The Nuclear Regulatory Commission (“NRC”) appears poised to be the next agency to promulgate cybersecurity breach notification requirements. The NRC has stated that it is moving forward with draft breach notification rules it released in July 2014. Under the draft rules, anyone licensed by NRC to operate a nuclear power plant would be required to report cybersecurity events to the NRC Headquarters Operations Center via its Emergency Notification System. The draft rules set forth four types of notifications for cybersecurity breaches based on the imminence or severity of the event: one-hour notifications; four-hour notifications; eight-hour notifications; and twenty-four hour recordable events, explained below.
One-hour Notification – Must be made within one hour of discovering a cyber attack that “adversely impacted safety-related or important-to-safety function, security functions, or emergency preparedness functions . . . or compromises support systems and equipment that results in adverse impacts to safety, security, or emergency preparedness functions.”
Four-hour Notification – Must be made within four hours of:
- Discovering a cyber attack that “could have caused an adverse impact” to safety- and security-related functions;
- Discovering a suspected or actual cyber attack that was initiated by personnel with physical or electronic access to computers, communications systems, and networks; and/or
- Notification by a local, state, or federal agency of an event related to the implementation of the licensee’s cyber security program.
There is no requirement to make a four-hour notification if a one-hour notification is made for the same event.
Eight-hour Notification – Must be made within eight hours of receiving or collecting information about any “observed behavior, activities, or statements” indicating a potential cyber attack. There is no requirement to make an eight-hour notification if a four-hour or one-hour notification is made for the same event.
Twenty-four-hour Recordable Events – Licensees should use a corrective action program (as required by 10 C.F.R. § 72.172) to document, track, trend, correct, and prevent recurrence of failures and deficiencies in their cybersecurity program within twenty-four hours of discovery. A corrective action program should also be used to document, track, and trend one-, four-, and eight-hour notifications.
The notifications discussed above are made by telephone via the NRC Emergency Notification System. If the Emergency Notification System is inoperable or unavailable, the Licensee is required to notify via a method that will ensure the report is received by the NRC Headquarters Operations Center within the relevant timeframe. Written follow-up reports must be submitted following a one- or four-hour notification involving the discovery of an actual or suspected cyber attack.
The current draft rules do not define certain key terms, such as “cyber attack,” or what qualifies as an adverse impact. Additionally, the draft rules do not set forth what information must be reported as part of the mandatory notifications.
The NRC’s draft data breach rules follow on the heels of announced Department of Defense (“DoD”) and Intelligence Community (“IC”) rapid reporting regulations. The DoD and IC have both faced hurdles in the promulgation of their nearly identical rapid reporting rules, both missing and extending deadlines for publishing draft rules. The NRC’s draft rules are quite nuanced in that they delineate the required reporting timeframe based on the imminence or severity of the cyber event. For example, a cyber attack that has adversely impacted a licensee’s safety- or security-related functions must be reported within one hour, whereas intelligence suggesting a potential attack has a longer reporting timeframe of eight hours. The DoD and IC rules are not yet promulgated, so it is unclear whether they will include similar notification timeframes. The NRC draft rules impose much shorter notification windows than another DoD breach reporting rule promulgated last November for the safeguarding of Unclassified Controlled Technical Information, which imposes 72-hour reporting requirements.
For your convenience, a chart of the notifications is attached here.