TY - GEN
T1 - Lessons learned from the implementation of Regulatory Guide 1.152, revision 3 and needs for future work in this area
AU - Mossman, Tim
AU - Arndt, Steven
PY - 2012
Y1 - 2012
N2 - In July 2011, the US NRC updated Regulatory Guide 1.152 to Revision 3. The main focus of the revision was to recognize that the NRC now specifically regulates cyber security under its 10 CFR 73.54 regulation and that malicious actions taken against safety systems are no longer addressed in Part 50 or 52 licensing space. To address non-malicious safety and reliability issues, Regulatory Guide 1.152 Revision 3 introduced the concepts of secure development and operational environments to provide guidance to applicants. In order for staff to reach these conclusions, it is incumbent on the applicant to provide an assessment of the vulnerabilities to the secure development and operation of their digital system. Unfortunately, the NRC staff has seen a wide variety and depth of information contained in submissions. To further add complexity to this topic, the vast majority of the information submitted in support of this evaluation is normally redacted from the publicly available information under provisions of 10 CFR 2.390, which inhibits lessons learned from being readily available. With the release of IEEE Std. 7-4.3.2-2010, the NRC staff anticipates revising Regulatory Guide 1.152 to Revision 4 in order to provide an endorsement of the applicable portions of that standard. The updated standard incorporates much of the NRC's interim staff guidance developed to clarify the staff's positions. In addition, staff would like to pursue developing guidance on the performance and documentation of secure development and operation vulnerability analyses. Additional guidance is also needed regarding application of the criteria to pre-developed systems. Staff believes these efforts should be of benefit to both the staff and future applicants.
KW - IEEE 7-4.3.2
KW - Regulatory Guide 1.152
KW - Secure development and operational environment
UR - https://www.scopus.com/pages/publications/84880452408
M3 - Conference contribution
AN - SCOPUS:84880452408
SN - 9781627480154
T3 - 8th International Topical Meeting on Nuclear Plant Instrumentation, Control, and Human-Machine Interface Technologies 2012, NPIC and HMIT 2012: Enabling the Future of Nuclear Energy
SP - 1640
EP - 1645
BT - 8th International Topical Meeting on Nuclear Plant Instrumentation, Control, and Human-Machine Interface Technologies 2012, NPIC and HMIT 2012
T2 - 8th International Topical Meeting on Nuclear Plant Instrumentation, Control, and Human-Machine Interface Technologies 2012: Enabling the Future of Nuclear Energy, NPIC and HMIT 2012
Y2 - 22 July 2012 through 26 July 2012
ER -