The Nuclear Regulatory Commission (“NRC”) appears poised to be the next agency to promulgate cybersecurity breach notification requirements.  The NRC has stated that it is moving forward with draft breach notification rules it released in July 2014.  Under the draft rules, anyone licensed by NRC to operate a nuclear power plant would be required to report cybersecurity events to the NRC Headquarters Operations Center via its Emergency Notification System.  The draft rules set forth four types of notifications for cybersecurity breaches based on the imminence or severity of the event:  one-hour notifications; four-hour notifications; eight-hour notifications; and twenty-four hour recordable events, explained below.

One-hour Notification − Must be made within one hour of discovering a cyber attack that “adversely impacted safety-related or important-to-safety function, security functions, or emergency preparedness functions . . . or compromises support systems and equipment that results in adverse impacts to safety, security, or emergency preparedness functions.”

Four-hour Notification − Must be made within four hours of:

  • Discovering a cyber attack that “could have caused an adverse impact” to safety- and security-related functions;
  • Discovering a suspected or actual cyber attack that was initiated by personnel with physical or electronic access to computers, communications systems, and networks; and/or
  • Notification by a local, state, or federal agency of an event related to the implementation of the licensee’s cyber security program.

There is no requirement to make a four-hour notification if a one-hour notification is made for the same event.

Eight-hour Notification − Must be made within eight hours of receiving or collecting information about any “observed behavior, activities, or statements” indicating a potential cyber attack.  There is no requirement to make an eight-hour notification if a four-hour or one-hour notification is made for the same event.

Twenty-four hour Recordable Events − Licensees should use a corrective action program (as required by 10 C.F.R. § 72.172) to document, track, trend, correct, and prevent recurrence of failures and deficiencies in their cybersecurity program within twenty-four hours of discovery.  A corrective action program should also be used to document, track, and trend one-, four-, and eight-hour notifications.

The notifications discussed above are made by telephone via the NRC Emergency Notification System.  If the Emergency Notification System is inoperable or unavailable, the licensee is required to notify via a method that will ensure the report is received by the NRC Headquarters Operations Center within the relevant timeframe.  Written follow-up reports must be submitted following a one- or four-hour notification involving the discovery of an actual or suspected cyber attack.

The current draft rules do not define certain key terms, such as “cyber attack,” or what qualifies as an adverse impact.  Additionally, the draft rules do not set forth what information must be reported as part of the mandatory notifications.

The NRC’s draft data breach rules follow on the heels of announced Department of Defense (“DoD”) and Intelligence Community (“IC”) rapid reporting regulations.  The DoD and IC have both faced hurdles in the promulgation of their nearly identical rapid reporting rules, both missing and extending deadlines for publishing draft rules.  The NRC’s draft rules are quite nuanced in that they delineate the required reporting timeframe based on the imminence or severity of the cyber event.  For example, a cyber attack that has adversely impacted a licensee’s safety- or security-related functions must be reported within one hour, whereas intelligence suggesting a potential attack has a longer reporting timeframe of eight hours.  The DoD and IC rules are not yet promulgated, so it is unclear whether they will include similar notification timeframes.  The NRC draft rules impose much shorter notification windows than another DoD breach reporting rule promulgated last November for the safeguarding of Unclassified Controlled Technical Information, which imposes 72-hour reporting requirements.

For your convenience, a chart of the notifications is attached here.

Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well-established defense contractors, and she provides compliance advice across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949, and limitations on sourcing from China,
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, and a former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.