDA remain in
place throughout the life cycle,
\u2022 verification that rogue assets have not been connected to the infrastructure,
\u2022 periodic assessments of the need for and effectiveness of the security controls identified in
Appendices B and C to RG 5.71, and
\u2022 periodic security program review to evaluate and improve the effectiveness of the program.
This element of the program is mutually supportive of the activities conducted to manage configuration
changes of CDAs. Continuous monitoring may require periodic updates to the cyber security plan.
", "controlId": "A.4.1", "family": "Program Implementation", "enhancements": "", "sortId": "A.004.001", "references": "", "relatedControls": "", "otherId": "A.004.001" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "58ce6c7c-928f-405e-9dfa-d4c5d0a96435", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Periodic Assessment of Security Controls ", "description": "[Licensee/Applicant] performs periodic assessments to verify that the security controls implemented for
each CDA remain robust, resilient, and effective in place throughout the life cycle. The CST verifies the
status of these security controls [on at least an annual basis] or in accordance with the specific requirements for each security control, as described in Appendices B and C to RG 5.71, whichever is
more frequent.
", "controlId": "A.4.1.1", "family": "Program Implementation", "enhancements": "", "sortId": "A.004.001.001", "references": "", "relatedControls": "", "otherId": "A.004.001.001" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "4aafc88b-ad94-4258-99e8-65704e8e5639", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Effectiveness Analysis ", "description": "[Licensee/Applicant] performs periodic assessments to verify that the security controls implemented for
each CDA remain robust, resilient, and effective in place throughout the life cycle. The CST verifies the
status of these security controls [on at least an annual basis] or in accordance with the specific requirements for each security control, as described in Appendices B and C to RG 5.71, whichever is
more frequent. The CST monitors and measures the effectiveness and efficiency of the Cyber Security Program
and the security controls to ensure that both are implemented correctly, operating as intended, and continuing to provide high assurance that C DAs are protected against cyber attacks up to and
including the DBT. Reviews of the security program and controls includes, but are not limited to,
periodic testing of the security controls, re-evaluation of the capabilities of the adversaries of the
DBT, audits of the Physical and Cyber Security Programs and implementing procedures;
safety/security interface activities; the Testing, Maintenance, and Calibration Program; operating
experience; and feedback from the NRC and local, State, and Federal law enforcement
authorities.
The insights gained from these analyses are used to:
\u2022 improve performance and effectiveness of the cyber security program,
\u2022 manage and evaluate risk,
\u2022 improve the effectiveness of implemented security controls described in Appendices B and C to
RG 5.71,
\u2022 ascertain whether new security controls are required to protect CDAs from cyber attack,
\u2022 to verify that existing security controls are functioning properly and are effective at protecting
CDAs from cyber attack, and
\u2022 to facilitate corrective action of any gaps discovered in the security program.
The CST verifies the effectiveness of security controls [on at least an annual basis] or in accordance with
the specific requirements for each security control, as described in Appendices B and C to RG 5.71, whichever is more frequent. The CST reviews records of maintenance and repairs on CDA components
to ensure that CDAs which perform security functions are maintained per recommendations provided by
the manufacturer.
", "controlId": "A.4.1.2", "family": "Program Implementation", "enhancements": "", "sortId": "A.004.001.002", "references": "", "relatedControls": "", "otherId": "A.004.001.002" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "72510f26-fb6a-4f5c-9b8b-0852524a70fc", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Vulnerability Assessments and Scans ", "description": "[Licensee/Applicant]\u2019s CST conducts periodic vulnerability scanning and assessments of the security
controls, defensive architecture and of all CDAs to identify security deficiencies. The CST performs
assessments of security controls and scans for vulnerabilities in CDAs and the environment [no less
frequently than once a quarter] or as specified in the security controls in Appendices B and C to RG 5.71,
whichever is more frequent, and when new vulnerabilities that could potentially affect the effectiveness
the security program and security of the CDAs are identified. In addition, the CST employs up-to-date vulnerability scanning tools and techniques that promote interoperability among tools and automate parts
of the vulnerability management process.
[Licensee/Applicant]\u2019s CST analyzes vulnerability assessment and scan reports and addresses
vulnerabilities that could be exploited to compromise CDAs and vulnerabilities that could adversely
impact SSEP functions. The CST shares information obtained from the vulnerability assessment and
scanning process with appropriate personnel to ensure that similar vulnerabilities that may adversely impact the effectiveness of the security of interconnected or similar CDAs and/or may adversely impact
SSEP functions are understood, evaluated, and mitigated.
[Licensee/Applicant] ensures that the assessment and scanning process does not adversely impact SSEP
functions. If this should occur, CDAs will be removed from service or replicated (to the extent feasible) before assessment and scanning is conducted. If [Licensee/Applicant] cannot conduct vulnerability
assessments or scanning on a production CDA because of the potential for an adverse impact on SSEP
functions, alternate controls (e.g., providing a replicated system or CDA to conduct scanning) will be
employed.
", "controlId": "A.4.1.3", "family": "Program Implementation", "enhancements": "", "sortId": "A.004.001.003", "references": "", "relatedControls": "", "otherId": "A.004.001.003" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "0d58b906-94c9-4320-83b4-923332b8ae08", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Change Control ", "description": "[Licensee/Applicant] systematically plans, approves, tests, and documents changes to the environment of
the CDAs, the addition of CDAs to the environment and changes to existing CDAs in a manner that
provides a high level of assurance that the SSEP functions are protected from cyber attacks. During the
operation and maintenance life cycle phases, the program establishes that changes made to CDAs use the
[design control and configuration management procedures or other procedural processes] to ensure that the existing security controls are effective and that any pathway that can be exploited to compromise a
CDA is protected from cyber attacks.
During the retirement phase, the [design control and configuration management procedures or other
procedural processes] address safety, reliability, and security engineering activities.
", "controlId": "A.4.2", "family": "Program Implementation", "enhancements": "", "sortId": "A.004.002", "references": "", "relatedControls": "", "otherId": "A.004.002" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "6d7f97dc-1d19-4fba-bbb1-d31ee8efb65f", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Configuration Management ", "description": "[Licensee/Applicant] has implemented and documented the configuration management controls described
in Appendix C, Section 11 to RG 5.71. [Licensee/Applicant] implements a configuration and change
management process, as described in Section 4.2 of this plan and Section 11 of RG 5.71, to ensure that
the site\u2019s Cyber Security Program objectives remain satisfied. [Licensee/Applicant] ensures that
modifications to CDAs are evaluated in accordance with Section 4.2 of this plan before any modification
is implemented so as to maintain the cyber security performance objectives articulated in 10 CFR 73.54(a)(1).
During the operation and maintenance phases of a CDA life cycle, the [Licensee/Applicant] ensures that
changes made are conducted using these configuration management procedures to avoid the introduction
of additional vulnerabilities, weaknesses, or risks into the system. This process also ensures timely and
effective implementation of each security control specified in Appendices B and C to RG 5.71.
", "controlId": "A.4.2.1", "family": "Program Implementation", "enhancements": "", "sortId": "A.004.002.001", "references": "", "relatedControls": "", "otherId": "A.004.002.001" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "e0b9fe84-d126-429c-8532-107848d48ced", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Security Impact Analysis of Changes and Environment ", "description": "[Licensee/Applicant]\u2019s CST performs a security impact analysis in accordance with section 4.1.2 before
implementing a design or configuration change to a C DA or when changes to the environment occur so as
to manage potential risks introduced by the changes.
[Licensee/Applicant]\u2019s CST evaluates, documents, an d incorporates into the security impact analysis
safety and security interdependencies of other CDAs or systems, as well as updates and documents the
following:
\u2022 the location of the CDA and connected assets,
\u2022 connectivity pathways (direct and indirect),
\u2022 infrastructure interdependencies,
\u2022 application of defensive strategies, including defensive models, security controls, and other
defensive strategy measures, and
\u2022 plantwide physical and cyber security policies and procedures that secure CDAs from a cyber
attack, including attack mitigation and incident response and recovery.
[Licensee/Applicant] performs these impact analyses as part of the change approval process to assess the
impacts of the changes on the security posture of CDAs and security controls, as described in
Section 4.1.2 of this plan, and to address any identified gaps to protect CDAs from cyber attack, up to and
including the DBT as described in Section 4.2.6.
[Licensee/Applicant] manages CDAs for the cyber security of SSEP functions through an ongoing
evaluation of threats and vulnerabilities and implementation of each of the security controls provided in
Appendices B and C to RG 5.71 during all phases of th e life cycle. Additionally, [Licensee/Applicant]
has established and documented procedures for screening, evaluating, mitigating, and dispositioning
threat and vulnerability notifications received fro m credible sources. Dispositioning includes
implementation of security controls to mitigate newly reported or discovered threats and vulnerabilities.
", "controlId": "A.4.2.2", "family": "Program Implementation", "enhancements": "", "sortId": "A.004.002.002", "references": "", "relatedControls": "", "otherId": "A.004.002.002" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "20234ebc-71c7-45f8-a4a1-d86d77a271d5", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Security Reassessment and Authorization ", "description": "[Licensee/Applicant] has established, implemented, documented, and maintains a process that ensures
that modifications to CDAs are evaluated before implementation so that security controls remain effective
and that any pathway that can be exploited to compromise the modified CDA is addressed to protect
CDAs and SSEP functions from cyber attacks. The program establishes that additions and modifications are evaluated, using a proven and accepted method, before implementation to provide high assurance of
adequate protection against cyber attacks, up to and including the DBT, using the process discussed in
Section 4.1.2 of this plan.
[Licensee/Applicant] disseminates, reviews, and updates the following when a CDA modification is
conducted:
\u2022 a formal, documented security assessment and authorization policy which addresses the purpose,
scope, roles, responsibilities, management commitment, coordination among
[Licensee/Applicant] entities, and compliance to reflect all modifications or additions, and
\u2022 a formal, documented procedure to facilitate the implementation of the security reassessment and
authorization policy and associated controls.
", "controlId": "A.4.2.3", "family": "Program Implementation", "enhancements": "", "sortId": "A.004.002.003", "references": "", "relatedControls": "", "otherId": "A.004.002.003" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "c13c974b-44a3-492a-8498-ac0c1713e777", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Updating Cyber Security Practices ", "description": "The [Licensee/Applicant]\u2019s CST reviews, updates and modifies [Site] cyber security policies, procedures,
practices, existing cyber security controls, detailed descriptions of network architecture (including logical and physical diagrams), information on security devices, and any other information associated with the
state of the security program or security controls provided in Appendices B and C to RG 5.71 when
changes occur to CDAs or the environment. This information includes the following:
\u2022 plant- and corporate-wide information on the policies, procedures, and current practices related to
cyber security;
\u2022 detailed network architectures and diagrams;
\u2022 configuration information on security devices or CDAs;
\u2022 new plant- or corporate-wide cyber security defensive strategies or security controls being
developed and policies, procedures, practices, and technologies related to their deployment,
\u2022 the site\u2019s physical and operational security program;
\u2022 cyber security requirements for vendors and contractors;
\u2022 identified potential pathways for attacks;
\u2022 recent cyber security studies or audits (to gain insight into areas of potential vulnerabilities); and
\u2022 identified infrastructure support systems (e.g., electrical power; heating, ventilation, and air
conditioning; communications; fire suppression) whose failure or manipulation could impact the
proper functioning of CSs.
", "controlId": "A.4.2.4", "family": "Program Implementation", "enhancements": "", "sortId": "A.004.002.004", "references": "", "relatedControls": "", "otherId": "A.004.002.004" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "9a99dc35-44e6-48e0-aa88-a8e2f4194ebc", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Review and Validation Testing of a Modification or Addition of a Critical Digital Asset ", "description": "The [Licensee/Applicant]\u2019s CST conducts and documents the results of reviews and validation tests of
each CDA modification and addition using the proces s described in Section 3.1.4 of this plan.
", "controlId": "A.4.2.5", "family": "Program Implementation", "enhancements": "", "sortId": "A.004.002.005", "references": "", "relatedControls": "", "otherId": "A.004.002.005" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "03c600a2-ae81-4c26-a799-e54451aa2c75", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Application of Security Controls Associated with a Modification or Addition ", "description": "When new CDAs are introduced into the environment, the [Licensee/Applicant]:
\u2022 deploys the CDA into the appropriate level of the defensive model described in Section 3.1.5 of
this plan,
\u2022 applies the technical controls identified in Appendix B to RG 5.71 in a manner consistent with the
process described in Section 3.2 of RG 5.71, and
\u2022 confirms that the operational and management controls described in Appendix C of RG 5.71 are
applied and effective for the CDA.
When CDAs are modified, the [Licensee/Applicant]:
\u2022 verifies that the CDA is deployed into the proper level of the defensive model described in
Section 3.2 of RG 5.71,
\u2022 performs a security impact analysis, as described in Section 4.2.2 of this plan,
\u2022 verifies that the technical controls identified in Appendix B to RG 5.71 are implemented in a
manner consistent with the process described in Section 3.1.6 of this plan,
\u2022 verifies that the security controls discussed above are implemented effectively, consistent with
the process described in Section 4.1.2 of this plan, and
\u2022 confirms that the operational and management controls discussed in Appendix C to RG 5.71 are
applied and effective for the CDA.
", "controlId": "A.4.2.6", "family": "Program Implementation", "enhancements": "", "sortId": "A.004.002.006", "references": "", "relatedControls": "", "otherId": "A.004.002.006" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "51aa3e8d-9a88-4df8-8e35-8415498f502c", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Cyber Security Program Review ", "description": "[Licensee/Applicant] Cyber Security Program establishes the necessary measures and governing
procedures to implement periodic reviews of applicable program elements, in accordance with the requirements of 10 CFR 73.55(m).
[Licensee/Applicant] reviews the program\u2019s effectiveness [at least every 24 months]. In addition, reviews
are conducted as follows:
\u2022 within 12 months of the initial implementation of the program;
\u2022 within 12 months of a change to personnel, procedures, equipment, or facilities that potentially
could adversely affect security;
\u2022 as necessary based upon site-specific analyses, assessments, or other performance indicators; and
\u2022 by individuals independent of those personnel responsible for program implementation and
management.
[Licensee/Applicant] documents the results and recommendations of program reviews, management\u2019s
findings regarding program effectiveness, and any actions taken as a result of recommendations from
prior program review, in a report to the [Site\u2019s] [plant manager and to licensee corporate management] at
least one level higher than the individual having responsibility for day-to-day plant operation.
[Licensee/Applicant] maintains these reports in an auditable form, available for inspection, and enters
findings from program reviews into the site\u2019s Corrective Action Program.
", "controlId": "A.4.3", "family": "Program Implementation", "enhancements": "", "sortId": "A.004.003", "references": "", "relatedControls": "", "otherId": "A.004.003" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "38e90176-97b4-4e6f-911f-2633b03ad2f4", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "DOCUMENT CONTROL AND RECORDS RETENTION AND HANDLING ", "description": "[Licensee/Applicant] has established the necessary measures and governing procedures to ensure that
sufficient records of items and activities affecting cyber security are developed, reviewed, approved,
issued, used, and revised to reflect completed work. [Licensee/Applicant] will retain records and
supporting technical documentation required to satisfy the requirements of 10 CFR 73.54 and
10 CFR 73.55, \u201cRequirements for Physical Protection of Licensed Activities in Nuclear Power Reactors against Radiological Sabotage,\u201d until the NRC terminates the facility operating license. Records required
for retention include, but are not limited to, all digital records, log files, audit files, and nondigital records
that capture, record, and analyze network and CDA events. These records are retained to document
access history and discover the source of cyber attacks or other security-related incidents affecting CDAs
or SSEP functions or both. [Licensee/Applicant] will retain superseded portions of these records for at
least 3 years after the record is superseded, unless otherwise specified by the NRC.
", "controlId": "A.5", "family": "Program Implementation", "enhancements": "", "sortId": "A.005", "references": "", "relatedControls": "", "otherId": "A.005" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "746ccd20-9eae-406b-afcb-9da391b52b58", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Access Control Policy and Procedures", "description": "[Licensee/Applicant] developed, disseminated, and [annually] reviews and updates a formal, documented,
\u201ccritical digital asset\u201d (CDA) access control policy which addresses the purpose, scope, roles,
responsibilities, management commitments, and internal coordination of such policy.
[Licensee/Applicant] has also developed formal, documented procedures to facilitate the implementation
of the access control policy and associated access security controls.
The objective of the access control policy is to provide high assurance that only authorized individuals, or
processes acting on their behalf, can access CDAs and perform authorized activities. The access control
policy addresses the following system-specific requirements: account management, access enforcement,
information flow enforcement, separation of functions, least privilege, unsuccessful login attempts,
system use notification, previous login notification, session lock, supervision and review/access control, permitted actions without identification or authentication, automated marking, automated labeling,
network access control, open/insecure protocol restrictions, wireless access restrictions, insecure and
rogue connections and access control for portable and mobile devices and use of external CDAs
proprietary protocol visibility, third party products and controls, and use of external systems.
The access control policy addresses the following:
\u2022 access control rights (i.e., which individuals and processes can access what resources) and access
control privileges (i.e., what these individuals and processes can do with the resources accessed),
\u2022 management of CDAs (i.e., establishing, activating, modifying, reviewing, disabling, and
removing accounts),
\u2022 protection of password/key databases to prevent unauthorized access to master user and password
lists,
\u2022 auditing of CDAs [annually] or immediately upon changes in personnel responsibilities or major
changes in system configurations or functionality, and
\u2022 separation of duties (i.e., through assigned access authorizations).
", "controlId": "B.1.1", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.001", "references": "", "relatedControls": "", "otherId": "B.001.001" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "ab6e5d4e-4086-4437-83c5-6cc7a57d0770", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Account Management", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 managing and documenting CDA accounts, including authorizing, establishing, activating,
modifying, reviewing, disabling, and removing accounts,
\u2022 reviewing CDA accounts in a manner consistent with the access control list provided in the
[design control package, access control program, cyber security procedures] and initiating
required actions on CDA accounts [no less frequently than once every 30 days],
\u2022 requiring access rights to be job function based,
\u2022 conducting reviews when as individuals job function changes to ensure that rights remain limited
to the individuals job function,
\u2022 reviewing and documenting CDA accounts at a maximum interval consistent with the most recent
version of Nuclear Energy Institute (NEI) 03-12, \u201cSecurity Plan, Training and Qualification Plan,
and Safeguards Contingency Plan,\u201d endorsed by the U.S. Nuclear Regulatory Commission
(NRC), and
\u2022 employing automated mechanisms that support CDA account management functions and enable
CDA to automatically: - terminate temporary, guest, and emergency accounts [no less frequently than once every
30 days]
- disable inactive accounts [no less frequently than once every 30 days]
- create and protect audit records for account creation, deletion, and modification
- document and notify system administrators of all account creation, deletion, and
modification activities so that system administrators are aware of any account
modifications and can investigate potential cyber attacks in a timely manner.
", "controlId": "B.1.2", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.002", "references": "", "relatedControls": "", "otherId": "B.001.002" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "d71c0385-a75c-4b8a-b877-467bcd17a84a", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Access Enforcement ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 enforcing assigned authorizations for controlling access to CDAs in accordance with established
policies and procedures,
\u2022 assigning all user rights and privileges on the CDA consistent with the user authorizations,
\u2022 defining and documenting privileged functions and security-relevant information for the CDAs,
\u2022 authorizing personnel access to privileged functions and security-relevant information consistent
with established policies and procedures,
\u2022 restricting access to privileged functions (deployed in hardware, software, and firmware) and
security-relevant information to authorized personnel (e.g., security administrators),
\u2022 defining and documenting privileged functions for CDAs,
\u2022 requiring dual authorization for critical privileged functions and the creation of any privileged
access for users, and
\u2022 ensuring and documenting that access enforcement mechanisms do not adversely impact the
operational performance of CDAs and employing alternate compensating security controls when access enforcement cannot be used.
", "controlId": "B.1.3", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.003", "references": "", "relatedControls": "", "otherId": "B.001.003" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "35c9cdb8-6eb8-4aa2-a112-1e6edeace032", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Information Flow Enforcement", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 enforcing and documenting assigned authorizations for controlling the flow of information, in
near-real time, within CDAs and between interconnected systems in accordance with the established defensive strategy,
\u2022 maintaining documentation that demonstrates that [Licensee/Applicant] has analyzed and
addressed the types of permissible and impermissible flow of information between CDAs,
security boundary devices, and boundaries and the required level of authorization to allow
information flow as defined in the defensive strategy,
\u2022 implementing and documenting information flow control enforcement using protected processing
level (e.g., domain type-enforcement) as a basis for flow control decisions,
\u2022 implementing near-real time capabilities to detect, deter, prevent, and respond to illegal or
unauthorized information flows,
\u2022 preventing encrypted data from bypassing content-checking mechanisms,
\u2022 implementing one-way data flows using hardware mechanisms,
\u2022 implementing dynamic information flow control based on policy that allows or disallows
information flows based on changing conditions or operational considerations, and
\u2022 configuring CDAs such that user credentials are not transmitted in clear text and documenting
this requirement in the access control policy.
", "controlId": "B.1.4", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.004", "references": "", "relatedControls": "", "otherId": "B.001.004" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "14301726-91c6-4c98-a595-606ac64daf23", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Separation of Functions", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 establishing and documenting divisions of responsibility and separating functions as needed to
eliminate conflicts of interest and to ensure independence in the responsibilities and functions of
individuals,
\u2022 enforcing separation of CDA functions through assigned access authorizations,
\u2022 implementing alternative controls and documenting the justification for alternative controls and
countermeasures for increased auditing for those situations in which a CDA cannot support the
differentiation of roles and a single individua l must perform all roles within the CDA, and
\u2022 restricts security functions to the least amount of users necessary to ensure the security of CDAs.
", "controlId": "B.1.5", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.005", "references": "", "relatedControls": "", "otherId": "B.001.005" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "bcb3ca98-bffc-4645-91d1-15ffca8c55d2", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Least Privilege ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 assigning the most restrictive set of rights and privileges or access needed by users for the
performance of specified tasks,
\u2022 configuring CDAs to enforce the most restrictive set of rights and privileges or access needed by
users, and
\u2022 implementing alternative controls and documenting the justification for alternative controls and
countermeasures for increased auditing for situations in which a CDA cannot support the
differentiation of privileges within the CDA and an individual must perform all roles within the CDA.
", "controlId": "B.1.6", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.006", "references": "", "relatedControls": "", "otherId": "B.001.006" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "540c7f11-2668-4314-86bb-942df4fbe53c", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Unsuccessful Login Attempts ", "description": "[Licensee/Applicant] ensures the following:
\u2022 Security controls are implemented to limit the number of invalid access attempts by a user. The
access control policy documents this requirement. The number of failed login attempts in a
specified time period may vary by CDA. For example, more than three invalid attempts within a
1-hour time period will automatically lock out the account. The [Licensee/Applicant] system
enforces the lock out mode automatically.
\u2022 The access control policy includes a requirement that only authorized individuals, who are not the
user, can unlock accounts once the maximum number of unsuccessful login attempts has been
exceeded. Alternatively, other verification techniques or mechanisms that incorporate identity challenges are used.
\u2022 The access control policy documents the justification and details for alternative controls or
countermeasures for those instances in which a CDA cannot support account/node locking or
delayed login attempts. If a CDA cannot perform account/node locking or delayed logins
because of significant adverse impact on performance, safety, or reliability, the
[Licensee/Applicant] employs alternative controls or countermeasures that include the following:
- real-time logging and recording of unsuccessful login attempts, and
- real-time alerting of designated personnel with the security expertise for the CDA
through alarms when the number of defined consecutive invalid access attempts is
exceeded.
", "controlId": "B.1.7", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.007", "references": "", "relatedControls": "", "otherId": "B.001.007" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "60fc72c0-260b-4345-99b2-9a69f4f43137", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "System Use Notification", "description": "[Licensee/Applicant] ensures the following:
\u2022 A \u201csystem use notification\u201d message is displayed before granting system access informing
potential users of the following: - The user is accessing a restricted system.
- System usage is monitored, recorded, and subject to audit.
- Unauthorized use of CDA is prohibited and subject to criminal and civil penalties. The
use of CDAs indicates consent to monitoring and recording.
\u2022 The CDA system use notification message provides privacy and security notices.
\u2022 The CDA system use notification message is approved before its use.
\u2022 The CDA system use notification message remains on the screen until the user takes explicit
actions to log on to the CDA.
\u2022 Physical notices are installed in those instances in which a CDA cannot support system use
notifications.
", "controlId": "B.1.8", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.008", "references": "", "relatedControls": "", "otherId": "B.001.008" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "d6b5a4f3-41c9-40dc-afd1-20fc64443ed8", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Previous Logon Notification ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 upon successful logon, configuring CDA to display the date and time of the last logon and the
number of unsuccessful logon attempts since the last successful logon, and
\u2022 requiring all end users to report any suspicious activity to the Cyber Security Program manager.
", "controlId": "B.1.9", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.009", "references": "", "relatedControls": "", "otherId": "B.001.009" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "e6d99e5a-3c8e-41fb-8000-9f70f8c11e35", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Session Lock ", "description": "[Licensee/Applicant] configures CDAs to do the following:
\u2022 initiate a session lock after [within 30 minutes of inactivity],
\u2022 provide the capability for users to directly initiate session lock mechanisms,
\u2022 maintain the session lock on a CDA until the user reestablishes access using identification and
authentication procedures, and
\u2022 implement alternative controls and document the justification for alternative controls or
countermeasures for those instances in which a CDA cannot support session locks and:
- physically restrict access to the CDA,
- monitor and record physical access to the CDA to detect and respond to intrusions in a
timely manner,
- use auditing or validation measures (e.g., security guard rounds, periodic monitoring of
tamper seals) to detect unauthorized access and modifications to the CDAs,
- ensure that individuals who have access to the CDA are qualified, and
- ensure that those individuals are trustworthy and reliable, in accordance with
10 CFR 73.56.
", "controlId": "B.1.10", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.010", "references": "", "relatedControls": "", "otherId": "B.001.010" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "d220efe7-190a-4491-8681-ac9939f3ec4e", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Supervision and Review \u2014 Access Control", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 documenting, supervising, and reviewing the activities of users with respect to the enforcement
and usage of access controls, and
\u2022 employing automated mechanisms within CDAs to support and facilitate the review of user
activities.
", "controlId": "B.1.11", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.011", "references": "", "relatedControls": "", "otherId": "B.001.011" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "f6ce6fcb-423b-4403-bc9b-1607dae5125b", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Permitted Actions without Identification or Authentication ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 identifying and documenting specific user actions that can be performed on CDAs during normal
and emergency conditions without identification or authentication, and
\u2022 permitting actions to be performed without identification and authentication only to the extent
necessary to accomplish mission objectives, without adversely affecting safety, security, and
emergency preparedness (SSEP) functions, and in a manner consistent with NRC regulations.
", "controlId": "B.1.12", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.012", "references": "", "relatedControls": "", "otherId": "B.001.012" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "1b1829e2-5bbd-497b-8719-f80d6eab32be", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Automated Marking", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 identifying and implementing standard naming conventions for identification of special
dissemination, handling, or distribution instruct ions in compliance with a policy and set of
procedures to ensure that sensitive information is protected from inadvertent disclosure and 10 CFR 73.21, \u201cProtection of Safeguards Information: Performance Requirements,\u201d and
\u2022 ensuring that CDAs are configured to mark hard and soft copy output using standard naming
conventions to identify any special dissemination, handling, or distribution instructions (e.g.,
Security Related Information).
", "controlId": "B.1.13", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.013", "references": "", "relatedControls": "", "otherId": "B.001.013" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "9c43f8e9-a476-41fa-b5d7-c48512e80e25", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Automated Labeling ", "description": "[Licensee/Applicant] labels hard and soft copy information in storage, in process, and in transmission.
", "controlId": "B.1.14", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.014", "references": "", "relatedControls": "", "otherId": "B.001.014" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "dbe531e4-23d9-4e14-9b2c-8e4e33e824a3", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Network Access Control ", "description": "[Licensee/Applicant] employs and documents mitigation techniques to secure CDAs through [media
access control address locking, physical or electrical isolation, static tables, encryption, or monitoring].
", "controlId": "B.1.15", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.015", "references": "", "relatedControls": "", "otherId": "B.001.015" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "e8275181-0c54-4438-98b5-c17bc8262fea", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "\u201cOpen/Insecure\u201d Protocol Restrictions ", "description": "[Licensee/Applicant] employs and documents mitigation techniques to secure CDAs through [media
access control address locking, physical or electrical isolation, static tables, encryption, or monitoring].[Licensee/Applicant] is responsible for the following:
\u2022 documenting and implementing additional precautions to protect networks and bus
communications from unauthorized access when protocols lack security controls,
\u2022 prohibiting the protocols from initiating commands except within the same boundary, and
\u2022 prohibiting these protocols from initiating commands that could change the state of the CDA
from a more secured posture to a less secured posture.
", "controlId": "B.1.16", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.016", "references": "", "relatedControls": "", "otherId": "B.001.016" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "6be5550c-c8a7-4c4d-9833-bd092452b409", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Wireless Access Restrictions", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 only allowing wireless access through a boundary security control device and treating wireless
connections as outside of the security boundary,
\u2022 prohibiting the use of wireless technologies for CDAs associated with safety-related and
important-to-safety functions,
\u2022 disabling wireless capabilities when not utilized,
\u2022 establishing usage restrictions and implementation guidance for wireless technologies,
\u2022 documenting, justifying, authorizing, monitoring, and controlling wireless access to CDAs and
ensuring that the wireless access restrictions are consistent with defensive strategies and
defensive models, as articulated in RG 5.71, and
\u2022 conducting scans [no less frequently than once every week] for unauthorized wireless access
points, in accordance with this document, and disabling access points if unauthorized access
points are discovered.
", "controlId": "B.1.17", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.017", "references": "", "relatedControls": "", "otherId": "B.001.017" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "037f90db-3ea4-4d83-9cbd-f1cc42a0f509", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Insecure and Rogue Connections", "description": "[Licensee/Applicant] verifies that, during deployment of CDAs, when changes or modifications have
been made to CDAs, and [no less frequently than once every month], CDAs are free of insecure and
rogue connections such as vendor connections and modems.
", "controlId": "B.1.18", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.018", "references": "", "relatedControls": "", "otherId": "B.001.018" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "fc9af46b-5261-4c98-a3aa-f61de0c7dd01", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Access Control for Portable and Mobile Devices", "description": "[Licensee/Applicant] is res ponsible for the following:
\u2022 establishing and documenting usage restrictions and implementation guidance for controlled
portable and mobile devices,
\u2022 authorizing, monitoring, and controlling device access to CDAs,
\u2022 enforcing and documenting that mobile device security and integrity are maintained at a level
consistent with the CDA they support, and
\u2022 enforcing and documenting that mobile devices are only used in one security level and that
mobile devices are not moved between security levels.
", "controlId": "B.1.19", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.019", "references": "", "relatedControls": "", "otherId": "B.001.019" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "bd6118a7-c6ca-4a76-b51f-ee5f3e150a1b", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Proprietary Protocol Visibility ", "description": "[Licensee/Applicant] ensures that, when proprietary protocols that create a lack of visibility are used (e.g.,
systems cannot detect attacks because the protocol is proprietary), alternative controls or countermeasures
are implemented to protect the CDAs from cyber attack up to and including the design-basis threat
(DBT).
", "controlId": "B.1.20", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.020", "references": "", "relatedControls": "", "otherId": "B.001.020" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "ce0b3e20-ad92-46ba-a6d6-ba8628943f11", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Third Party Products and Controls ", "description": "[Licensee/Applicant] ensures that, when proprietary protocols that create a lack of visibility are used (e.g.,
systems cannot detect attacks because the protocol is proprietary), alternative controls or countermeasures
are implemented to protect the CDAs from cyber attack up to and including the design-basis threat
(DBT).[Licensee/Applicant] ensures that for situations in which (1) third-party security solutions are not allowed
because of vendor license and service agreements and (2) loss of service support would occur if third-
party applications were to be installed without vendor acknowledgement or approval, alternative controls
or countermeasures are implemented to mitigate vulnerabilities created by the lack of security functions
provided by third-party products.
", "controlId": "B.1.21", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.021", "references": "", "relatedControls": "", "otherId": "B.001.021" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "73f7c2f9-0de7-47b5-a787-0d7be9b90e6b", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Use of External Systems ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 ensuring that external systems cannot be accessed from higher levels, such as Levels 4 and 3,
\u2022 prohibiting external systems from accessing CDAs in Levels 3 and 4, and
\u2022 prohibiting users from using an external system to access CDAs or to process, store, or transmit
organization-controlled information except in situations in which [Licensee/Applicant] verifies the implementation of equivalent security measures on the external system.
", "controlId": "B.1.22", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.022", "references": "", "relatedControls": "", "otherId": "B.001.022" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "c7f3d075-80c0-4247-b51a-6c026c774d2a", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Publicly Accessible Content ", "description": "[Licensee/Applicant] is res ponsible for the following:
\u2022 designates individuals authorized to post information onto a [Licensee/Applicant] system that is
publicly accessible;
\u2022 trains authorized individuals to ensure that publicly accessible information does not contain
information that could cause an adverse impact on SSEP functions or could assist an adversary in carrying out an attack;
\u2022 ensuring that information that could cause an adverse impact on SSEP functions or could assist an
adversary in carrying out an attack is not released to the public,
", "controlId": "B.1.23", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.001.023", "references": "", "relatedControls": "", "otherId": "B.001.023" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "bcc74926-fd12-4ac3-b0b6-37cfa2e24319", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Audit and Accountability Policy and Procedures", "description": "[Licensee/Applicant] developed, disseminated, and [annually] reviews and updates the following while
using an independent party for the audit reviews:
\u2022 a formal, documented audit and accountability policy that addresses the purpose, scope, roles,
responsibilities, management commitments, and internal coordination of the policy, and
\u2022 formal, documented procedures that facilitate the implementation of the audit and accountability
policy and associated audit and accountability security controls.
", "controlId": "B.2.1", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.002.001", "references": "", "relatedControls": "", "otherId": "B.002.001" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "e833a83d-8f12-4f1c-8dc0-4a5699ff88a6", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Auditable Events", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 determining and documenting with SSEP functions those CDAs related events that require
auditing,
\u2022 defining the list of auditable events and frequency of auditing for each identified auditable event,
\u2022 at a minimum, auditing all CDA connections, user login/logouts, configuration/software/firmware
changes, audit setting changes, privileged access, privileged commands, and any modifications of the security functions of CDAs,
\u2022 implementing alternative controls and documenting the justification for alternative controls and
countermeasures for situations in which a CDA cannot support the use of automated mechanisms to generate audit records and employs nonautomated mechanisms and procedures,
\u2022 reviewing and updating the list of defined auditable events [no less frequently than once a year],
\u2022 including execution of privileged functions in the list of events to be audited by the CDAs,
\u2022 preventing CDAs from purging audit event records on restart,
\u2022 coordinating security audit functions within the facility to enhance mutual support and to help
guide the selection of auditable events,
\u2022 configuring all CDAs so that auditable events are adequate to support after-the-fact investigations
of security incidents, and
\u2022 adjusting the events to be audited within the CDAs based on current threat information and
effectiveness analysis described in Section 4.1.2 of Appendix A to RG 5.71.
", "controlId": "B.2.2", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.002.002", "references": "", "relatedControls": "", "otherId": "B.002.002" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "27c5a76e-ab1c-4986-acef-20dd34d030cd", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Content of Audit Records", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 ensuring that CDAs produce audit records that contain sufficient information to establish what
events occurred, when the events occurred, where the events occurred, the sources of the events,
and the outcomes of the events;
\u2022 ensuring that CDAs provide the capability to include additional, more detailed information in the
audit records for audit events identified by type, location, or subject; and
\u2022 implementing architecture that provides the capability to centrally manage the content of audit
records generated by individual components throughout CDAs, and to prevent CDAs from altering or destroying audit records.
", "controlId": "B.2.3", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.002.003", "references": "", "relatedControls": "", "otherId": "B.002.003" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "64df4fcb-8622-4251-88ff-b41a025b8e97", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Audit Storage Capacity", "description": "[Licensee/Applicant] allocates audit record storage capacity, meets NRC record retention requirements,
and configures auditing to reduce the likelihood of such capacity being exceeded.
", "controlId": "B.2.4", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.002.004", "references": "", "relatedControls": "", "otherId": "B.002.004" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "1ac12511-82aa-4c2f-b9a8-cbdd8e60b93d", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Response to Audit Processing Failures ", "description": "[Licensee/Applicant] ensures the following:
\u2022 CDAs provide a warning when allocated audit record storage volume reaches a defined
percentage of maximum audit record storage capacity, which is based on [the function of how quickly storage capacity is consumed and what the organization\u2019s resources and response times
are] and documented.
\u2022 Justification and details for alternate compensating security controls are documented for those
instances in which a CDA cannot respond to audit processing failures.
\u2022 Responses to audit failures by the [Licensee/Applicant] include the use of an external system to
provide these capabilities.
\u2022 If audit processing capabilities fail for a CDA or security boundary device, the following occurs:
- Alerts are sent to designated [Licensee/Applicant] officials in the event of an audit
processing failure.
- Auditing failures are treated as a failure of the CDA or security boundary device and
[Licensee/Applicant] will take action in accordance with the technical specification.
- CDAs with auditing failures take the following additional actions:
\u25e6 Shut down the CDA.
\u25e6 Failover to a redundant CDA where necessary to prevent adverse impact to
safety, security, or emergency preparedness functions.
\u25e6 Overwrite only the oldest audit records.
\u25e6 Stop generating audit records.
", "controlId": "B.2.5", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.002.005", "references": "", "relatedControls": "", "otherId": "B.002.005" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "487df8bb-007e-4304-8c0b-d051c594538f", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Audit Review, Analysis, and Reporting ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 reviewing and analyzing the CDA audit records [no less frequently than once every 30 days] for
indications of inappropriate or unusual activity and reporting findings to designated [Licensee/Applicant] official,
\u2022 adjusting the level of audit review, analysis, and reporting within the CDAs when there is a
change in threat or risk to [Licensee/Applicant] safety, security, and emergency preparedness functions based on credible sources of information as designated by [Licensee/Applicant] or the
NRC, and
\u2022 employing automated mechanisms on CDAs to integrate audit review, analysis, and reporting into
[Licensee/Applicant] processes for investigation and response to suspicious activities.
", "controlId": "B.2.6", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.002.006", "references": "", "relatedControls": "", "otherId": "B.002.006" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "0bb7ee00-54ee-4ee7-97ba-12b49d587868", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Audit Reduction and Report Generation", "description": "[Licensee/Applicant] has configured and deployed all CDA to do the following:
\u2022 provide CDA audit reduction and report generation capability, and
\u2022 provide the capability to automatically process audit records for events of interest based upon
selectable event criteria.
[Licensee/Applicant] documents the justification and details for alternate compensating security controls
for situations in which a CDA cannot support auditing reduction and report generation by providing this
capability through a separate system.
", "controlId": "B.2.7", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.002.007", "references": "", "relatedControls": "", "otherId": "B.002.007" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "0cd46b03-2da5-4a8c-a4f9-aca6a8aeae96", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Time Stamps ", "description": "[Licensee/Applicant] CDAs use a time source protected at an equal or greater level than the CDAs or an
internal system clocks to generate time stamps for audit records, and [Licensee/Applicant] synchronizes
the time on all CDAs.
[Licensee/Applicant] synchronizes the time of all CDAs from a dedicated source protected at an equal or
greater level than the CDA existing on the security network, attached directly to the CDA or via SNTP
and a trusted key management process.
[Licensee/Applicant] implements only methods of time synchronization that do not introduce a
vulnerability to cyber attack and/or common-mode failure and implements alternative controls to manage
potential cyber security risks when time synchronization can not be used for a CDA.
", "controlId": "B.2.8", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.002.008", "references": "", "relatedControls": "", "otherId": "B.002.008" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "ea800150-44e1-4115-82f0-653381424eb2", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Protection of Audit Information ", "description": "[Licensee/Applicant] is res ponsible for the following:
\u2022 protecting audit information and audit tools from unauthorized access, modification, and deletion
in a manner consistent with the CDA sources, and
\u2022 ensuring that all audit information is protected at the same level as the device sources.
", "controlId": "B.2.9", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.002.009", "references": "", "relatedControls": "", "otherId": "B.002.009" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "16ae762b-f2f0-4ae4-ac2f-15a70944176b", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Nonrepudiation", "description": "[Licensee/Applicant] protects CDAs and audit records against an individual falsely denying they
performed a particular action.
", "controlId": "B.2.10", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.002.010", "references": "", "relatedControls": "", "otherId": "B.002.010" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "a0bf590e-3dd4-4647-84ea-dbb9db2d5d35", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Audit Record Retention ", "description": "[Licensee/Applicant] retains audit records consistent with the recordkeeping requirements for the access
authorization program to provide support for after-the-fact investigations of security incidents and to meet
regulatory and [Licensee/Applicant] record retention requirements.
", "controlId": "B.2.11", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.002.011", "references": "", "relatedControls": "", "otherId": "B.002.011" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "5df30cd6-9edf-48eb-9bd9-e83ad61a7b31", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Audit Generation", "description": "[Licensee/Applicant] security architecture provides the following:
\u2022 audit record generation capability for the auditable events on CDAs,
\u2022 audit record generation capability and the capability for authorized users to select which auditable
events are to be audited by specific components of CDAs,
\u2022 audit records for the selected list of auditable events on CDAs, and
\u2022 the capability to compile audit records from multiple components within CDAs into a site wide
(logical or physical) audit trail that is time correlated to within [Licensee/Applicant] defined level of tolerance for the relationship between time stamps of individual records in the audit trail.
", "controlId": "B.2.12", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.002.012", "references": "", "relatedControls": "", "otherId": "B.002.012" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "ac8e5c22-f224-487c-b4cd-3f906c469833", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Critical Digital Asset and Communications Protection Policy and Procedures", "description": "[Licensee/Applicant] developed, disseminated, and [annually] reviews and updates the following:
\u2022 a formal, documented CDA system and communications protection policy that addresses the
purpose, scope, roles, responsibilities, management commitments, and internal coordination of
the system, and
\u2022 formal, documented procedures that facilitate the implementation of the CDA system and
communications protection policy and associated CDA system and communications protection
security controls.
", "controlId": "B.3.1", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.001", "references": "", "relatedControls": "", "otherId": "B.003.001" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "7dc7058e-8221-48f5-9fe0-8cc2b70856db", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Application Partitioning and Security Function Isolation ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 configuring CDAs to separate applications into user functionality (including user interface
services) and CDA management functionality,
\u2022 configuring CDAs to isolate security functions from non-security functions, which is
accomplished through [partitions, domains, etc.], including control of access to and integrity of the hardware, software, and firmware that perform these security functions,
\u2022 configuring CDAs to employ underlying hardware separation mechanisms to facilitate security
function isolation,
\u2022 configuring CDAs to isolate critical security functions (i.e., functions enforcing access and
information flow control) from both non-security functions and other security functions,
\u2022 configuring CDAs to minimize the number of non-security functions included within the isolation
boundary containing security functions,
\u2022 configuring CDA security functions as independent modules that avoid unnecessary interactions
between modules,
\u2022 configuring CDA security functions as a layered structure minimizing interactions between levels
of the design and avoiding any dependence by lower levels on the functionality or correctness of
higher levels, and
\u2022 implementing alternative controls and documenting the justification for alternative controls or
countermeasures for situations in which a CDA cannot support security function isolation and
taking all of the following actions:
- physically restrict access to the CDA,
- monitor and record physical access to the CDA to detect and respond to intrusions in a
timely manner,
- use auditing/validation measures (e.g., security guard rounds, periodic monitoring of
tamper seals) to detect unauthorized access and modifications to the CDAs,
- ensure that individuals who have access to the CDAs are qualified, and
- ensure that those individuals are trustworthy and reliable in accordance with
10 CFR 73.56.
", "controlId": "B.3.2", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.002", "references": "", "relatedControls": "", "otherId": "B.003.002" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "b26b1ca5-550c-49c8-8678-d95d4926cd9f", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Shared Resources ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 configuring CDAs to prevent unauthorized and unintended information transfer via shared system
resources, and
\u2022 using physically separate network devices to create and maintain logical separation of Levels 3
and 4 from each other and from all other levels.
", "controlId": "B.3.3", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.003", "references": "", "relatedControls": "", "otherId": "B.003.003" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "bfc6d819-58ee-412a-ba7f-ca6cda8febb8", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Denial of Service Protection", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 configuring CDAs to protect against or limit the effects of denial of service attacks,
\u2022 configuring CDAs to restrict the ability of users to launch denial of service attacks against other
CDAs or networks, and
\u2022 configuring CDAs to manage excess capacity, bandwidth, or other redundancy to limit the effects
of information-flooding and saturation types of denial-of-service attacks.
", "controlId": "B.3.4", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.004", "references": "", "relatedControls": "", "otherId": "B.003.004" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "8a103171-18ac-42ef-ad7b-de8f583db1af", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Resource Priority ", "description": "[Licensee/Applicant] configures CDAs to limit the us e of resources by priority by preventing lower
priority processes from delaying or interfering with the servicing of any higher priority process.
", "controlId": "B.3.5", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.005", "references": "", "relatedControls": "", "otherId": "B.003.005" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "425da6cd-2907-4c82-9e9f-95f9da01f6fc", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Transmission Integrity", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 configuring CDAs to protect the integrity of transmitted information,
\u2022 employing cryptographic mechanisms to recognize changes to information during transmission
and upon receipt, unless otherwise protected by alternative physical measures,
\u2022 implementing mechanisms to prevent \u201cman-in-the-middle\u201d (MITM) attacks via the following
methods:
- Media Access Control Address Locking\u2014[Licensee/Applicant] locks devices and ports
via address locking to prevent MITM attacks and rogue devices from being added to the
network
- Network Access Control\u2014[Licensee/Applicant] implements network access control to
prevent MITM attacks and rogue devices from being added to the network,
\u2022 implementing monitoring to detect MITM and address resolution protocol poisoning, and
\u2022 implementing alternative controls and documenting the justification for alternative controls or
countermeasures for situations in which a CDA cannot support transmission integrity and
implements all of the following:
- physically restricts access to the CDA,
- monitors and records physical access to the CDA to detect and respond to intrusions in a
timely manner,
- uses auditing/validation measures (e.g., security guard rounds, periodic monitoring of
tamper seals) to detect unauthorized access and modifications to the CDAs,
- ensures that individuals who have access to the CDA are qualified, and
- ensures that those individuals are trustworthy and reliable in accordance with
10 CFR 73.56.
", "controlId": "B.3.6", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.006", "references": "", "relatedControls": "", "otherId": "B.003.006" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "af46c093-89ee-4e3c-afd6-c09f5924a5b1", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Transmission Confidentiality ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 configuring the CDAs to protect the confidentiality of transmitted information,
\u2022 employing cryptographic mechanisms to prevent unauthorized disclosure of information during
transmission and receipt unless otherwise protected by alternative physical measures, and
\u2022 implementing alternative controls and documenting the justification for alternative controls or
countermeasures for situations in which a CDA cannot internally support transmission
confidentiality capabilities, including virtual private networks, or implements all of the following:
\u2013 physically restricts access to the CDA,
\u2013 monitors and records physical access to the CDA to detect and respond to intrusions in a
timely manner,
\u2013 uses auditing/validation measures (e.g., security guard rounds, periodic monitoring of
tamper seals) to detect unauthorized access and modifications to the CDAs,
\u2013 ensures that individuals who have access to the CDA are qualified, and
\u2013 ensures that those individuals are trustworthy and reliable in accordance with
10 CFR 73.56.
", "controlId": "B.3.7", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.007", "references": "", "relatedControls": "", "otherId": "B.003.007" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "8afe29ee-4008-4b00-9b0c-57121928ebec", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Trusted Path", "description": "[Licensee/Applicant] configures CDAs to use trusted communication paths between the user and the
security functions of the CDAs, which includes authentication and reauthentication, at a minimum.
", "controlId": "B.3.8", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.008", "references": "", "relatedControls": "", "otherId": "B.003.008" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "8b16f878-075a-4401-aeb3-e35e8e82e4a9", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Cryptographic Key Establishment and Management", "description": "[Licensee/Applicant] manages cryptographic keys using automated mechanisms with supporting
procedures or manual procedures when cryptography is required and employed within the CDAs in
accordance with [Federal Information Processing Standards (FIPS)140-2 Security Requirements for
Cryptographic Modules].
", "controlId": "B.3.9", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.009", "references": "", "relatedControls": "", "otherId": "B.003.009" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "111e3e77-2334-4f68-a4cd-8d70af3f03ad", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Use of Cryptography ", "description": "[Licensee/Applicant] configures CDAs to implemen t cryptographic mechanisms that comply with
[Federal Information Processing Standards (FI PS)140-2 Security Requirements for Cryptographic
Modules].
", "controlId": "B.3.10", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.010", "references": "", "relatedControls": "", "otherId": "B.003.010" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "ebdfbfee-b556-4241-b3cf-2e96661e8b0b", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Unauthorized Remote Activation of Services ", "description": "[Licensee/Applicant] is res ponsible for the following:
\u2022 configuring CDAs to prohibit remote activation of collaborative computing mechanisms and
providing an explicit indication of use to the local user, and
\u2022 configuring CDAs to provide physical disconnection of cameras and microphones in a manner
that supports ease of use, except when these technologies are used to control and monitor the
CDA for security purposes.
", "controlId": "B.3.11", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.011", "references": "", "relatedControls": "", "otherId": "B.003.011" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "70c71507-dbf2-45a4-84a1-626502f8c668", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Transmission of Security Parameters", "description": "[Licensee/Applicant] configures CDAs to associate security parameters with information exchanged
between CDAs.
", "controlId": "B.3.12", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.012", "references": "", "relatedControls": "", "otherId": "B.003.012" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "5d3f7a08-60b3-4433-9dcb-7c48881d0162", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Public Key Infrastructure Certificates", "description": "[Licensee/Applicant] configures CDAs to associate security parameters with information exchanged
[Licensee/Applicant] issues public key certificates under a certificate policy or obtains public key
certificates under a certificate policy from a provider approved by [Licensee/Applicant].
", "controlId": "B.3.13", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.013", "references": "", "relatedControls": "", "otherId": "B.003.013" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "256c3738-2ca8-4083-a340-671af10001d3", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Mobile Code ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 establishing usage restrictions and implementation guidance for mobile code technologies based
on their potential to cause damage to CDAs if used maliciously, and
\u2022 authorizing, monitoring, and controlling the use of mobile code within the CDAs.
", "controlId": "B.3.14", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.014", "references": "", "relatedControls": "", "otherId": "B.003.014" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "2586e853-3330-4767-b3a4-e31ad9005551", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Secure Name/Address Resolution Service (Authoritative/Trusted Source) ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 configuring systems that provide name/address resolution to supply additional data origin and
integrity artifacts along with the authoritative data returned in response to resolution queries, and
\u2022 configuring systems that provide name/address resolution to CDAs, when operating as part of a
distributed, hierarchical namespace, to provide the means to indicate the security status of child
subspaces and, if the child supports secure resolution services, enabled verification of a chain of
trust among parent and child domains.
", "controlId": "B.3.15", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.015", "references": "", "relatedControls": "", "otherId": "B.003.015" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "de626698-a367-4eb7-82e0-dbc7262c9515", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Secure Name/Address Resolution Service (Recursive or Caching Resolver) ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 configuring the systems that serve name/address resolution service for CDAs to perform data
origin authentication and data integrity verification on the resolution response they receive from
authoritative sources, and
\u2022 configuring CDAs so that, upon receipt of data, they perform data origin authentication and data
integrity verification on resolution responses whether or not the CDAs explicitly request this service.
", "controlId": "B.3.16", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.016", "references": "", "relatedControls": "", "otherId": "B.003.016" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "3a5ff4f7-2100-41ea-a545-c94327aaab66", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Architecture and Provisioning for Name/Address Resolution Service ", "description": "[Licensee/Applicant] configures the systems that collectively provide name/address resolution service for
a logical organization to be fault tolerant and segregate services (i.e., implement role separation).
", "controlId": "B.3.17", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.017", "references": "", "relatedControls": "", "otherId": "B.003.017" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "52f7fbc8-6afc-4eac-963f-a02a3f5e0c8a", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Session Authenticity", "description": "[Licensee/Applicant] configures CDAs to provide mechanisms to protect the authenticity of
communications sessions.
", "controlId": "B.3.18", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.018", "references": "", "relatedControls": "", "otherId": "B.003.018" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "c6a8c524-38e7-418b-9de8-435a445e8c5a", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Thin Nodes ", "description": "[Licensee/Applicant] configures CDAs and consoles to employ processing components that have minimal
functionality and data storage.
", "controlId": "B.3.19", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.019", "references": "", "relatedControls": "", "otherId": "B.003.019" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "ca427c13-e081-4a45-aef4-a0971148c660", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Confidentiality of Information at Rest ", "description": "[Licensee/Applicant] configures CDAs to protect the confidentiality of information at rest.
", "controlId": "B.3.20", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.020", "references": "", "relatedControls": "", "otherId": "B.003.020" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "20560236-513e-4bfa-9494-84bde96b474b", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Heterogeneity/Diversity ", "description": "[Licensee/Applicant] employs diverse technologies in the implementation of CDAs.
", "controlId": "B.3.21", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.021", "references": "", "relatedControls": "", "otherId": "B.003.021" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "9c393c12-e69a-4061-a719-e7c400be4bd3", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Fail in Known State ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 CDAs fail in a known-state to ensure that SSEP functions are not adversely impacted by the
CDAs failure, and
\u2022 to prevent a loss of confidentiality, integrity, or availability in the event of a failure of the CDA or
a component of the CDA.
", "controlId": "B.3.22", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.003.022", "references": "", "relatedControls": "", "otherId": "B.003.022" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "241a7b99-eca1-48b6-995b-5de221524a69", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Identification and Authentication Policies and Procedures", "description": "[Licensee/Applicant] developed, disseminated, and [annually] reviews and updates the following:
\u2022 a formal, documented identification and authentication policy, which addresses purpose, scope,
roles, responsibilities, management commitments, and internal coordination, to positively identify
potential network users, hosts, applications, services, and resources using a combination of identification factors or credentials, and
\u2022 formal, documented procedures that facilitate the implementation of the identification and
authentication policy and associated identification and authentication controls.
The identification and authentication policy and procedures provide guidance on managing both user
identifiers and CDA authenticators. These items include the following:
\u2022 uniquely identifying each user, and processes acting on behalf of a user,
\u2022 verifying the identity of each user, and processes acting on behalf of a user,
\u2022 receiving authorization to issue a user identifier from an appropriate authorized representative,
\u2022 ensuring that the user identifier is issued to the intended party,
\u2022 disabling user identifier after a maximum of [30 days] of inactivity,
\u2022 disabling user identifier immediately upon termination of users need for access,
\u2022 archiving user identifiers,
\u2022 defining initial authenticator content,
\u2022 establishing administrative procedures for initial authenticator distribution; lost, compromised, or
damaged authenticators; and revoking authenticators,
\u2022 changing default authenticators upon control system installation, and
\u2022 changing/refreshing authenticators [annually].
", "controlId": "B.4.1", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.004.001", "references": "", "relatedControls": "", "otherId": "B.004.001" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "1c7312ba-df6a-4f81-bf82-0f6c8486bd09", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "User Identification and Authentication", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 implementing identification and authentication technology to uniquely identify and authenticate
individuals and processes acting on behalf of users interacting with CDA and ensuring that
CDAs, security boundary devices, physical controls of the operating environment, and individuals
interacting with CDAs, are uniquely identified and authenticated and that all processes acting on
behalf of users are equally authenticated and identified,
\u2022 ensuring that the authentication technology employs strong multifactor authentication using
protected processing levels,
\u2022 implementing alternative controls and documenting the justification for alternative controls or
countermeasures for situations in which a CDA cannot support user identification and
authentication and implementing all of the following:
\u2013 physically restricting access to the CDA,
\u2013 monitoring and recording physical access to the CDA to detect and respond to intrusions
in a timely manner,
\u2013 using auditing/validation measures (e.g., security guard rounds, periodic monitoring of
tamper seals) to detect unauthorized access and modifications to the CDAs,
\u2013 ensuring that individuals who have access to the CDA are qualified, and
\u2013 ensuring that those individuals are trustworthy and reliable in accordance with
10 CFR 73.56,
\u2022 implementing secure domain-based authentication, as well as the following:
\u2013 maintaining domain controllers within the given security level they are meant to service,
\u2013 physically and logically securing domain controllers to prevent unauthorized access and
manipulation,
\u2013 prohibiting domain trust relationships between domains that exist at different security
levels,
\u2013 prohibiting domain authentication protocols from being passed between boundaries, and
\u2013 implementing role-based access control where possible to restrict user privileges to only
those required to perform the task, and
\u2022 where domain-based authentication is not used, [Licensee/Applicant] is responsible for the
following: \u2013 documenting and justifying the reason for not implementing secure domain-based
authentication,
\u2013 implementing localized authentication when feasible,
\u2013 implementing the strongest possible challeng e-response authentication mechanism within
a scenario, as supported by the application, and
\u2013 implementing role-based access control where possible to restrict user privileges to only
those required to perform the task.
", "controlId": "B.4.2", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.004.002", "references": "", "relatedControls": "", "otherId": "B.004.002" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "c4cb3e83-149b-4470-9954-6367389b52d8", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Password Requirements ", "description": "[Licensee/Applicant] ensures that, where used, passwords meet the following requirements:
\u2022 The length, strength, and complexity of passwords balance security and operational ease of access
within the capabilities of the CDA.
\u2022 Passwords have length and complexity commensurate with the required security.
\u2022 Passwords are changed every [describe the periods for each class of system, for example 30 days
for workstations, 3 months for CDAs in the vital area, etc. 90 days].
\u2022 Passwords cannot be found in a dictionary and do not contain predictable sequences of numbers
or letters.
\u2022 Copies of master passwords are stored in a secure location with limited access.
\u2022 Authority to change master passwords is limited to authorized personnel.
", "controlId": "B.4.3", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.004.003", "references": "", "relatedControls": "", "otherId": "B.004.003" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "fbd165d8-807a-4b45-8586-df3c6bcf3a9d", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Non-Authenticated Human Machine Interaction Security ", "description": "[Licensee/Applicant] is res ponsible for the following:
\u2022 ensuring that, for those situations in which a human machine interaction (HMI) for a CDA cannot
support authentication because of operational requirements, adequate physical security controls exist that require that operators are both author ized and properly identified and are monitored so
that operator actions are audited and recorded,
\u2022 controlling access to nonauthenticated human machine interactions (NHMI) so as to not hamper
HMI while maintaining security of the NHMI and ensuring that access to the NHMI is limited to only authorized personnel,
\u2022 verifying that SSEP functions are not adversely affected by authentication, session lock, or
session termination controls, and
\u2022 implementing auditing capability on NHMIs to ensure that all operator activity is recorded and
monitored by authorized and qualified personnel and maintaining historical records to provide for
auditing requirements.
", "controlId": "B.4.4", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.004.004", "references": "", "relatedControls": "", "otherId": "B.004.004" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "5fe2c1a3-564f-4a71-8a68-ea8c2f5a9a01", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Device Identification and Authentication ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 implementing and documenting technology that identifies and authenticates devices (i.e., tester)
before those devices establish connections to CDAs, and
\u2022 implementing alternative controls and documenting the justification for alternative controls or
countermeasures for situations in which a CDA cannot support device identification and
authentication (e.g., serial devices) and implementing all of the following:
\u2013 physically restricting access to the CDA,
\u2013 monitoring and recording physical access to the CDA to detect and respond to intrusions
in a timely manner,
\u2013 using auditing/validation measures (e.g., security guard rounds, periodic monitoring of
tamper seals) to detect unauthorized access and modifications to the CDA,
\u2013 ensuring that individuals who have access to the CDA are qualified, and
\u2013 ensuring that those individuals are trustworthy and reliable in accordance with
10 CFR 73.56.
", "controlId": "B.4.5", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.004.005", "references": "", "relatedControls": "", "otherId": "B.004.005" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "246b4e5e-60fe-49a8-a81a-1a260f8ea75b", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Identifier Management", "description": "[Licensee/Applicant] manages and documents user identifiers by performing all of the following:
\u2022 uniquely identifying each user,
\u2022 verifying the identity of each user,
\u2022 receiving authorization to issue a user identifier from an organization official,
\u2022 issuing the user identifier to the intended party,
\u2022 disabling the user identifier after a maximum of [30 days] of inactivity, and
\u2022 archiving user identifiers consistent with records retention for the access authorization program.
", "controlId": "B.4.6", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.004.006", "references": "", "relatedControls": "", "otherId": "B.004.006" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "466cbbd8-1a70-4e4d-bfbf-51f940365049", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Authenticator Management", "description": "[Licensee/Applicant] manages CDA authenticators by performing all of the following:
\u2022 defining initial authenticator content, such as defining password length and composition, tokens,
keys, and other means of authenticating,
\u2022 establishing administrative procedures for initial authenticator distribution; lost, compromised, or
damaged authenticators; and revoking authenticators,
\u2022 changing default authenticators upon CDA installation, and
\u2022 changing/refreshing authenticators [annually].
", "controlId": "B.4.7", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.004.007", "references": "", "relatedControls": "", "otherId": "B.004.007" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "0f32c9f6-8d7e-4de5-a2fe-1ea46ff4039d", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Authenticator Feedback ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 ensuring that CDAs obscure feedback of authentication information during the authentication
process to protect the information from possible exploitation or use by unauthorized individuals,
and
\u2022 ensuring that CDAs and feedback from CDA do not provide information that would allow an
unauthorized user to compromise the authentication mechanism.
", "controlId": "B.4.8", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.004.008", "references": "", "relatedControls": "", "otherId": "B.004.008" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "b18a22f8-318c-4107-af73-0ff2f84f90fc", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Cryptographic Module Authentication", "description": "[Licensee/Applicant] ensures that CDAs authenticate cryptographic modules in accordance with [Federal
Information Processing Standards (FIPS)140-2 Security Requirements for Cryptographic Modules].
", "controlId": "B.4.9", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.004.009", "references": "", "relatedControls": "", "otherId": "B.004.009" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "6cdc5237-c5a5-44ef-84c6-ca214628f6af", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Removal of Unnecessary Services and Programs", "description": "[Licensee/Applicant] documents all required applications, utilities, system services, scripts, configuration
files, databases, and other software and the appropriate configurations, including revisions or patch levels,
for each of the computer systems associated with the CDAs.
[Licensee/Applicant] maintains a list of services required for CDAs. The listing includes all necessary
ports and services required for normal and emergency operations. The listing also includes an
explanation or cross reference to justify why each service is necessary for operation. Only those services
and programs that are necessary for operation are allowed.
[Licensee/Applicant] verifies and documents that all CDAs are patched or mitigated in accordance with
the Flaw Remediation security controls in C 3.2.
[Licensee/Applicant] documents the remediation period appropriate for software and service updates or
workarounds to mitigate all vulnerabilities associated with the product and to maintain the established
level of security.
[Licensee/Applicant] documents the operating system and software patches as CDAs evolve to allow
traceability and verifies that no extra services are reinstalled or reactivated.
[Licensee/Applicant] removes or disables software components that are not required for the operation and
maintenance of the CDA before incorporating the CDA into the production environment.
[Licensee/Applicant] documents components that were removed or disabled. The software removed or
disabled includes, but is not limited to the following:
\u2022 device drivers for network devices not delivered,
\u2022 device drivers for unused peripherals,
\u2022 messaging services (e.g., MSN, AOL IM),
\u2022 servers or clients for unused services,
\u2022 software compilers in all user workstations and servers except for development workstations and
servers,
\u2022 software compilers for languages that are not used in the control system,
\u2022 unused networking and communications protocols,
\u2022 unused administrative utilities, diagnostics, network management, and system management
functions,
\u2022 backups of files, databases, and programs used only during system development,
\u2022 all unused data and configuration files,
\u2022 sample programs and scripts,
\u2022 unused document processing utilities (e.g., Microsoft Word, Excel, Power Point, Adobe Acrobat,
OpenOffice),
\u2022 unused removable media support, and
\u2022 games.
", "controlId": "B.5.1", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.005.001", "references": "", "relatedControls": "", "otherId": "B.005.001" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "0076f46e-eb9c-4714-b587-d4f4434a414f", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Host Intrusion Detection System", "description": "[Licensee/Applicant] establishes, implements, and documents the following requirements:
\u2022 Configure the host intrusion detection system (HIDS) to include attributes, such as static file
names, dynamic file name patterns, system and user accounts, execution of unauthorized code,
host utilization, and process permissions, to enable the system to detect cyber attacks up to and including the DBT.
\u2022 Configure HIDS to log system and user account connections in such a way that the user or
security personnel are alerted if an abnormal situation occurs.
\u2022 Configure the HIDS in a manner that does not adversely impact the CDA safety, security, and
emergency preparedness functions.
\u2022 Configure security logging storage devices as \u201cappend only\u201d to prevent alteration of records on
those storage devices.
\u2022 Perform rules updates and patches to the HIDS as security issues are identified to maintain the
established level of system security.
[Licensee/Applicant] secures HIDS configuration documents to ensure that only authorized personnel
may access them.
", "controlId": "B.5.2", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.005.002", "references": "", "relatedControls": "", "otherId": "B.005.002" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "274ab7d5-2b5e-41e6-8d53-0e3afab1e5f0", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Changes to File System and Operating System Permissions ", "description": "[Licensee/Applicant] establishes, implements, and documents the following requirements:
\u2022 Configure CDAs with the lowest privilege, data, commands, file, and account access.
\u2022 Configure the system services to execute at the lowest privilege level possible for that service and
document the configuration.
\u2022 Document the changing or disabling of access to files and functions.
\u2022 Validate that baseline permission and security settings are not altered after modifications or
upgrades.
", "controlId": "B.5.3", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.005.003", "references": "", "relatedControls": "", "otherId": "B.005.003" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "88394541-1ab6-463d-bf72-aacefdcd9f15", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Hardware Configuration ", "description": "[Licensee/Applicant] establishes, implements, and documents the following requirements:
\u2022 Disable, through software or physical disconnection, unneeded networks, wireless and
communication ports and removable media drives or provided engineered barriers.
\u2022 Password protect the BIOS from unauthorized changes.
\u2022 Document mitigation measures in cases for which password protection of the BIOS is not
technically feasible.
\u2022 Document the hardware configuration.
\u2022 Use network devices to limit access to and from specific locations, where appropriate.
\u2022 Allow system administrators the ability to reenable devices if the devices are disabled by software
and document the configuration.
\u2022 Verify that replacement devices are configured in a manner that is equal to or better than the
original.
", "controlId": "B.5.4", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.005.004", "references": "", "relatedControls": "", "otherId": "B.005.004" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "6b4d6408-cf86-4aea-830e-1d2375832668", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Installing Operating Systems, Applications, and Third-Party Software Updates", "description": "[Licensee/Applicant] establishes, implements, and documents the following:
\u2022 the patch management program, update process, and individuals responsible for installation,
\u2022 notification of vulnerabilities affecting CDAs to be conducted [within 4 hours of receipt of the
vulnerability information],
\u2022 notification to authorized personnel of patches affecting cyber security,
\u2022 the authorization of updates or workarounds to the baseline before implementation,
\u2022 the patch management process for the CDA after installation, including policies, procedures, and
programs relating to mitigation strategies for instances in which the vendor of the CDA informs [Licensee/Applicant] not to apply released patches, and
\u2022 the level of support for testing patch releases.
[Licensee/Applicant] establishes, implements, and tests the following:
\u2022 received cyber security updates on a nonproduction system/device for testing and validation
before installing on production systems, and
\u2022 all updates for security impact.
[Licensee/Applicant] ensures that the nonproduction system/device accurately replicate the
production CDA.
", "controlId": "B.5.5", "family": "Technical Security Controls", "enhancements": "", "sortId": "B.005.005", "references": "", "relatedControls": "", "otherId": "B.005.005" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "7830fc32-50a4-4ce2-8532-0a6c6d22c2da", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Media Protection Policy and Procedures ", "description": "[Licensee/Applicant] developed, disseminated, and [annually] reviews and updates the following:
\u2022 a formal, documented media protection policy that addresses purpose, scope, roles,
responsibilities, management commitment, coordination among
[Site/Licensee/Applicant] entities, and compliance for each information category, as
defined by the site policies, and ensures that any media which can provide information to
assist an adversary is marked at a minimum to identify the sensitive nature of the media, and
\u2022 a formal, documented procedure to facilitate the implementation of the media protection
policy and all associated media protection controls, including the methodology that
defines the purpose, scope, roles, responsibilities, and management commitments in the
areas of media receipt, storage, handling, sanitization, removal, reuse, and disposal
necessary to provide high assurance that the risk of unauthorized disclosure of information that could be used in a cyber attack to adversely impact the \u201csafety, security,
and emergency preparedness\u201d (SSEP) functions of the nuclear facility is prevented.
", "controlId": "C.1.1", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.001.001", "references": "", "relatedControls": "", "otherId": "C.001.001" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "6317215c-b6d7-488e-96cb-88a5fe3f6ce4", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Media Access ", "description": "[Licensee/Applicant] documents and restricts access to \u201ccritical digital asset\u201d (CDA) media to
authorized individuals only. CDA media includes both digital media (e.g., diskettes, magnetic tapes, external or removable hard drives, flash/thumb drives, compact disks, and digital video
disks) and nondigital media (e.g., paper, microfilm).
[Licensee/Applicant] restricts access to any security information on mobile computing and
communications devices with information storage capability (e.g., notebook computers, personal
digital assistants, cellular telephones) to authorized individuals only.
[Licensee/Applicant] employs automated mechanisms to restrict access to media storage areas
and audits access attempts and accesses granted.
", "controlId": "C.1.2", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.001.002", "references": "", "relatedControls": "", "otherId": "C.001.002" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "758a731e-3b95-40e0-8429-e6602d687fb6", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Media Labeling/Marking ", "description": "[Licensee/Applicant] marks removable CDA media and CDA output according to information
categories indicating the distribution limitations and handling caveats. Output on external media,
including video display devices, is marked in accordance with the identified set of special
dissemination, handling, or distribution instruct ions that apply to system output using human
readable, standard naming conventions for media labels.
", "controlId": "C.1.3", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.001.003", "references": "", "relatedControls": "", "otherId": "C.001.003" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "41367fd7-520d-411b-a610-fbb5941b131b", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Media Storage", "description": "[Licensee/Applicant] physically protects and securely stores CDA media to a level commensurate
with the sensitivity of the data.
", "controlId": "C.1.4", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.001.004", "references": "", "relatedControls": "", "otherId": "C.001.004" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "eb5a4244-c1f4-4de2-8e30-7d66625fbd15", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Media Transport ", "description": "[Licensee/Applicant] physically protects and stores CDA media in transport in a manner
commensurate with the sensitivity of the data.
[Licensee/Applicant] protects and controls CDA media during transport outside of controlled
areas and restricts the activities associated with transport of such media to authorized personnel
only.
[Licensee/Applicant] protects digital and nondigital media during transport outside of controlled
areas using [Licensee/Applicant]-defined security measures (e.g., locked containers, transport by
security officer, cryptography).
[Licensee/Applicant] documents activities associated with the transport of CDA media using
[Licensee/Applicant]-defined system of records.
[Licensee/Applicant] uses an identified custodian at all times during transport of CDA media.
", "controlId": "C.1.5", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.001.005", "references": "", "relatedControls": "", "otherId": "C.001.005" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "08c45341-dc96-4cab-8a6d-58b8499bc039", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Media Sanitation and Disposal ", "description": "[Licensee/Applicant] sanitizes CDA media, both digital and nondigital, before disposal or release
for reuse. [Licensee/Applicant] [follows the guidance in NIST SP 800-88] to sanitize CDA media. The information is destroyed by a method that precludes reconstruction by means
available to the DBT adversaries.
[Licensee/Applicant] identifies CDA media requiring sanitization and the appropriate techniques
and procedures to be used in the process; sanitizes identified CDA media, both paper and digital,
before disposal or release for reuse; and implements this control so that media sanitization is consistent. [Licensee/Applicant] tracks, documents, and verifies media sanitization and disposal
actions and performs [quarterly] tests on sanitized data to ensure that equipment and procedures
are functioning properly.
", "controlId": "C.1.6", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.001.006", "references": "", "relatedControls": "", "otherId": "C.001.006" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "4e2208db-3d9b-47ec-8a93-0a4ea4a8fe7d", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Personnel Security Policy and Procedures ", "description": "[Licensee/Applicant]\u2019s reviewing official grants unescorted access authorization to those
individuals who have access, extensive knowledge, or administrative control of CDAs or
communication systems that can adversely impact CDAs or safety, security, and emergency
preparedness functions before they gain access to those systems, in accordance with Title 10 of
the Code of Federal Regulations (10 CFR) 73.56, \u201cPersonnel Access Authorization Requirements
for Nuclear Power Plants.\u201d
", "controlId": "C.2.1", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.002.001", "references": "", "relatedControls": "", "otherId": "C.002.001" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "f40fb432-2743-4266-b37c-2b19722af9c0", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Personnel Termination or Transfer ", "description": "[Licensee/Applicant], upon termination or transfer of an individual\u2019s employment, follows the
access authorization program established under 10 CFR 73.56 and promptly performs the
following actions:
\u2022 terminates all CDA and system access,
\u2022 conducts exit interviews,
\u2022 informs appropriate personnel of status change or termination,
\u2022 retrieves all security-related organizational property, and
\u2022 retains access to organizational information and CDAs formerly controlled by terminated
individual.
", "controlId": "C.2.2", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.002.002", "references": "", "relatedControls": "", "otherId": "C.002.002" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "eb0346f5-3ee7-4cd4-91e1-08decfc9f9df", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "System and Information Integrity Policy and Procedures ", "description": "[Licensee/Applicant] developed, disseminated, and [annually] reviews and updates the following:
\u2022 a formal, documented system and information integrity policy that addresses purpose,
scope, roles, responsibilities, management commitment, coordination among
[Licensee/Applicant] entities, and compliance, and
\u2022 formal, documented procedures to facilitate the implementation of CDAs and an
information integrity policy and associated system and information integrity controls.
[Licensee/Applicant]\u2019s system and information integrity procedures contain the following
attributes:
\u2022 detects malicious or suspicious access control or networking anomalies occurring at
established defensive level boundaries and within security levels,
\u2022 alerts appropriate staff to the detected malicious or suspicious activity using a secure
communications mechanism that is protected from the network being monitored,
\u2022 isolates and contains malicious activity,
\u2022 neutralizes malicious activity,
\u2022 centralizes logging of cyber security events to support correlations,
\u2022 provides for secure monitoring and management of security mechanisms,
\u2022 provides time synchronization for all security-related devices, and
\u2022 provides high assurance that the physical and logical security of the monitoring network
(or systems/CDAs) matches or exceeds, and differs from, the systems/CDAs or networks
being monitored.
", "controlId": "C.3.1", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.003.001", "references": "", "relatedControls": "", "otherId": "C.003.001" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "3f554f5a-5b4c-4ea6-bc5c-e9b56eae3159", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Flaw Remediation ", "description": "[Licensee/Applicant] established, implemented, and documented procedures for the following
purposes:
\u2022 identifying the security alerts and vulnerability assessment process,
\u2022 communicating vulnerability information,
\u2022 correcting the flaw expeditiously utilizing the configuration management process,
\u2022 correcting security flaws in CDAs, and
\u2022 performing vulnerability scans and assessments of the CDA to validate that the flaw has
been eliminated before the CDA is put into production.
Before implementing corrections, [Licensee/Applicant] documents and tests software updates
related to flaw remediation to determine the effectiveness and potential side effects on CDAs.
The [Licensee/Applicant] captures flaw remediation information in its Corrective Action
Program.
", "controlId": "C.3.2", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.003.002", "references": "", "relatedControls": "", "otherId": "C.003.002" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "eae92cc8-68ef-4df0-9a44-bfaec86f986e", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Malicious Code Protection", "description": "[Licensee/Applicant] established, deployed, and documents real-time malicious code protection
mechanisms at security boundary device entry and exit points, CDAs (if applicable),
workstations, servers, and mobile computing devices (i.e., calibrators) on the network to detect
and eradicate malicious code resulting from the following:
\u2022 data communication between systems, CDAs, removable media, or other common means,
and
\u2022 exploitation of CDA vulnerabilities.
[Licensee/Applicant] documents and updates malicious code protection mechanisms (including
signature definitions) whenever new releases are available in accordance with the
[Licensee/Applicant]\u2019s configuration management policy and procedures.
[Licensee/Applicant] documents and configures malicious code protection mechanisms to ensure
the following:
\u2022 Scans are performed of security boundary devices, CDAs (if applicable), workstations,
servers, and mobile computing devices weekly and real-time scans of files from external
sources are performed as the files are downloaded, opened, or executed.
\u2022 Infected files are disinfected and quarantined.
[Licensee/Applicant] documents and employs malicious code protection software products from multiple vendors as part of a defense-in-depth strategy and addresses the receipt of false positives
during malicious code detection and eradication and the resulting potential impact on the
availability of the CDA.
[Licensee/Applicant] centrally manages malicious code protection mechanisms to achieve the following:
\u2022 The CDAs prevent users from circumventing malicious code protection capabilities.
\u2022 The CDAs update malicious code protection mechanisms only when directed by a
privileged user.
[Licensee/Applicant] does not allow users to introduce unauthorized removable media into the CDAs.
[Licensee/Applicant] disables all media interfaces (e.g., USB ports) that are not required for the
operation of the CDA.
[Licensee/Applicant] documents and implements malicious code protection mechanisms to
identify data containing malicious code and responds accordingly when CDAs encounter data not
explicitly allowed by the security policy.
", "controlId": "C.3.3", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.003.003", "references": "", "relatedControls": "", "otherId": "C.003.003" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "0d348691-7b83-4fa2-87bd-6f49db97e8d9", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Monitoring Tools and Techniques ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 monitoring events on the CDAs,
\u2022 detecting CDAs attacks,
\u2022 detecting and blocking unauthorized connections,
\u2022 retaining event logs in accordance with information retention requirements,
\u2022 identifying unauthorized use of the CDAs, and
\u2022 monitoring devices that are deployed to provide visibility across CDAs for the following
capabilities: \u2013 to collect information to detect attacks, unauthorized behavior and access, and
authorized access, and
\u2013 to track specific types of transactions of interest to [Licensee/Applicant].
[Licensee/Applicant] heightens the level of monito ring activity whenever [Licensee/Applicant] or
the U.S. Nuclear Regulatory Commission (NRC) determines that there is an indication of
increased risk to the safety, security, or emergency operations of the site.
[Licensee/Applicant] documents, interconnects, and configures individual intrusion detection
tools into a plantwide intrusion detection system using common protocols.
[Licensee/Applicant] tests cyber intrusion detection and prevention systems consistent with the
timeframe defined in Nuclear Energy Institute (NEI) 03-12, Section 20.1, for intrusion detection
systems, and before being placed back in service after each repair or inoperative state.
[Licensee/Applicant] documents and employs auto mated tools to support near-real-time analysis
of events.
[Licensee/Applicant] documents and employs automated tools to integrate intrusion detection
tools into access control and flow control mechanisms for rapid response to attacks by enabling
reconfiguration of these mechanisms in support of attack isolation and elimination.
[Licensee/Applicant] monitors, logs, and documents inbound and outbound communications for
unusual or unauthorized activities or conditions. Monitoring capabilities provide real-time alerts
when indications of compromise or potential compromise occur.
[Licensee/Applicant] prevents users from circumventing intrusion detection and prevention
capabilities.
[Licensee/Applicant] notifies and documents incident response personnel of suspicious events
and takes the least-disruptive actions to SSEP functions to investigate and terminate suspicious
events.
[Licensee/Applicant] documents and protects information obtained from intrusion monitoring
tools from unauthorized access, modification, and deletion.
[Licensee/Applicant] uses competent cyber security personnel to randomly test and document
intrusion monitoring tools.
[Licensee/Applicant] documents and makes provisions to ensure that encrypted traffic is visible
to monitoring tools.
[Licensee/Applicant] analyzes and documents outbound communications traffic at the external
boundary of CDAs (i.e., system perimeter) and, at selected interior points within the CDAs
infrastructure to discover anomalies.
[Licensee/Applicant] ensures and documents that the use of monitoring tools and techniques does
not adversely impact the functional performance of CDAs and that, where monitoring tools and
techniques cannot be used, adequate alternate controls are in place to compensate.
", "controlId": "C.3.4", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.003.004", "references": "", "relatedControls": "", "otherId": "C.003.004" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "d2385d54-45e6-4023-a9db-7d722df44aeb", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Security Alerts and Advisories", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 receiving timely security alerts, bulletins, advisories, and directives from credible
external organizations as designated by the NRC and the [Licensee/Applicant] on an
ongoing basis, such as third-party security alert notification services and vendor security
alert lists, and maintaining a copy of these documents,
\u2022 independently evaluating and determining the need, severity, methods, and timeframes
for implementing security directives consistent with the security controls for the CDA
(Section 3.1 of Appendix A to Regulatory Guide (RG) 5.71), and
\u2022 within established timeframes set by the licensee or as directed by the NRC,
[Licensee/Applicant]:
\u2013 generates and documents internal security alerts, advisories, and directives as
necessary,
\u2013 disseminates and documents security alerts, advisories, and directives to
designated personnel for action and tracks their status and completion,
\u2013 implements and documents security directives in accordance with established
timeframes or implements an alternate security measure,
\u2013 implements and documents any required mitigation measures in accordance with
the [configuration management process], and
\u2013 employs automated or other mechanisms (e.g., e-mail lists) to make security alert
and advisory information available to [Site], as needed.
", "controlId": "C.3.5", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.003.005", "references": "", "relatedControls": "", "otherId": "C.003.005" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "540c1c06-4291-465a-bf03-93eb27a24ae1", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Security Functionality Verification ", "description": "[Licensee/Applicant] verifies and documents the correct operation of security functions of CDAs.
This occurs, where possible, upon startup and restart, upon command by a user with appropriate
privilege, [weekly], and when anomalies are discovered.
When technically feasible, CDAs provide notification of failed security tests and
[Licensee/Applicant] documents these cases.
If technically feasible, CDAs provide automate d support for the management of distributed
security testing and [Licensee/Applicant] documents the results of this testing.
[Licensee/Applicant] documents the justification for employing alternative (compensating)
controls for those situations in which a CDA cannot support the use of automated mechanisms for
the management of distributed security testing. Nonautomated mechanisms and procedures to
test security functions include the use of the following:
\u2022 qualified individuals,
\u2022 trustworthy and reliable individuals in accordance with 10 CFR 73.56,
\u2022 test procedures and results,
\u2022 physically restricted access to the CDA,
\u2022 monitored and recorded physical access to the CDA (for timely detection and response to
intrusions), and
\u2022 auditing and validation measures (e.g., security officer rounds, periodic monitoring of
tamper seals).
", "controlId": "C.3.6", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.003.006", "references": "", "relatedControls": "", "otherId": "C.003.006" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "4867ce31-ec92-4f6b-8efc-1375df54fb25", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Software and Information Integrity ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 detecting and documenting unauthorized changes to software and information,
\u2022 employing hardware access controls (e.g., hardwired switches), where technically
feasible, to prevent unauthorized software changes,
\u2022 reassessing and documenting the integrity, operation, and functions of software and
information by performing regular integrity, operation, and functional scans consistent
with manufacturer or vendor recommendations, [quarterly] or as defined in NEI 03-12 or
as required by NRC regulation, whichever is more frequent,
\u2022 employing and documenting automated tools, where technically feasible, that provide
notification to designated individuals upon discovering discrepancies during integrity
verification,
\u2022 employing and documenting centrally managed integrity verification tools,
\u2022 requiring the use of physical tamper evident packaging or seals for system components,
\u2022 requiring, when tamper evident packaging is used, that seals be inspected on a regular
basis, and
\u2022 ensuring and documenting that the use of integrity verification applications does not
adversely impact the operational performance of the CDA and applying alternate controls when integrity verification applications cannot be used.
", "controlId": "C.3.7", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.003.007", "references": "", "relatedControls": "", "otherId": "C.003.007" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "21c26c9a-d996-41c9-8e48-ecfbef9185db", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Information Input Restrictions", "description": "[Licensee/Applicant] is responsible for ensuring the following:
\u2022 The capability to input information to CDAs is restricted to only authorized sources.
\u2022 Information is checked automatically for accuracy, completeness, validity, and
authenticity as close to the point of origin as possible. Rules for checking the valid syntax of CDA inputs (e.g., character set, length, numerical range, acceptable values) are
documented and in place to verify that inputs match specified definitions for format and content. Inputs passed to interpreters are prescreened to prevent the content from being
unintentionally interpreted as commands.
", "controlId": "C.3.8", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.003.008", "references": "", "relatedControls": "", "otherId": "C.003.008" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "e713efe9-cb48-4d22-871a-7bbf51e16558", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Error Handling ", "description": "[Licensee/Applicant] documents and implements controls for CDAs to ensure the following:
\u2022 Error conditions are identified.
\u2022 Generated error messages provide information necessary for corrective actions without
revealing potentially harmful information that could be exploited by adversaries.
\u2022 Error messages are revealed only to authorized personnel.
\u2022 Inclusion of sensitive information, such as passwords, in error logs or associated
administrative messages is prohibited.
", "controlId": "C.3.9", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.003.009", "references": "", "relatedControls": "", "otherId": "C.003.009" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "43714471-61de-4d88-91bc-a4760883e227", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Information Output Handling and Retention", "description": "[Licensee/Applicant] retains output from CDAs to ensure that sensitive information is only
disclosed to authorized personnel and is handled and disposed of to ensure that output is not
disclosed to unauthorized personnel.
", "controlId": "C.3.10", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.003.010", "references": "", "relatedControls": "", "otherId": "C.003.010" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "b96db9c2-cf26-4585-a38e-9a8d17a3d43f", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Anticipated Failure Response ", "description": "[Licensee/Applicant] protects the availability of CDAs through compliance with technical
specifications, preventive maintenance programs, maintenance rule programs, security plans,
emergency plans, or the corrective action program. Where these programs do not apply, the
availability of CDAs is provided by the following means:
\u2022 substitution of components, when needed, and a mechanism to exchange active and
standby roles of the components, and
\u2022 consideration of the mean time to failure for components in specific environments of
operation
\u2022 having adequate inventory of essential spare parts.
", "controlId": "C.3.11", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.003.011", "references": "", "relatedControls": "", "otherId": "C.003.011" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "b8627dd1-1ee6-48c3-967f-9463f62ec253", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "System Maintenance Policy and Procedures ", "description": "[Licensee/Applicant] developed, disseminated, and [annually] reviews the following:
\u2022 a formal, documented CDA maintenance policy that addresses purpose, scope, roles,
responsibilities, management commitment, coordination among [Licensee/Applicant]
entities, associated CDA maintenance controls, and compliance,
\u2022 formal, documented procedures to facilitate the implementation of the CDA maintenance
policy and associated maintenance controls, and
\u2022 the system maintenance policy and procedures which cover assets located in all security
boundaries, including the following:
\u2013 owner-controlled area: the outermost protected area boundary for a plant that is
outside the plant\u2019s security area,
\u2013 protected area: an area within the boundaries of a nuclear facility that is
encompassed by physical barriers and to which access is controlled (see
10 CFR 73.2, \u201cDefinitions\u201d),
\u2013 vital areas: areas containing any equipment, system, device, or material, the
failure, destruction, or release of which could directly or indirectly endanger the
public health and safety by exposure to radiation. Vital areas may also contain
equipment or systems which would be required to function to protect public
health and safety following such failure, destruction, or release, and
\u2013 public access area: locations outside the physical control of the plant.
", "controlId": "C.4.1", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.004.001", "references": "", "relatedControls": "", "otherId": "C.004.001" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "e7d72f6b-16ed-48f6-9a46-d6d76c6b0e6a", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Maintenance Tools", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 approving, monitoring, and documenting the use of CDA maintenance tools,
\u2022 inspecting and documenting maintenance tools (e.g., diagnostic and test equipment and
mobile devices, such as laptops) carried into a facility by maintenance personnel for obvious improper modifications,
\u2022 checking and documenting all media and mobile devices, such as laptops, containing
diagnostic, CDA, and system and test programs or software for malicious code before the
media or mobile device is used in or on a CDA,
\u2022 controlling, preventing and documenting the unauthorized removal of maintenance
equipment by one of the following:
\u2013 verifying that there is no [Licensee/Applicant] information contained on the
equipment and validating the integrity of the device before reintroduction into the
facility,
\u2013 sanitizing or destroying the equipment,
\u2013 retaining the equipment within the facility, and
\u2013 obtaining approval from an authority explicitly authorizing removal of the
equipment from the facility, and
\u2022 employing [automated/manual] mechanisms to restrict the use of maintenance tools to
authorized personnel only and employing manual mechanisms only when CDAs or
support equipment (e.g., laptops) cannot support automated mechanisms.
", "controlId": "C.4.2", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.004.002", "references": "", "relatedControls": "", "otherId": "C.004.002" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "4827ab7c-11f8-484a-b906-fee192c54c7c", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Personnel Performing Maintenance and Testing Activities ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 maintaining and documenting a current list of authorized maintenance personnel
consistent with its access authorization program and insider mitigation program, and
\u2022 implementing and documenting [automated mechanism or nonautomated mechanism] to
detect unauthorized use or execution of commands by an escorted individual, or designating and documenting [Licensee/Applicant] personnel with required access
authorization and knowledge necessary to supervise escorted personnel interacting with
CDAs.
", "controlId": "C.4.3", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.004.003", "references": "", "relatedControls": "", "otherId": "C.004.003" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "9fb0f2cd-9c03-4c9a-a0a2-45b94ca4e3fc", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Physical and Environmental Protection Policies and Procedures", "description": "For those CDAs located outside of the [Site] protected area, [Licensee/Applicant] developed,
implemented, and [annually] reviews and updates the following:
\u2022 a formal, documented physical and environmental protection policy that addresses the
following:
\u2013 the purpose of the physical security program as it relates to protecting the CDAs,
\u2013 the scope of the physical security program as it applies to the organization\u2019s staff
and third-party contractors, and
\u2013 the roles, responsibilities, and management accountability structure of the
physical security program to ensure compliance with the [Licensee/Applicant]
security policy and other regulatory commitments, and
\u2022 formal, documented procedures to facilitate the implementation of the physical and
environmental protection policy and associated physical and operational environmental
protection security controls.
", "controlId": "C.5.1", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.005.001", "references": "", "relatedControls": "", "otherId": "C.005.001" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "7a617ac7-2929-4e99-a2de-165d4a84c1dd", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Third Party/Escorted Access", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 screening, enforcing, and documenting security controls for third-party personnel
(including service contractors and other organizations providing control system operation
and maintenance, development, information technology services, outsourced applications, and network and security management) and monitoring service provider
behavior and compliance, and
\u2022 explicitly including personnel security controls in acquisition-related contract and
agreement documents.
", "controlId": "C.5.2", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.005.002", "references": "", "relatedControls": "", "otherId": "C.005.002" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "0918b971-ec8d-4dbb-a18d-ee683b04e74a", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Physical and Environmental Protection ", "description": "[Licensee/Applicant] secures and documents physical access to CDAs. Physical security controls
(e.g., physical, locked, drivers) are employed to limit access to CDAs and to prevent degradation
of the operational environment which could impact the correct performance of CDAs (e.g.,
temperature, humidity, dust, vibration and electromagnetic or radiofrequency interference).
", "controlId": "C.5.3", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.005.003", "references": "", "relatedControls": "", "otherId": "C.005.003" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "0fe12127-fc5f-4d52-8942-cbbfe3ad78a8", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Physical Access Authorizations ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 developing and maintaining a list of, and issuing authorization credentials (e.g., badges,
identification cards, smart cards) to, personnel with authorized access to facilities
containing CDAs and security boundary systems, and
\u2022 designating officials within the organization to review and approve the above access lists
and authorization credentials, consistent with the access authorization program.
", "controlId": "C.5.4", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.005.004", "references": "", "relatedControls": "", "otherId": "C.005.004" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "c9768f66-9150-438a-9752-8b0345d1a4cf", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Physical Access Control ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 controlling all physical access points (including designated entry and exit points) to
locations where CDAs reside and verifying individual access authorization before granting access to these areas,
\u2022 approving individual access privileges and enforcing physical and logical access
restrictions associated with changes to CDAs,
\u2022 controlling logical access through the use of electronic devices and software,
\u2022 generating, retaining, and reviewing records pertaining to access restrictions,
\u2022 ensuring that only qualified and authorized individuals obtain access to CDAs, and
\u2022 controlling physical access to the CDAs independent of the physical access controls for
the facility.
", "controlId": "C.5.5", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.005.005", "references": "", "relatedControls": "", "otherId": "C.005.005" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "a6d815c1-084b-4fdc-8071-af0d1bbd82b3", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Access Control for Transmission Medium", "description": "[Licensee/Applicant] controls and documents physical access to CDA communication paths.
", "controlId": "C.5.6", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.005.006", "references": "", "relatedControls": "", "otherId": "C.005.006" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "dbca45b6-0226-47e2-af44-1ef5f24758b5", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Access Control for Display Medium", "description": "[Licensee/Applicant] controls and documents physical access to CDAs that display information
that may assist an adversary and prevents unauthorized individuals from observing the display
output.
", "controlId": "C.5.7", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.005.007", "references": "", "relatedControls": "", "otherId": "C.005.007" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "9df0b312-3c96-49ec-9696-19cebfc14f53", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Monitoring Physical Access ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 monitoring and documenting physical access to CDAs and security boundaries to detect
and respond to physical security incidents,
\u2022 reviewing physical access logs,
\u2022 coordinating results of reviews and investigations with [Licensee/Applicant]\u2019s incident
response personnel,
\u2022 monitoring real-time physical intrusion alarms and surveillance equipment,
\u2022 employing automated mechanisms to assess and recognize potential intrusions and
initiates appropriate response actions, and
\u2022 providing adequate lighting for access monitoring devices (e.g., cameras).
", "controlId": "C.5.8", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.005.008", "references": "", "relatedControls": "", "otherId": "C.005.008" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "129166d1-90cc-4e09-a76a-1507c5abca1d", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Visitor Control Access Records", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 controlling and documenting visitor physical access to CDAs by verifying the identity
and confirming access authorization of these individuals prior to entry, and
\u2022 escorting visitors and monitoring visitor activity to prevent adverse impact to SSEP
functions.
", "controlId": "C.5.9", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.005.009", "references": "", "relatedControls": "", "otherId": "C.005.009" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "899d2ae3-db17-4f1f-8780-939214d93416", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Defensive Strategy ", "description": "[Licensee/Applicant] implements and documents its defensive strategy that identifies the
protective controls associated within each security level.
[Licensee/Applicant] implements and documents a defensive model that identifies the logical
boundaries for data transfer and associated communication protocols. The model defines the level of connectivity permitted between levels and individual CDAs. The elements of the
defensive strategy are incorporated into CDAs. Security controls are applied commensurate with
the risk associated to perform the function required to meet design specifications and operational
requirements. This approach is used to deter likely methods of attack and provides high
assurance of adequate protection. Defense-in-depth strategies use elements of the physical security plan; emergency response plan; and management, operation, and technical controls.
Security controls are applied to CDAs to limit data flow from one level to another, thus protecting
the CDA from a cyber attack originating from a less secure level. Security controls and defense-
in-depth strategies are used to detect, delay, mitigate, and recover from a cyber attack.
The cyber security defensive model is deployed using a network architecture portrayed by a series
of increasing defensive levels. The model takes advantage of the physical and administrative security controls implemented by the physical security program. Physical barriers such as locked
doors, locked cabinets, or physical location in the [Site] protected area or vital area are also used
to mitigate risk.
Section 3.2 of this plan in Appendix A documents specific information regarding the
[Licensee/Applicant] defensive strategy.
", "controlId": "C.6", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.006", "references": "", "relatedControls": "", "otherId": "C.006" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "0088c3ea-9fe0-46c6-8cff-2a476811f901", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Defense-in-Depth", "description": "[Licensee/Applicant] implements and documents a defensive strategy, as well as the following:
\u2022 allocates the highest degree (i.e., Level 4) of cyber security protection to CDAs that carry
out safety, important to safety, and security functions and protects those CDAs from lower defensive levels,
\u2022 prevents remote access to CDAs located in the highest defensive level,
\u2022 prevents spoofing of addresses from one security level to another,
\u2022 only one-way data flow is allowed from Level 4 to Level 3 and from Level 3 to Level 2,
\u2022 initiation of communications from digital assets at lower security levels to digital assets
at higher security levels is prohibited,
\u2022 bi-directional (2-way) communication between CDAs in Level 4 is only conducted
within a security Level 4,
\u2022 any non-safety system that has bi-directional communication to a safety system is
afforded the same level of protection as the safety system,
\u2022 provides intrusion prevention and detection capabilities within and at the boundaries
between security levels,
\u2022 ensures for defense-in-depth levels using bi-directional (2 way) communication that data
flow from one level to other levels occurs only through a device that enforces the security
policy between each level and detects, prevents, delays, mitigates, and recovers from a
cyber attack coming from the lower security level, and
\u2022 moves data, software, firmware, and devices from lower levels of security to higher
levels of security using a documented validation process or procedure which is
trustworthy at or above the trust level of the device on which the data, code, information,
or device will be installed or connected with to ensure that the data, software, firmware,
or devices are free from known malicious code, Trojan viruses, worms, and other passive
attacks.
[Licensee/Applicant] implements and documents security boundary control devices between
higher security levels and lower security levels that include the following elements:
\u2022 physically and logically secures and hardens CDAs to prevent unauthorized access or
manipulation,
\u2022 employs secure management communications and encryption in accordance with
Appendix B to RG 5.71,
\u2022 provides logging and alert capabilities,
\u2022 provides intrusion detection and prevention capabilities,
\u2022 detects and prevents malware from moving between boundaries,
\u2022 possesses the ability to perform more than stateful inspection with respect to the
protocols used in communication across the boundary, such as through a bastion host or application proxy, and
\u2022 except in the case of data diodes, contains a rule set that at a minimum:
\u2013 is configured to deny traffic, except that which is explicitly authorized,
\u2013 provides protocol, source, and destination filtering such as IP addresses, MAC
addresses, TCP ports, and UDP ports,
\u2013 bases blocking on source and destination address pairs, services, and ports where
the protocol supports this,
\u2013 does not permit either incoming or outgoing traffic by default,
\u2013 is managed either through a direct connection to the firewall from a management
device, such as a laptop, or through a dedicated interface connected to a site-
centric security network,
\u2013 does not permit direct communication to the firewall from any of the managed
interfaces,
\u2013 records information relative to accepted and rejected connections, traffic
monitoring, analysis, and intrusion detection,
\u2013 forwards logs to a centralized logging server,
\u2013 enforces destination authorization and restricts users by allowing them to reach
only the CDAs necessary for their function,
\u2013 records information flow for traffic monitoring, analysis, and intrusion detection,
\u2013 is deployed and maintained by authorized personnel adequately trained in the
technologies used,
\u2013 documents and designs with minimal connections that permit acquisition and
control networks to be severed from corporate networks, should that decision be made, in times of serious cyber incidents or when directed by authorized
personnel who are designated to do so,
\u2013 is evaluated, analyzed, and tested before deployment and routinely upon
modification of the rule set and updates to the operational software and firmware
required to operate the firewall,
\u2013 receives time synchronization from a trusted and dedicated source existing on the
security network, attached directly to the CDA or via SNTP and a trusted key
management process,
\u2013 synchronizes time with CDAs to provide for event correlation,
\u2013 is capable of forwarding logging information in a standard format to a secure
logging server or uses an external device to provide this logging (as in the case of
a data diode),
\u2013 routinely reviews logs by personnel that are appropriately trained in such analysis
to detect malicious or anomalous activity,
\u2013 is updated [quarterly],
\u2013 uses only physically and logically secured and hardened computing devices and
flow control to prevent unauthorized access or manipulation of data streams,
\u2013 allows no information of any kind, including handshaking protocols, to be
transferred directly from networks, systems, or CDAs existing at a lower security
level to networks, systems, or CDAs existing at Level 4, and
\u2013 employs measures to prevent viruses or other malicious or unwanted programs
from propagating information between security levels.
CDAs that provide safety, important-to-safety, security, or control functions are allocated
defensive Level 4 protection. CDAs that provide data acquisition functions are allocated at least
defensive Level 3 protection. The defensive model defines data transmission.
", "controlId": "C.7", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.007", "references": "", "relatedControls": "", "otherId": "C.007" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "372e28e4-4efd-4283-89a5-13e1827f9f23", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Incident Response ", "description": "Measures necessary to deny, deter, and detect cyber attacks are implemented by [system, CDA,
network protective devices] and align with the [Licensee/Applicant] defensive strategy.
[Licensee/Applicant] establishes, implements, and documents security controls to deny, deter, and
detect adverse threats and conditions to CDAs that may be susceptible to cyber attacks. Security
controls employed counteract postulated threats. [Licensee/Applicant] establishes, implements,
and documents the methods used to respond to incidents and to escalate cyber security events to
the [Site/Licensee]\u2019s incident response personnel, appropriate law enforcement authorities, or the
NRC.
The [Licensee/Applicant]\u2019s Corrective Action Program evaluates, tracks, manages, provides
corrective action and documents cyber attacks.
[Licensee/Applicant] procedures that govern response to cyber events direct timely identification,
detection, and response to cyber attacks. When there is a reasonable suspicion of a cyber attack,
response instructions direct notification to the [shift superintendent operations, site security superintendent, manager nuclear information technology, cyber security incident response team]
and other emergency response actions.
[Licensee/Applicant] procedures direct containment activities. These measures include (but are
not limited to) activities necessary for the following:
\u2022 assist operations in conducting an operability determination,
\u2022 isolate the affected CDA with approval by [shift superintendent operations], if possible,
and
\u2022 verify that surrounding or interconnected CDAs, networks, and support systems are not
contaminated, degraded, or compromised.
Eradication activities identify the attack and the compromised pathway. [Licensee/Applicant]
patches, cleans, reimages, or replaces the CDA using disaster recovery procedures.
[Licensee/Applicant] governing procedures direct measures necessary to mitigate the
consequences of cyber attacks.
Recovery activities include, but are not limited to, functional recovery tests, security function and requirements tests, restoration to an operational state, verification of operability, and return to
active service. Systems, networks, or equipment affected by cyber attacks are restored and
returned to operation as directed by [Licensee/ Applicant] procedures. [Licensee/Applicant]
conducts post incident analysis in accordance with its Corrective Action Program.
[Licensee/Applicant] reports cyber attacks to the NRC as directed by [Licensee/Applicant]
procedures, in accordance with the requirements of Appendix G, \u201cReportable Safeguards
Events,\u201d to 10 CFR Part 73 and as further described in Regulatory Position C.8.6.
", "controlId": "C.8", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.008", "references": "", "relatedControls": "", "otherId": "C.008" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "e1567565-3da9-4a9c-b7a0-59cf81e7539b", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Incident Response Policy and Procedures", "description": "[Licensee/Applicant] developed, disseminated, and [annually] reviews and updates the following:
\u2022 a formal, documented incident response policy that addresses purpose, scope, roles,
responsibilities, management commitment, coordination among [Licensee/Applicant]
entities, and compliance,
\u2022 formal, documented procedures to facilitate the implementation of the incident response
policy and associated incident response controls that establish procedures for the
following: \u2013 notifying staff and operators,
\u2013 determining whether unexpected indications or fault conditions could be the
result of a cyber attack in progress,
\u2013 in the event that the cyber attack was the result of previous activities that have
lain dormant within a CDA, using the Corrective Action Program to perform an
analysis to identify entry mechanisms and take steps to close down the
vulnerability, and
\u2013 establishing a disaster recovery plan that specifically permits rapid recovery from
a cyber attack, including system backups which allow rapid reconstruction of the
CDA, and
\u2022 recovery plans that are exercised to ensure that they are effective and that personnel are
sufficiently familiar with how to employ them in accordance with [disaster recovery
plans, business continuity or emergency plans] and that changes made are based on lessons learned from exercises and drills and actual incidents and events.
[Licensee/Applicant] includes stakeholders in the development of incident response policies,
procedures, and plans, including the following groups:
\u2022 physical security,
\u2022 cyber security team,
\u2022 operations,
\u2022 engineering,
\u2022 information technology,
\u2022 human resources,
\u2022 system support vendors,
\u2022 management, and
\u2022 legal.
", "controlId": "C.8.1", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.008.001", "references": "", "relatedControls": "", "otherId": "C.008.001" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "5f00ffcc-e8aa-492e-b950-f3fc563c15bc", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Incident Response Training ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 training personnel in their incident response roles and responsibilities with respect to the
CDAs and providing refresher training [at least annually],
\u2022 incorporating simulated events into incident response training to facilitate effective
response by personnel in crisis situations, and
\u2022 documenting incident response training exercises and acknowledgements that personnel
are qualified and trained.
", "controlId": "C.8.2", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.008.002", "references": "", "relatedControls": "", "otherId": "C.008.002" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "1b50124f-eb93-4cfd-a327-dc179d81d731", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Incident Response Testing and Drills", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 testing and conducting drills of the incident response capability for CDAs [at least
annually],
\u2022 using [Licensee/Applicant]-defined tests or drills or both to update the incident response
capability to maintain its effectiveness,
\u2022 documenting the results of testing and drills,
\u2022 providing incident response testing and drills procedures,
\u2022 employing automated mechanisms to thoroughly and effectively test or drill the incident
response capability, and
\u2022 performing and documenting announced and unannounced tests and drills.
", "controlId": "C.8.3", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.008.003", "references": "", "relatedControls": "", "otherId": "C.008.003" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "b49ad43e-ba00-4627-97a3-ad0b8e1bcf45", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Incident Handling ", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 implementing and documenting an ongoing incident handling capability for security
incidents that includes preparation, detection and analysis, containment, eradication, and recovery [rolled into existing incident handling program],
\u2022 incorporating lessons learned from ongoing incident handling activities into incident
response procedures and implementing the procedures accordingly,
\u2022 forming an integrated cyber security incident response team (CSIRT),
\u2022 in the event of an unplanned incident that reduces the number of required cyber security
personnel, compensating, by using other trained and qualified onsite cyber security personnel or calling in off-duty personnel within 2 hours from the time of discovery,
\u2022 providing the team with the technical skills and authority to effectively respond to a
potential cyber security event,
\u2022 developing and documenting processes, procedures, and controls that the team will
employ upon the discovery or identification of a potential or actual cyber security attack,
and
\u2022 documenting and defining response to the following:
\u2013 identification of what constitutes a cyber security incident,
\u2013 identification of threat level classification for incidents,
\u2013 description of actions to be taken for each component of the Incident Response
&Recovery (IR&R) process,
\u2013 description of individual postulated classes or categories of incidents or attacks,
as analyzed during attack vector analysis, and indicators and potential or planned
methods of mitigation,
\u2013 identification of defensive strategies that would assist in identifying and
containing a cyber attack,
\u2013 description of the CSIRT incident notification process,
\u2013 description of incident documentation requirements,
\u2013 establishment of coordinated and secure communication methods to be used
between local and remote CSIRT members and outside agencies, and
\u2013 description of response escalation requirements.
The [Licensee/Applicant] CSIRT consists of individuals with knowledge and experience in the
following areas:
\u2022 Information and digital system technology\u2014This covers the areas of cyber security,
software development and application, computer system administration, and computer
networking. In particular, knowledge is required of the digital systems involved in plant
operations, including digital instrumentation and control systems, and those involved in
plant business systems. In the plant operations area, this includes programmable logic controllers, control systems, and distributed control systems. In the business area, this
includes computer systems and databases containing information used to design, operate,
and maintain CDAs. In the networking arena, knowledge is required of both plant- and
corporate-wide networks. An experienced and highly skilled cyber security staff member
might have expertise in all of these areas.
\u2022 Nuclear facility operations, engineering, and safety\u2014This includes knowledge of overall
facility operations and plant technical specifications. Staff representing this technical
area must be able to trace the impact of a vulnerability or series of vulnerabilities in a
CDA (or connected digital asset) outward through plant subsystems and systems so that
the overall impact on safety, security, and emergency preparedness of the plant can be
evaluated.
\u2022 Physical and operational security\u2014This includes in-depth knowledge of the plant\u2019s
physical and operational security program. In addition to the above requirements,
specialized in-depth cyber security skills are required to perform the electronic validation
testing and optional scanning activities.
\u2022 [Licensee/Applicant] may not have onsite personnel trained and experienced in all arenas.
If this expertise is not available on site, corporate-level cyber security personnel, an independent cyber security organization, or other sources of the necessary validation
expertise are considered.
In addition, individuals with the following roles join the CSIRT on an as-needed basis (depending
on the incident):
\u2022 site security (physical),
\u2022 senior plant management,
\u2022 corporate public relations, and
\u2022 corporate legal.
Incident data collected includes the following:
\u2022 incident title,
\u2022 date of incident,
\u2022 reliability of report,
\u2022 type of incident (e.g., accident, virus),
\u2022 entry point (e.g., Internet, wireless, modem),
\u2022 perpetrator,
\u2022 type of system, hardware and software impacted,
\u2022 brief description of incident,
\u2022 impact on organization,
\u2022 measures to prevent recurrence, and
\u2022 references.
", "controlId": "C.8.4", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.008.004", "references": "", "relatedControls": "", "otherId": "C.008.004" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "7a482f0c-a652-4b69-b60e-8620bfef6a6d", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Incident Monitoring ", "description": "[Licensee/Applicant] tracks and documents security incidents on an ongoing basis using
automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.
", "controlId": "C.8.5", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.008.005", "references": "", "relatedControls": "", "otherId": "C.008.005" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "0b4e27c4-5a56-456e-bb0a-18c267e453b7", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Incident Reporting", "description": "Regulatory Guide (RG) 5.69, \u201cGuidance for the Application of the Radiological Sabotage Design
Basis Threat in the Design, Development and Implementation of a Physical Security Protection
Program that Meets 10 CFR 73.55 Requirements\u201d (Safeguards Information), provides guidance on the type of cyber attacks and cyber security incidents that are reported to the U.S. Nuclear
Regulatory Commission (NRC).
During the process to investigate and recover from a cyber security attack or cyber incident, a
review to determine reportability is necessary. Currently, several regulations exist to report
emergency and nonemergency events to the NRC. Reporting guidance exists but does not
explicitly establish cyber security reporting criteria. The NRC has developed Draft Regulatory
Guide DG-5019, \u201cReporting of Safeguards Events,\u201d but has not finalized or issued it at the time of this summary.
", "controlId": "C.8.6", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.008.006", "references": "", "relatedControls": "", "otherId": "C.008.006" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "9243c3b1-08e2-4c5c-835e-790e9d6de9e9", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Incident Response Assistance", "description": "[Licensee/Applicant] provides competent and trained incident response support personnel who
are available year round, 24 hours per day to offer advice and assistance to users of CDAs in
response to and reporting of cyber security incidents. The support resource is an integral part of [Licensee/Applicant]\u2019s incident response capability.
Licensee/Applicant] employs mechanisms to increase the availability of incident response-related
information and support.
", "controlId": "C.8.7", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.008.007", "references": "", "relatedControls": "", "otherId": "C.008.007" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "bc7bebc3-8d61-48a4-88d3-a9d105524eaf", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Cyber Incident Response Plan ", "description": "[Licensee/Applicant] developed an incident response plan that:
\u2022 describes the structure and organization of the cyber incident response capability,
\u2022 provides a high-level approach for how the cyber incident response capability fits into the
overall organization,
\u2022 defines reportable cyber incidents consistent with Regulatory Position C.8.6,
\u2022 provides metrics for measuring the cyber incident response capability within the organization,
\u2022 defines the resources and management support needed to effectively maintain and mature an
incident response capability, and
\u2022 is reviewed and approved by the Cyber Security Program Sponsor.
[Licensee/Applicant] distributes copies of the incident response plan plant personnel including
incident response personnel, reviews the incident response plan [annually], revises the incident
response plan to address changes or problems encountered during plan implementation,
execution, or testing, and communicates incident response plan changes to plant personnel
including incident response personnel.
", "controlId": "C.8.8", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.008.008", "references": "", "relatedControls": "", "otherId": "C.008.008" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "34b12cb6-a214-414b-8588-796535a04533", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Contingency Planning Policy and Procedures ", "description": "[Licensee/Applicant] developed, disseminated, and [annually] reviews and updates the following:
\u2022 a formal, documented contingency planning policy that addresses purpose, scope, roles,
responsibilities, management commitment, coordination among [Licensee/Applicant]
entities, and compliance, and
\u2022 formal, documented procedures to facilitate the implementation of the contingency
planning policy and associated contingency planning controls.
[Licensee/Applicant] updates contingency planning policy and procedures and, where necessary,
related policies and procedures for other programs when [Licensee/Applicant] review indicates
updates are required.
[Licensee/Applicant]\u2019s contingency plan includes the following:
\u2022 required response to events or conditions of varying duration and severity that would
activate the recovery plan,
\u2022 procedures for operating the CDAs in manual mode with external electronic connections
severed until secure conditions can be restored,
\u2022 roles and responsibilities of responders,
\u2022 processes and procedures for the backup and secure storage of information,
\u2022 complete and up-to-date logical diagrams depicting network connectivity,
\u2022 current configuration information for components,
\u2022 personnel list (according to title or function or both) for authorized physical and cyber
access to the CDA,
\u2022 communication procedure and list of personnel (according to title or function or both) to
contact in the case of an emergency, and
\u2022 documented requirements for the replacement of components.
", "controlId": "C.9.1", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.009.001", "references": "", "relatedControls": "", "otherId": "C.009.001" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "5cfbf538-6973-40c5-a7bc-adbb6509baa9", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Contingency Plan", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 implementing a cyber security contingency plan to maintain the SSEP functions by
developing and disseminating roles, responsibilities, assigned individuals with contact
information, and activities associated with determining the effects of CDAs after a
compromise, disruption or failure and restoring those CDAs,
\u2022 coordinating contingency plan development with [Licensee/Applicant] organizations
responsible for related plans (e.g., emergency plan, physical security plan) and
requirements (e.g., technical specifications),
\u2022 maintaining the necessary resources and capacity to ensure that necessary information
processing, telecommunications, and environmental support exist during crisis situations,
\u2022 documenting the resources needed to ensure that the capacity necessary for information
processing, telecommunications, and environmental support exists during crisis situations, and
\u2022 deploying CDAs such that, in the event of a loss of processing within a CDA or a loss of
communication with operational facilities, CDAs will execute predetermined actions.
", "controlId": "C.9.2", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.009.002", "references": "", "relatedControls": "", "otherId": "C.009.002" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "2542ee4b-441c-4aa8-9857-35fba93daa53", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Contingency Plan Testing ", "description": "[Licensee/Applicant] is responsible for taking the following actions:
\u2022 tests and/or exercises and documents the contingency plan [at least annually] to verify its
effectiveness and the organization\u2019s readiness to execute this plan,
\u2022 reviews the contingency plan test and exercise results and initiates appropriate corrective
actions,
\u2022 coordinates contingency plan testing and/or exercises with [Licensee/Applicant] elements
responsible for related plans,
\u2022 tests and/or exercises and documents the contingency plan at emergency and/or backup
sites to familiarize contingency personnel with these facilities and their available
resources and to evaluate the [Site\u2019s] capabilities to support contingency operations,
\u2022 employs automated mechanisms to thoroughly and effectively test/exercise the
contingency plan by providing a more complete coverage of contingency issues and
selecting more realistic test/exercise scenarios and environments,
\u2022 includes recovery and reconstitution of CDAs as part of contingency plan testing,
\u2022 establishes and documents alternate controls when the contingency plan cannot be tested
or exercised on production CDAs because of the potential for a significant adverse
impact on safety, security, performance, or reliability of the site or CDA, and
\u2022 uses scheduled and unscheduled system maintenance activities, including responding to
CDA component and system failures, as an opportunity to test or exercise the contingency plan.
", "controlId": "C.9.3", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.009.003", "references": "", "relatedControls": "", "otherId": "C.009.003" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "25506ef7-75f6-4c3e-b713-fbcf415bbb10", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Contingency Plan Training", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 training personnel in their contingency roles and responsibilities with respect to the
CDAs and providing refresher training [at least annually] or consistent with the
[Licensee/Applicant\u2019s] overall contingency program, whichever period is shorter,
\u2022 maintaining training procedures and documenting training records of individuals,
\u2022 including training drills to familiarize contingency personnel with the facility, CDAs, and
available resources and evaluating the site\u2019s capabilities to support contingency operations,
\u2022 employing automated mechanisms to thoroughly and effectively test/drill the contingency
plan by providing more complete coverage of contingency issues, and
\u2022 selecting realistic test/drill scenarios and environments, effectively stressing the CDAs.
", "controlId": "C.9.4", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.009.004", "references": "", "relatedControls": "", "otherId": "C.009.004" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "80b368e9-7931-4552-8d0c-65d77260c2ae", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Alternate Storage Site and Location for Backups ", "description": "[Licensee/Applicant] identifies and documents alternate storage locations and initiates necessary
agreements to permit the storage of CDA back up information. The frequency of CDA backups
and the transfer rate of backup information to the alternate storage locations are consistent with
[Licensee/Applicant]\u2019s recovery time objectives and recovery plan objectives.
[Licensee/Applicant] is responsible for the following:
\u2022 identifying an alternate storage location that is geographically separated from the primary
storage location so as not to be susceptible to a common hazard,
\u2022 configuring the alternate storage location to facilitate recovery of operation, and
\u2022 identifying and documenting potential accessibility problems to the alternate storage
location in the event of a wide area disruption or disaster and implementing explicit
mitigation actions.
", "controlId": "C.9.5", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.009.005", "references": "", "relatedControls": "", "otherId": "C.009.005" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "a5a436cc-b9c0-45f9-8150-129a9107fa16", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "CDA Backups", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 conducting backups of user-level and system-level information,
\u2022 backing up CDAs at an interval identified for the CDA or based on trigger events,
\u2022 protecting backup information at the storage location,
\u2022 testing and documenting backup information [monthly] to verify media reliability and
information integrity,
\u2022 using backup information in the restoration of CDA functions as part of contingency plan
testing,
\u2022 protecting system backup information from unauthorized modification,
\u2022 storing backup copies of the operating system and other critical CDA software in a
separate facility or in a fire-rated container that is not collocated with the operational
software, and
\u2022 establishing and documenting the timeframe in which data or the CDA must be restored
and the frequency at which critical data and configurations are changing.
", "controlId": "C.9.6", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.009.006", "references": "", "relatedControls": "", "otherId": "C.009.006" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "1d9af275-a3f8-4eb4-bec3-4f5f3a45ac23", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Recovery and Reconstitution", "description": "[Licensee/Applicant] employs mechanisms with supporting procedures that allow CDAs to be
recovered and reconstituted to a known secure state following a disruption or failure and only
when initiated by authorized personnel. [Licensee/Applicant] performs regression testing before
returning to normal operations to ensure that CDA are performing correctly.
", "controlId": "C.9.7", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.009.007", "references": "", "relatedControls": "", "otherId": "C.009.007" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "299b9f76-83e7-4b8d-b590-aa3bd61f3dce", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Cyber Security Awareness and Training ", "description": "[Licensee/Applicant] establishes, implements, and documents the training requirements necessary
for licensee/applicant personnel and contractors to perform their assigned duties and
responsibilities in implementing the requirements of the program.
[Licensee/Applicant] individuals are trained to a level of cyber security knowledge appropriate to
their assigned responsibilities in order to provide high assurance that these individuals are able to
perform their job functions properly.
", "controlId": "C.10.1", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.010.001", "references": "", "relatedControls": "", "otherId": "C.010.001" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "5d60adf9-feef-4d87-b600-c1ce308e71c9", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Awareness Training", "description": "[Licensee/Applicant]\u2019s cyber security awareness training is designed to increase an individual\u2019s
sensitivity to cyber threats and vulnerabilities and their recognition of the need to protect data and
information. Policy-level awareness training prov ides employees and contractors with the ability
to understand security policies so that the program is effectively implemented. Individual users
must understand their responsibility for adherence to applicable policies and standards.
[Licensee/Applicant] establishes, implements, and documents requirements for the following:
\u2022 Training programs provide basic cyber security awareness training for facility personnel.
Refresher or continuous training provides updates on new threats and technology.
\u2022 Cyber security awareness is provided by displaying posters, offering security-messaged
items, generating e-mail advisories and notices, and displaying logon screen messages.
\u2022 Training includes practical exercises to simulate actual cyber incidents, recovery plans,
response plans and adversary attacks.
[Licensee/Applicant] develops and documents the content of cyber security training based on the
following:
\u2022 assigned roles and responsibilities,
\u2022 specific requirements identified by the defensive strategy, and
\u2022 CDAs to which personnel have authorized access.
[Licensee/Applicant] establishes, implements, and documents requirements for training to
provide the following:
\u2022 cyber security awareness training for [Licensee/Applicant] employees and contractors
which addresses the following: \u2013 the site-specific objectives, management expectations, programmatic authority,
roles and responsibilities, policies, procedures, and consequences for
noncompliance with the cyber security program,
\u2013 general attack methodologies, including social engineering techniques and
appropriate and inappropriate cyber security practices,
\u2013 attack indicators, such as the following:
\u25e6 unusually heavy network traffic,
\u25e6 out of disk space or significantly reduced free disk space,
\u25e6 unusually high CPU usage,
\u25e6 creation of new user accounts,
\u25e6 attempted or actual use of administrator-level accounts,
\u25e6 locked-out accounts,
\u25e6 account in-use when the user is not at work,
\u25e6 cleared log files,
\u25e6 full log files with unusually large number of events,
\u25e6 antivirus or IDS alerts,
\u25e6 disabled antivirus software and other security controls,
\u25e6 unexpected patch changes,
\u25e6 machines connecting to outside IP addresses,
\u25e6 requests for information about the system (social engineering attempts),
\u25e6 unexpected changes in configuration settings,
\u25e6 unexpected system shutdown,
\u25e6 unusual activity from control devices,
\u25e6 loss of signal from control devices, and
\u25e6 unusual equipment in secure areas,
\u2013 organizational contacts to whom to report suspicious activity, incidents, and
violations of cyber security policies, procedures, or practices,
\u2013 an explanation as to why access and control methods are required,
\u2013 measures users can employ to reduce risks, and
\u2013 the impact on the organization if the control methods are not incorporated.
", "controlId": "C.10.2", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.010.002", "references": "", "relatedControls": "", "otherId": "C.010.002" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "572eeda9-feb5-42e6-9eca-3e994f35b1b7", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Technical Training ", "description": "[Licensee/Applicant] establishes, implements, and documents training programs for personnel
performing, verifying, or managing activities within the scope of the program to ensure that
suitable proficiency is achieved and maintained. [Licensee/Applicant] individuals that have cyber
security responsibilities related to programs, processes, procedures, or individuals that are
involved in the design, modification, and maintenance of CDAs, will receive technical training.
[Licensee/Applicant] establishes, implements, and documents requirements to do the following:
\u2022 provide cyber security-related technical training to individuals:
\u2013 before authorizing access to CDAs or performing assigned duties,
\u2013 when required by policy or procedure changes and plant modifications, and
\u2013 annually or at an interval as defined by the [Licensee/Applicant], whichever is
shorter, to mitigate risk and to ensure personnel maintain competency, and
\u2022 provide cyber security-related technical training on applicable cyber security concepts
and practices to those individuals whose roles and responsibilities involve designing,
installing, operating, maintaining, or administering (e.g., serving as a system
administrator) CDAs or associated networks which addresses the following:
\u2013 knowledge of specific cyber security and engineering procedures, practices, and
technologies, including implementation methods and design requirements, which
apply to the assets they may encounter as part of their job and
\u2013 general information on cyber vulnerabilities, potential consequences to CDAs
and networks of successful cyber attacks, and cyber security risk reduction
methods
[Licensee/Applicant] provides system managers, cyber security specialists, system owners,
network administrators, and other personnel having access to system-level software with security-related technical training to perform their assigned duties.
", "controlId": "C.10.3", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.010.003", "references": "", "relatedControls": "", "otherId": "C.010.003" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "714669de-3c52-4f78-ba6d-a7561a85a9d5", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Specialized Cyber Security Training ", "description": "[Licensee/Applicant] individuals who have programmatic and procedural cyber security authority
and require the necessary skills and knowledge to execute capabilities expected of a cyber
security specialist receive specialized cyber security training in order to design, execute, and
manage the cyber defensive strategy effectively.
[Licensee/Applicant] establishes, implements, and documents requirements for advanced training
for individuals who are designated security experts or specialists, including the cyber security
specialists with roles and responsibilities for cyber security, incident response, and the execution
and management of defense-in-depth protective strategies. Advanced training addresses the
following:
\u2022 achievement and maintenance of the necessary up-to-date skills and knowledge in core
competencies of data security, operation system security, application security, network
security, security controls, intrusion analysis, incident management and response, digital
forensics, penetration testing, and plant system functionality and operations,
\u2022 competency in the use of tools and techniques to physically and logically harden CDAs
and networks to reduce vulnerabilities to cyber attack,
\u2022 the provision of cyber security guidance, assistance, and training for other staff members,
\u2022 the review of programmatic and system-specific cyber security plans and practices,
\u2022 assessment of CDAs, networks, and assets for compliance with cyber security policies,
and
\u2022 design, acquisition, installation, operation, maintenance, or administration of security
controls.
", "controlId": "C.10.4", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.010.004", "references": "", "relatedControls": "", "otherId": "C.010.004" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "d1ffd97d-80f7-4511-9d33-fd4c042a09de", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Cross-Functional Cyber Security Team", "description": "[Licensee/Applicant] develops, implements, and documents a cross-functional cyber security
team (CST).
[Licensee/Applicant] develops, implements, and documents a program to share expertise and
varied domain knowledge between members of the CST.
[Licensee/Applicant]\u2019s CST includes, at a minimum, a member of the organization\u2019s information
technology staff, an instrumentation and control system engineer, a control system operator, a
subject matter expert in cyber security, and a member of the management staff.
[Licensee/Applicant]\u2019s cyber security subject matter experts\u2019 skills include network architecture
and design, security processes and practices, and secure infrastructure design and operation.
[Licensee/Applicant]\u2019s CST also includes the control system vendor or system integrator, as
needed.
[Licensee/Applicant]\u2019s CST reports [directly to organizational structure how and who].
", "controlId": "C.10.5", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.010.005", "references": "", "relatedControls": "", "otherId": "C.010.005" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "e900ffe4-cb7e-4b85-9510-1fc3979a9e02", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Situation Awareness ", "description": "[Licensee/Applicant] security training describes the physical processes being controlled, as well
as the associated CDAs and security controls.
", "controlId": "C.10.6", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.010.006", "references": "", "relatedControls": "", "otherId": "C.010.006" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "b19378db-c11a-4622-bce4-544d05bdee36", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Feedback", "description": "[Licensee/Applicant] establishes, implements, and documents a feedback process for personnel
and contractors to refine the cyber security program and address identified training gaps.
", "controlId": "C.10.7", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.010.007", "references": "", "relatedControls": "", "otherId": "C.010.007" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "b7394d5f-d2f4-444e-9d1a-d0b17e9ed313", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Security Training Records", "description": "[Licensee/Applicant] documents and monitors individual cyber security training.
", "controlId": "C.10.8", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.010.008", "references": "", "relatedControls": "", "otherId": "C.010.008" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "43ea3023-88e7-4dd1-b42a-4bab86eeca4c", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Contacts with Security Groups and Associations ", "description": "[Licensee/Applicant] documents and monitors individual cyber security training.[Licensee/Applicant] maintains contact with selected security groups to remain informed of
newly recommended security practices, techniques, and technologies and to share current
security-related information including threats, vulnerabilities, and incidents.
", "controlId": "C.10.9", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.010.009", "references": "", "relatedControls": "", "otherId": "C.010.009" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "14785b2c-6ffa-4903-87be-361a4fa7b0ab", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Roles and Responsibilities", "description": "[Licensee/Applicant] creates, documents, and staffs the following positions (roles) with
appropriately qualified personnel:
Role: Cyber Security Sponsor
Requirements: member of senior site management
Responsibilities:
\u2022 overall responsibility and accountability for the cyber security program, and
\u2022 provides resources required for the development, implementation and sustenance of the
cyber security program.
Role: Cyber Security Program Manager
Responsibilities:
\u2022 provides oversight of the plant cyber security operations,
\u2022 functions as a single point of contact for issues related to site cyber security,
\u2022 provides oversight and direction on issues regarding nuclear plant cyber security,
\u2022 initiates and coordinates CSIRT functions as required,
\u2022 coordinates with the NRC as required during cyber security events,
\u2022 oversees and approves the development and implementation of a cyber security plan,
\u2022 ensures and approves the development and operation of the cyber security education,
awareness, and training program, and
\u2022 oversees and approves the development and implementation of cyber security policies
and procedures.
Role: Cyber Security Specialist
Responsibilities:
\u2022 protects CDAs from cyber threat,
\u2022 understands the cyber security implications surrounding the overall architecture of plant
networks, control systems, safety systems, operating systems, hardware platforms, plant-
specific applications, and the services and protocols upon which those applications rely,
\u2022 performs cyber security evaluations of digital plant systems,
\u2022 conducts security audits, network scans, and penetration tests against CDAs as necessary,
\u2022 conducts cyber security investigations involving compromise of CDAs,
\u2022 preserves evidence collected during cyber security investigations to prevent loss of
evidentiary value, and
\u2022 maintains expert skill and knowledge level in the area of cyber security.
Role: Cyber Security Incident Response Team
Requirements:
\u2022 personnel have knowledge of cyber forensics and
\u2022 functions in accordance with the incident response plan
Responsibilities:
\u2022 initiates emergency action when required to safeguard CDAs from compromise and to
assist with the eventual recovery of compromised systems,
\u2022 contains and mitigates incidents involving critical and other support systems, and
\u2022 restores compromised CDAs.
", "controlId": "C.10.10", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.010.010", "references": "", "relatedControls": "", "otherId": "C.010.010" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "bbf83de6-5c0e-41c2-b455-8357338b9fde", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Configuration Management ", "description": "[Licensee/Applicant] establishes, implements, and documents configuration management security
controls for CDAs consistent with the process described in Section 4.2.1 of [this Plan (Appendix
A)].
", "controlId": "C.11.1", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.011.001", "references": "", "relatedControls": "", "otherId": "C.011.001" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "70377844-06cb-4548-9105-c6f59ef7d165", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Configuration Management Policy and Procedures ", "description": "[Licensee/Applicant] develops, disseminates, and [annually] reviews and updates a formal,
documented configuration management policy and implementing procedures that address the
purpose, scope, roles, responsibilities, management commitment, [coordination among
[Licensee/Applicant] entities], associated configuration management controls, and compliance.
[Licensee/Applicant] documents its configuration management policy as a part of the [Site]
configuration management plan and includes hard ware configurations, software configurations,
and access permissions. Changes to hardware or software are documented and accessed in
accordance with these policies and implementing procedures.
The structured configuration management process evaluates and controls changes to CDAs to
ensure that CDAs remains secure. Before any change is implemented, [Licensee/Applicant] confirms that new vulnerabilities are not introduced.
", "controlId": "C.11.2", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.011.002", "references": "", "relatedControls": "", "otherId": "C.011.002" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "f6cf7e08-f304-471f-b4b0-915895920d00", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Baseline Configuration ", "description": "[Licensee/Applicant] develops, documents, and maintains a current baseline configuration of
CDAs and their connections including the interface characteristics, security requirements, and the
nature of the information communicated.. As a pa rt of the configuration management process,
[Licensee/Applicant] employs [manual/automated] mechanisms to maintain an up-to-date,
complete, accurate, and readily available baseline configuration of each CDA.
[Licensee/Applicant] documents the up-to-date baseline configurations and audits the
configurations [quarterly]. Baseline configurations include [but are not limited to] a current list of all components (e.g., hardware, software), configuration of peripherals, version releases of
current software, and switch settings of machine components. For each CDA,
[Licensee/Applicant] maintains a log of configuration changes made, the name of the person who
implemented the change, the date of the change, the purpose of the change, and any observations
made during the course of the change.
[Licensee/Applicant] documents and maintains baseline configurations for development and test
environments that are managed separately from the operational/production baseline configuration.
[Licensee/Applicant] employs a \u201cdeny-all, perm it-by-exception\u201d authorization policy to identify
and authorize software permitted on [Licensee/Applicant] CDAs (i.e., white lists of authorized software). After authorized changes are implemented, [Licensee/Applicant] verifies that security
features still function properly and that adequate cyber security levels are maintained.
Individuals authorized to modify CDA configurations are properly trained and qualified to
perform the modifications. [Licensee/Applicant] defines the minimum physical and logical
access for the modifications. Additionally, [Licensee/Applicant] employs electronic means to
monitor CDA access to ensure that only authorized systems and services are used. Furthermore,
[Licensee/Applicant] documents the justification for the use of alternate (compensating) security
controls for instances in which monitoring cannot be done electronically, including the following:
\u2022 physically restricting access,
\u2022 monitoring and recording physical access to enable timely detection and response to
intrusions,
\u2022 employing auditing and validation measures (e.g., security officer rounds, periodic
monitoring of tamper seals),
\u2022 ensuring authorized individuals are trustworthy and reliable in accordance with 10 CFR
73.56,
\u2022 ensuring that authorized individuals are operating under established work management
controls, and
\u2022 conducting post maintenance testing to validate that changes are implemented correctly.
[Licensee/Applicant] reviews log records [no less frequently than once a quarter] in compliance
with the physical security plan.
", "controlId": "C.11.3", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.011.003", "references": "", "relatedControls": "", "otherId": "C.011.003" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "579c99a9-2955-461d-a48a-b66f3b7e2046", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Configuration Change Control", "description": "[Licensee/Applicant] is responsible for the following:
\u2022 authorizing and documenting changes to CDAs
\u2022 retaining and reviewing records of CDA configuration changes and audit activities
associated with CDA configuration changes and employing [manual/automated] mechanisms to:
\u2013 document changes to CDAs,
\u2013 notify designated approval authorities, and
\u2013 prohibit implementation of changes until designated approvals are received and
documented.
", "controlId": "C.11.4", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.011.004", "references": "", "relatedControls": "", "otherId": "C.011.004" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "65aead1a-aff3-457c-a9db-e7b8472070d8", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Security Impact Analysis of Changes and Environment ", "description": "The [Licensee/Applicant]\u2019s CST performs a security impact assessment before making changes to
CDAs consistent with [Section 4.2.2 of Appendix A to RG 5.71] to manage the cyber risk
resulting from the changes. The CST evaluates, documents, and incorporates into the security
impact analysis any identified safety and security interdependencies.
The [Licensee/Applicant] performs and documents the security impact assessment as part of the
change approval process.
", "controlId": "C.11.5", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.011.005", "references": "", "relatedControls": "", "otherId": "C.011.005" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "58cb0f36-fd41-4633-a6b3-6ddd5cb40f04", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Access Restrictions for Change", "description": "[Licensee/Applicant] defines, documents, approves, and enforces physical and logical access
restrictions associated with changes to CDAs and generates, retains, and audits the record [quarterly] and when there are indications that unauthorized changes may have occurred.
[Licensee/Applicant] implements its configuration management program to address discovered
deviations.
[Licensee/Applicant] employs automated mechanisms to detect unauthorized changes, to enforce
access restrictions and to support subsequent audits of enforcement actions.
[Licensee/Applicant] documents the justification and details for alternate (compensating) security
controls for situations in which a CDA cannot support the use of automated mechanisms to
enforce access restrictions and to support subsequent audits of enforcement actions, including all
of the following:
\u2022 physically restricting access,
\u2022 monitoring and recording physical access to enable timely detection and response to
intrusions,
\u2022 employing auditing and validation measures (e.g., security officer rounds, periodic
monitoring of tamper seals),
\u2022 ensuring authorized individuals are trustworthy and reliable in accordance with
10 CFR 73.56,
\u2022 ensuring that authorized individuals are operating under established work management
controls, and
\u2022 conducting post maintenance testing to validate that changes are implemented correctly.
", "controlId": "C.11.6", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.011.006", "references": "", "relatedControls": "", "otherId": "C.011.006" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "c79b3845-78ed-40da-8985-9f90bbc67e12", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Configuration Settings", "description": "[Licensee/Applicant] applies configuration settings for CDAs by (1) documenting the most
restrictive mode, (2) evaluating operational requirements, and (3) enforcing and documenting the
most restrictive operational configuration settings based upon explicit operational requirements.
This is achieved by the following:
\u2022 establishing and documenting configuration settings for CDAs that reflect the most
restrictive mode,
\u2022 documenting and approving any exceptions from the most restrictive mode configuration
settings for individual components within CDAs based upon explicit operational requirements,
\u2022 enforcing the configuration settings in CDAs and monitoring and controlling changes to
the configuration settings in accordance with [Licensee/Applicant] policies and
procedures,
\u2022 documenting and employing automated mechanisms to [centrally] manage, apply, and
verify configuration settings,
\u2022 documenting and employing [automated mechanisms/manual mechanisms] to respond to
unauthorized changes to [Licensee/Applicant]-defined configuration settings, and
\u2022 documenting the justification for alternate (compensating) security controls for situations
in which a CDA cannot support the use of automated mechanisms to [centrally] manage,
apply, and verify configuration settings, including all of the following: \u2013 physically restricting access,
\u2013 monitoring and recording physical access to enable timely detection and response
to intrusions,
\u2013 employing auditing/validation measures (e.g., security officer rounds, periodic
monitoring of tamper seals),
\u2013 ensuring authorized individuals are trustworthy and reliable in accordance with
10 CFR 73.56,
\u2013 ensuring that authorized individuals are operating under established work
management controls, and
\u2013 conducting post maintenance testing to validate that changes are implemented
correctly.
", "controlId": "C.11.7", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.011.007", "references": "", "relatedControls": "", "otherId": "C.011.007" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "deefedaf-8a28-4ce3-8d51-1180de0cd1e7", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Least Functionality ", "description": "[Licensee/Applicant] configures and document s CDA configuration settings to provide only
essential capabilities and specifically prohibits, protects, and restricts the use of insecure functions, ports, protocols and services. [Licensee/Applicant] reviews CDAs [monthly] to
identify and eliminate unnecessary functions, ports, protocols, and services. [Licensee/Applicant]
documents and employs automated mechanisms to prevent program execution.
[Licensee/Applicant] uses [white-lists, black-lists, gray-lists] application control technologies.
", "controlId": "C.11.8", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.011.008", "references": "", "relatedControls": "", "otherId": "C.011.008" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "e0ebe27c-1183-48f6-9dce-44be0216d5b8", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Component Inventory ", "description": "[Licensee/Applicant] develops, documents, and maintains an inventory of the components of
CDAs that has the following attributes:
\u2022 accurately reflects the current system configuration,
\u2022 ensures that the location (logical and physical) of each component is consistent with the
authorized boundary of the CDA,
\u2022 provides the proper level of granularity deemed necessary for tracking and reporting and
for effective property accountability,
\u2022 updates the inventory of system components as an integral part of component
installations and system updates,
\u2022 employs automated mechanisms to maintain an up-to-date, complete, accurate, and
readily available inventory of system components,
\u2022 employs automated mechanisms to detect the addition of unauthorized components or
devices into the environment and disables access by such components or devices or notifies designated [Licensee/Applicant] officials, and
\u2022 documents the [names or roles] of the individuals responsible for administering those
components.
", "controlId": "C.11.9", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.011.009", "references": "", "relatedControls": "", "otherId": "C.011.009" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "0fb73ba6-ff89-4181-8239-9babcdff9138", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "System and Services Acquisition Policy and Procedures", "description": "[Licensee/Applicant] develops, disseminates, and [annually] reviews and updates a formal,
documented system and services acquisition policy that addresses purpose, scope, roles,
responsibilities, management commitment, [coordination among [Licensee/Applicant] entities], associated system and service acquisition controls, and compliance.
[Licensee/Applicant] develops, disseminates, and [annually] reviews and updates formal,
documented procedures to facilitate the implementation of the system and services acquisition
policy and associated system and services acquisition controls.
", "controlId": "C.12.1", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.012.001", "references": "", "relatedControls": "", "otherId": "C.012.001" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "051c8456-4869-4462-b1df-db32168acb06", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Supply Chain Protection", "description": "[Licensee/Applicant] protects against supply chain threats and vulnerability by employing the
following list of measures to protect against supply chain threats to maintain the integrity of the
CDAs that are acquired:
\u2022 establishment of trusted distribution paths,
\u2022 validation of vendors, and
\u2022 requiring tamper proof products or tamper evident seals on acquired products.
[Licensee/Applicant] performs an analysis for each product acquisition to determine that the
product provides the security requirements necessary to address the security controls in
Appendixes B and C to RG 5.71.
[Licensee/Applicant] uses heterogeneity to mitigate vulnerabilities associated with the use of a
single vendor\u2019s product.
", "controlId": "C.12.2", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.012.002", "references": "", "relatedControls": "", "otherId": "C.012.002" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "edfa58d6-da41-4b53-b77c-60aefbd42c81", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Trustworthiness", "description": "[Licensee/Applicant] requires that software developers employ software quality and validation
methods to minimize flawed or malformed software.
[Licensee/Applicant] establishes, implements, and documents requirements to require all tools
used to perform cyber security tasks or SSEP functions to undergo a commercial qualification
process similar to that for software engineering tools that are used to develop digital
instrumentation and control systems.
", "controlId": "C.12.3", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.012.003", "references": "", "relatedControls": "", "otherId": "C.012.003" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "e8df0047-e5b0-4fcd-ae59-de7625d830eb", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Integration of Security Capabilities", "description": "[Licensee/Applicant] documents and implements a program to ensure that new acquisitions
contain security design information, capabilities or both to implement security controls in
Appendix B to RG 5.71. Such security capabilities include the following:
\u2022 being cognizant of evolving cyber security threats and vulnerabilities,
\u2022 being cognizant of advancements in cyber security protective strategies and security
controls,
\u2022 conducting analyses of the effects that each advancement could have on the security,
safety, and operation of critical assets, systems, CDAs, and networks and implementing these advancements in a timely manner, and
\u2022 replacing legacy systems as they reach end of life with systems that incorporate security
capabilities.
[Licensee/Applicant] establishes timeframes to minimize the time it takes to deploy new and
more effective protective strategies and security controls.
", "controlId": "C.12.4", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.012.004", "references": "", "relatedControls": "", "otherId": "C.012.004" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "95648a99-54bc-4774-8c8b-56fe5997b7ca", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Developer Security Testing", "description": "[Licensee/Applicant] documents and requires that system developers and integrators of acquired
CDAs create, implement, and document a security test and evaluation plan to ensure that the
acquired products meet all specified security requirements (1) that the products are free from
known, testable vulnerabilities and malicious code by identifying and eliminating these following
vulnerabilities and other vulnerabilities that may change with new technology:
\u2022 weak, unproven, or nonstandard cryptographic modules,
\u2022 insecure network protocols for sensitive communications,
\u2022 known insecure software components or libraries,
\u2022 known vulnerabilities,
\u2022 insecure configuration files or options that act to control features of the
application,
\u2022 inadequate or inappropriate use of access control mechanisms to control access to
system resources,
\u2022 inappropriate privileges being granted to users, processes, or applications,
\u2022 weak authentication mechanisms,
\u2022 improperly or failing to validate input and output data,
\u2022 insecure or inadequate logging of system errors or security-related information,
\u2022 inadequately bounded buffers,
\u2022 format string vulnerabilities,
\u2022 privilege escalation vulnerabilities,
\u2022 unsafe database transactions,
\u2022 unsafe use of native function calls,
\u2022 hidden functions and vulnerable features embedded in the code,
\u2022 implemented security features do not themselves act to increase the risk of
security vulnerabilities, increase susceptibility to cyber attack, or reduce the
reliability of design-basis functions.
\u2022 use of unsupported or undocumented methods or functions, and
\u2022 use of undocumented code or malicious functions that might allow either
unauthorized access or use of the system or the system to behave beyond the system requirements.
(2) and developers cyber security program maintains the integrity of the acquired system until the
product is delivered to the [Licensee/Applicant] by implementing equivalent security controls as described in RG 5.71 to prevent tampering and to provide high assurance that the integrity of the
developed CDA is maintained until delivered to the licensee.
[Licensee/Applicant] requires the developer to perform and document that security requirements
are verified and validated and that security controls implemented in the product and used to meet the requirements of this plan are tested to ensure they are effective per section A.4.1.2.
[Licensee/Applicant] requires documentation of all of the following activities:
\u2022 system design transformed into code, database structures, and related machine executable
representations,
\u2022 hardware and software configuration and setup,
\u2022 software coding practices and testing,
\u2022 communication configuration and setup (including the incorporation of reused software
and commercial off-the-shelf products),
\u2022 The results of unit tests performed to ensure that the code was developed correctly and
accurately and completely reflects the security design configuration transformations from
the requirements,
\u2022 details of the implementation of each required security feature within the developed code
base. The listing includes reference the coded functions and modules within the code base
that were developed to implement the security features,
\u2022 security configurations implemented to meet security design features specified in the
requirements,
\u2022 operating system security configurations implemented to meet security design features
specified in the requirements are documented,
\u2022 For programming languages that support static analysis source code scanners, results of
the following are documented:
\u2013 the static source code vulnerability analysis performed to inspect the developed
code for potential security defects, poor programming practices, hidden
functions, and vulnerable features within the code during the implementation of the code base and methods applied to eliminate these vulnerabilities,
\u2013 the security defect tracking metrics used to capture and track the identification,
type, classification, cause, and remediation of security defects found within the
code, and
\u2013 the defects encountered during the translation of the design features specified in
the requirements into code.
\u2022 For all programming languages, the results of the following are documented:
\u2013 a dynamic source code vulnerability analysis performed to inspect the developed
code for potential security defects, poor programming practices, hidden
functions, and vulnerable features within the code during the implementation of
the code base and methods applied to eliminate these vulnerabilities,
\u2013 the security defect tracking metrics used to capture and track the identification,
type, classification, cause, and remediation of security defects found within the
code, and
\u2013 the defects encountered during the translation of the design features specified in
the requirements into code.
[Licensee/Applicant] requires that CDA developers/integrators:
\u2022 perform configuration management during CDA design, development, implementation,
and operation,
\u2022 manage and control changes to the CDA,
\u2022 implement only [Licensee/Applicant] approved changes,
\u2022 document approved changes to the CDA, and
\u2022 track security flaws and flaw resolution.
", "controlId": "C.12.5", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.012.005", "references": "", "relatedControls": "", "otherId": "C.012.005" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "9872d869-c30f-4c16-b2cd-584b8b8aac4b", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Licensee/Applicant testing ", "description": "[Licensee/Applicant] verifies and validates the results of the developer\u2019s security testing in
conducted in accordance with Section 12.5 above.
[Licensee/Applicant] is responsible for the following:
\u2022 testing CDA (e.g., offline on a comparable CDA) security devices, security controls, and
software to ensure that they do not compromise the CDA or the operation of an
interconnected CDA operation before installation,
\u2022 testing to ensure that CDAs do not provide a pathway to compromise the CDA or other
CDAs,
\u2022 implementation of the security controls in Appendices B and C to RG 5.71 in accordance
with the process described in Section 3.1.6 of Appendix A to RG 5.71,
\u2022 testing of the security controls for effectiveness, as described in Section 4.1.2 of
Appendix A to RG 5.71,
\u2022 performance of vulnerability scans, in accordance with Section 4.1.3 of Appendix A to
RG 5.71 and Section 13.1 of this plan, against the CDA in its integrated state and correction, elimination, or discussion of discovered vulnerabilities,
\u2022 installation and testing of the CDA in the target environment, and
\u2022 performance of an acceptance review and test of the CDA security features.
[Licensee/Applicant] documents the following:
\u2022 Security controls implemented in accordance with Appendix B of RG 5.71.
\u2022 Verification of the effectiveness of the security controls implemented in accordance with
Appendix C.
\u2022 Security design features developed to address the identified security requirements for the
CDA (if any), in addition to the security controls implemented in accordance with
Appendix B to 5.7.1. For each security feature or configuration to be implemented, the
documentation includes a description of the feature, its method of implementation, and
any configurable options associated with the feature are provided. Each security feature designed into the system is traceable to its corresponding security requirement.
The security reviews of the implemented design by the cyber security organization responsible
for the protection of the critical assets/systems/networks are documented. The review ensures
that the security design configuration item transformations from the requirements implemented are correct, accurate, and complete.
[Licensee/Applicant] requires [annual] audits of CDAs to verify the following:
\u2022 The security controls present during testing remain in place and are functioning correctly
in the production system.
\u2022 CDAs are free from known vulnerabilities and security compromises and continue to
provide information on the nature and extent of compromises, should they occur.
\u2022 The change management [process/program] is functioning effectively and is recording
configuration changes appropriately.
", "controlId": "C.12.6", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.012.006", "references": "", "relatedControls": "", "otherId": "C.012.006" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "b93e144c-ab8e-4142-896c-5b0d1dcbffad", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Threat and Vulnerability Management ", "description": "[Licensee/Applicant] does the following:
\u2022 Perform assessments and scans for vulnerabilities in CDAs [no less frequently than once
a quarter] and at random intervals in accordance with Section 4.1.3 of Appendix A to RG 5.71 and when new potential CDA vulnerabilities are reported or identified.
\u2022 Employ vulnerability scanning tools and techniques that promote interoperability among
tools and automating parts of the vulnerability management process by:
\u2013 enumerating platforms, software flaws, and improper configurations,
\u2013 formatting and making transparent checklists and test procedures, and
\u2013 measuring vulnerability impacts.
\u2022 Analyze vulnerability scan reports and remediate vulnerabilities within a time period that
will provide high assurance that CDAs are protected from cyber attacks up to and
including the DBT.
\u2022 Eliminate similar vulnerabilities in other CDAs.
\u2022 Employ vulnerability scanning tools that include the capability to update the list of cyber
vulnerabilities scanned and update the list of CDA vulnerabilities scanned [monthly] and
when new vulnerabilities are identified and reported.
\u2022 Employ vulnerability scanning procedures that maximize the breadth and depth of
coverage (i.e., CDA components scanned and vulnerabilities checked).
\u2022 Discern and document what information associated with the CDA is discoverable by
adversaries.
\u2022 Perform security testing to determine the level of difficulty in circumventing the security
controls of the CDA. [Testing methods include penetration testing, malicious user testing, and independent verification and validation.]
\u2022 Include privileged access authorization to CDAs for selected vulnerability scanning
activities to facilitate more thorough scanning.
\u2022 Employ automated mechanisms to compare the results of vulnerability scans over time to
determine trends in CDA vulnerabilities and mitigation/flaw remediation activities.
\u2022 Employ automated mechanisms to detect and notify authorized personnel of the presence
of unauthorized software on CDAs.
\u2022 Ensure that SSEP functions are not adversely impacted by the scanning process. Where
this may occur, CDAs are removed from service or replicated (to the extent feasible) before scanning is conducted or be scheduled to occur during planned CDA outages
whenever possible. Where [Licensee/Applicant] cannot conduct vulnerability scanning
on a production CDA because of the potential for an adverse impact on SSEP functions,
alternate controls (e.g., providing a replicated system or CDA to conduct scanning) are employed.
The [Licensee/Applicant] reviews historic audit logs to determine if a vulnerability identified in
the CDA has been previously exploited.
", "controlId": "C.13.1", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.013.001", "references": "", "relatedControls": "", "otherId": "C.013.001" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "f6cf1c54-b4c6-4892-a06a-f0a59d8ed3d3", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Risk Mitigation", "description": "Protection and mitigation of risk are achieved by implementing (1) the defense-in-depth strategies
discussed in Section 3.2 of to RG 5.71, (2) the security controls described in Appendices B and C
to RG 5.71, and (3) digital equipment and software cyber attack detection, prevention, and
recovery techniques and tools to the systems, structures, and components within the scope of the
rule and (4) Section 4 of Appendix A of RG 5.71. [Licensee/Applicant] has the detailed information on how these requirements are implemented to achieve the high assurance objectives
of security controls specified in this plan. The detailed information is available for NRC
inspections and audits.
", "controlId": "C.13.2", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.013.002", "references": "", "relatedControls": "", "otherId": "C.013.002" }, { "parameters": [], "ccis": [], "objectives": [], "tests": [], "externalMappings": [], "uuid": "adfcb8d9-68e5-4b75-af9c-caa31082cf80", "subControls": "", "mappings": "", "assessmentPlan": "", "practiceLevel": "", "weight": 0.0, "title": "Corrective Action Program ", "description": "[Licensee/Applicant] established, implemented, and documented the criteria consistent with RG
5.71 for adverse conditions and the requirements for corrective action. The adverse impact
resulting from a cyber security incident is evaluated, tracked, and adjusted in accordance with the [Licensee/Applicant] Corrective Action Program and in a manner consistent with RG 5.71.
", "controlId": "C.13.3", "family": "Operational and Management Security Controls", "enhancements": "", "sortId": "C.013.003", "references": "", "relatedControls": "", "otherId": "C.013.003" } ], "uuid": "b2f5e6a9-2745-4dcd-8686-2aa71c180d3c", "title": "NRC RG 5.71 Rev. 1 - Cyber Security Program for Nuclear Facilities", "datePublished": "2023-02-01T05:00:00", "lastRevisionDate": "2026-01-13T05:00:00", "url": "https://www.nrc.gov/docs/ML2225/ML22258A204.pdf", "keywords": "", "abstract": "", "description": "This regulatory guide (RG) describes an approach that is acceptable to the staff of the U.S. Nuclear Regulatory Commission (NRC) to meet regulatory requirements in Title 10 of the Code of Federal Regulations (10 CFR) 73.54, \u201cProtection of digital computer and communication systems and networks\u201d (Ref. 1).
", "defaultName": "NRC_5.71_Rev_1_1", "downloadURL": "https://regscaleblob.blob.core.windows.net/catalogs/NRC_5.71_Rev_1_1.json", "regulationDatePublished": "2020-01-01", "regulationDateModified": "", "requireUniqueControlId": false, "sourceOscalURL": "", "externalId": "NRC 5.71 Rev 1", "originator": 0, "category": "Energy/Utilies" } }