The Nuclear Regulatory Commission (“NRC”) appears poised to be the next agency to promulgate cybersecurity breach notification requirements.  The NRC has stated that it is moving forward with the draft breach notification rules it released in July 2014.  Under the draft rules, anyone licensed by the NRC to operate a nuclear power plant would be required to report cybersecurity events to the NRC Headquarters Operations Center via its Emergency Notification System.  The draft rules set forth four types of notifications for cybersecurity events, tiered by the imminence or severity of the event:  one-hour notifications, four-hour notifications, eight-hour notifications, and twenty-four-hour recordable events, each explained below.

One-hour Notification − Must be made within one hour of discovering a cyber attack that “adversely impacted safety-related or important-to-safety function, security functions, or emergency preparedness functions . . . or compromises support systems and equipment that results in adverse impacts to safety, security, or emergency preparedness functions.”

Four-hour Notification − Must be made within four hours of:

  • Discovering a cyber attack that “could have caused an adverse impact” to safety- and security-related functions;
  • Discovering a suspected or actual cyber attack that was initiated by personnel with physical or electronic access to computers, communications systems, and networks; and/or
  • Notification by a local, state, or federal agency of an event related to the implementation of the licensee’s cyber security program.

There is no requirement to make four-hour notification if a one-hour notification is made for the same event.

Eight-hour Notification − Must be made within eight hours of receiving or collecting information about any “observed behavior, activities, or statements” indicating a potential cyber attack.  There is no requirement to make eight-hour notification if a four-hour notification or one-hour notification is made for the same event.

Twenty-four-hour Recordable Events − Within twenty-four hours of discovery, licensees should use a corrective action program (as required by 10 C.F.R. § 72.172) to document, track, trend, correct, and prevent recurrence of failures and deficiencies in their cybersecurity program.  The corrective action program should also be used to document, track, and trend events that triggered one-, four-, or eight-hour notifications.

The notifications discussed above are made by telephone via the NRC Emergency Notification System.  If the Emergency Notification System is inoperable or unavailable, the licensee is required to notify by another method that will ensure the report is received by the NRC Headquarters Operations Center within the relevant timeframe.  Written follow-up reports must be submitted after any one- or four-hour notification involving the discovery of an actual or suspected cyber attack.

The current draft rules do not define certain key terms, such as “cyber attack,” and do not explain what qualifies as an “adverse impact.”  Additionally, the draft rules do not set forth what information must be included in the mandatory notifications.

The NRC’s draft cybersecurity breach rules follow on the heels of announced Department of Defense (“DoD”) and Intelligence Community (“IC”) rapid reporting regulations.  The DoD and IC have both faced hurdles in promulgating their nearly identical rapid reporting rules, each missing and extending deadlines for publishing draft rules.  The NRC’s draft rules are notably nuanced in that they scale the required reporting timeframe to the imminence or severity of the cyber event.  For example, a cyber attack that has already adversely impacted a licensee’s safety- or security-related functions must be reported within one hour, whereas intelligence merely suggesting a potential attack has a longer reporting timeframe of eight hours.  Because the DoD and IC rules have not yet been promulgated, it is unclear whether they will adopt similar tiered timeframes.  The NRC draft rules also impose much shorter notification windows than another DoD breach reporting rule promulgated last November for the safeguarding of Unclassified Controlled Technical Information, which requires reporting within 72 hours.

For your convenience a chart of the notifications is attached here.

Susan B. Cassidy
Susan Cassidy co-chairs Covington’s Aerospace and Defense Industry Group, and has been advising government contractors for more than 35 years on the requirements imposed on companies contracting with the U.S. Government.

Susan’s practice focuses on the intersection of cybersecurity, national security, and supply chain risk management for companies that sell products and services to the U.S. Government. Susan advises contractors at all phases of the procurement cycle, and regularly:

  • advises clients on compliance obligations imposed by the FAR, DFARS, and other agency regulatory requirements;
  • leads internal and government False Claims Act (FCA) investigations addressing allegations of violations of government cybersecurity, national security, supply chain, quality, and MIL-SPEC requirements; and
  • advises clients who have suffered a cyber breach where U.S. government information may have been impacted.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 252.204-7012, FedRAMP, controlled unclassified information (CUI), and NIST SP 800-171 requirements;
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 semiconductor product and service restrictions, and limitations on sourcing a variety of products from China; and
  • Federal Acquisition Security Council (FASC) regulations and product exclusions.

Susan previously served as senior in-house counsel for two major defense contractors (Northrop Grumman Corporation and Motorola Incorporated) and is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. Chambers USA has quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Susan is a former Co-Chair of the Public Contract Law Procurement Division, and a former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Susan’s pro-bono work extends to assisting veterans in a variety of matters, as well as providing advice to elderly clients on their wills and other end-of-life planning documents.