
10 CFR 73.54 Protection of Digital Computer and Communication Systems and Networks

US Nuclear Regulatory Commission mandatory cybersecurity regulation for nuclear power plants and fuel cycle facilities. Requires protection of Critical Digital Assets (CDAs) associated with safety, security, and emergency preparedness functions from cyber attacks up to and including the Design Basis Threat. Implements defense-in-depth through a 5-level security architecture per NRC Regulatory Guide 5.71. Covers technical, operational, and management controls with NRC-approved Cyber Security Plans, ongoing assessment, and integration with physical protection programs.

AC Access Control

| Control | Name | 10 CFR 73.54 References |
|---|---|---|
| AC-02 | Account Management | RG5.71-A-AC |
| AC-03 | Access Enforcement | 73.54(c)(1), RG5.71-A-AC |
| AC-04 | Information Flow Enforcement | 73.54(c)(1), 73.54(c)(2) |
| AC-05 | Separation Of Duties | RG5.71-A-AC |
| AC-06 | Least Privilege | RG5.71-A-AC |
| AC-07 | Unsuccessful Login Attempts | RG5.71-A-AC |
| AC-17 | Remote Access | RG5.71-A-AC |

AT Awareness and Training

| Control | Name | 10 CFR 73.54 References |
|---|---|---|
| AT-01 | Security Awareness And Training Policy And Procedures | RG5.71-C-AT |
| AT-02 | Security Awareness | RG5.71-C-AT |
| AT-03 | Security Training | RG5.71-C-AT |
| AT-04 | Security Training Records | RG5.71-C-AT |

AU Audit and Accountability

| Control | Name | 10 CFR 73.54 References |
|---|---|---|
| AU-02 | Auditable Events | RG5.71-A-AU |
| AU-03 | Content Of Audit Records | RG5.71-A-AU |
| AU-04 | Audit Storage Capacity | RG5.71-A-AU |
| AU-05 | Response To Audit Processing Failures | RG5.71-A-AU |
| AU-06 | Audit Monitoring, Analysis, And Reporting | RG5.71-A-AU |
| AU-08 | Time Stamps | RG5.71-A-AU |
| AU-09 | Protection Of Audit Information | RG5.71-A-AU |
| AU-12 | Audit Record Generation | RG5.71-A-AU |

CA Security Assessment and Authorization

| Control | Name | 10 CFR 73.54 References |
|---|---|---|
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | RG5.71-C-CA |
| CA-02 | Security Assessments | RG5.71-C-PL, RG5.71-C-CA |
| CA-05 | Plan Of Action And Milestones | RG5.71-C-CA |
| CA-06 | Security Accreditation | RG5.71-C-PL, RG5.71-C-CA |
| CA-07 | Continuous Monitoring | RG5.71-C-CA, 73.54(d) |
| CA-08 | Penetration Testing | RG5.71-C-CA |

CM Configuration Management

| Control | Name | 10 CFR 73.54 References |
|---|---|---|
| CM-02 | Baseline Configuration | RG5.71-B-CM |
| CM-03 | Configuration Change Control | RG5.71-B-CM |
| CM-04 | Monitoring Configuration Changes | RG5.71-B-CM |
| CM-05 | Access Restrictions For Change | RG5.71-B-CM |
| CM-06 | Configuration Settings | RG5.71-B-CM |
| CM-07 | Least Functionality | RG5.71-B-CM |
| CM-08 | Information System Component Inventory | RG5.71-B-CM |
| CM-14 | Signed Components | RG5.71-A-SI, RG5.71-C-SR |

CP Contingency Planning

| Control | Name | 10 CFR 73.54 References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | RG5.71-B-CP |
| CP-02 | Contingency Plan | RG5.71-B-CP |
| CP-04 | Contingency Plan Testing And Exercises | RG5.71-B-CP |
| CP-09 | Information System Backup | RG5.71-B-CP |
| CP-10 | Information System Recovery And Reconstitution | RG5.71-B-CP |

IA Identification and Authentication

| Control | Name | 10 CFR 73.54 References |
|---|---|---|
| IA-02 | User Identification And Authentication | RG5.71-A-AC |
| IA-03 | Device Identification And Authentication | RG5.71-A-AC |
| IA-05 | Authenticator Management | RG5.71-A-AC |
| IA-08 | Identification and Authentication (Non-Organizational Users) | RG5.71-A-AC |

IR Incident Response

| Control | Name | 10 CFR 73.54 References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | RG5.71-B-CP |
| IR-02 | Incident Response Training | RG5.71-B-CP |
| IR-04 | Incident Handling | RG5.71-B-CP |
| IR-06 | Incident Reporting | RG5.71-B-CP |

MA Maintenance

| Control | Name | 10 CFR 73.54 References |
|---|---|---|
| MA-01 | System Maintenance Policy And Procedures | RG5.71-B-MA |
| MA-02 | Controlled Maintenance | RG5.71-B-MA |
| MA-03 | Maintenance Tools | RG5.71-B-MA |
| MA-04 | Remote Maintenance | RG5.71-B-MA |
| MA-05 | Maintenance Personnel | RG5.71-B-MA |
| MA-06 | Timely Maintenance | RG5.71-B-MA |

MP Media Protection

| Control | Name | 10 CFR 73.54 References |
|---|---|---|
| MP-02 | Media Access | RG5.71-B-MA |
| MP-04 | Media Storage | RG5.71-B-MA |
| MP-06 | Media Sanitization And Disposal | RG5.71-B-MA |
| MP-07 | Media Use | RG5.71-B-MA |

PE Physical and Environmental Protection

| Control | Name | 10 CFR 73.54 References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | RG5.71-B-PE |
| PE-02 | Physical Access Authorizations | RG5.71-B-PE |
| PE-03 | Physical Access Control | RG5.71-B-PE |
| PE-04 | Access Control For Transmission Medium | RG5.71-B-PE |
| PE-06 | Monitoring Physical Access | RG5.71-B-PE |
| PE-08 | Access Records | RG5.71-B-PE |
| PE-09 | Power Equipment And Power Cabling | RG5.71-B-PE |
| PE-11 | Emergency Power | RG5.71-B-PE |
| PE-13 | Fire Protection | RG5.71-B-PE |
| PE-14 | Temperature And Humidity Controls | RG5.71-B-PE |
| PE-15 | Water Damage Protection | RG5.71-B-PE |

PL Planning

| Control | Name | 10 CFR 73.54 References |
|---|---|---|
| PL-01 | Security Planning Policy And Procedures | 73.54(b), RG5.71-C-PL |
| PL-02 | System Security Plan | 73.54(b), RG5.71-C-PL |
| PL-08 | Security and Privacy Architectures | 73.54(c)(2), RG5.71-C-PL |

PM Program Management

| Control | Name | 10 CFR 73.54 References |
|---|---|---|
| PM-01 | Information Security Program Plan | 73.54(a), 73.54(b) |
| PM-02 | Information Security Program Leadership Role | 73.54(b) |
| PM-03 | Information Security and Privacy Resources | 73.54(b) |
| PM-06 | Measures of Performance | 73.54(d) |
| PM-07 | Enterprise Architecture | 73.54(a) |
| PM-09 | Risk Management Strategy | 73.54(b) |
| PM-11 | Mission and Business Process Definition | 73.54(a) |
| PM-13 | Security and Privacy Workforce | RG5.71-C-AT |
| PM-14 | Testing, Training, and Monitoring | RG5.71-C-CA, RG5.71-C-AT, 73.54(d) |
| PM-15 | Security and Privacy Groups and Associations | 73.54(d) |

PS Personnel Security

| Control | Name | 10 CFR 73.54 References |
|---|---|---|
| PS-01 | Personnel Security Policy And Procedures | RG5.71-C-PS |
| PS-02 | Position Categorization | RG5.71-C-PS |
| PS-03 | Personnel Screening | RG5.71-C-PS |
| PS-04 | Personnel Termination | RG5.71-C-PS |
| PS-05 | Personnel Transfer | RG5.71-C-PS |
| PS-06 | Access Agreements | RG5.71-C-PS |
| PS-07 | Third-Party Personnel Security | RG5.71-C-PS |
| PS-08 | Personnel Sanctions | RG5.71-C-PS |

RA Risk Assessment

| Control | Name | 10 CFR 73.54 References |
|---|---|---|
| RA-01 | Risk Assessment Policy And Procedures | RG5.71-C-PL |
| RA-02 | Security Categorization | 73.54(a), RG5.71-C-PL |
| RA-03 | Risk Assessment | RG5.71-C-PL |
| RA-05 | Vulnerability Scanning | RG5.71-B-CM, RG5.71-C-PL |
| RA-07 | Risk Response | RG5.71-C-PL, 73.54(d) |
| RA-09 | Criticality Analysis | RG5.71-C-PL |

SA System and Services Acquisition

| Control | Name | 10 CFR 73.54 References |
|---|---|---|
| SA-04 | Acquisitions | RG5.71-C-SR |
| SA-09 | External Information System Services | RG5.71-C-SR |

SC System and Communications Protection

| Control | Name | 10 CFR 73.54 References |
|---|---|---|
| SC-07 | Boundary Protection | 73.54(c)(1), 73.54(c)(2), RG5.71-A-SC |
| SC-08 | Transmission Integrity | RG5.71-A-SC |
| SC-12 | Cryptographic Key Establishment And Management | RG5.71-A-SC |
| SC-13 | Use Of Cryptography | RG5.71-A-SC |
| SC-23 | Session Authenticity | RG5.71-A-SC |
| SC-28 | Protection of Information at Rest | 73.54(c)(1), RG5.71-A-SC |
| SC-32 | System Partitioning | 73.54(c)(1), 73.54(c)(2), RG5.71-A-SC |
| SC-45 | System Time Synchronization | RG5.71-A-SC |
| SC-46 | Cross Domain Policy Enforcement | 73.54(c)(2), RG5.71-A-SC |

SI System and Information Integrity

| Control | Name | 10 CFR 73.54 References |
|---|---|---|
| SI-02 | Flaw Remediation | RG5.71-A-SI |
| SI-03 | Malicious Code Protection | RG5.71-A-SI |
| SI-04 | Information System Monitoring Tools And Techniques | RG5.71-A-AU, RG5.71-A-SI |
| SI-07 | Software And Information Integrity | RG5.71-A-SI |
| SI-16 | Memory Protection | RG5.71-A-SI |

SR Supply Chain Risk Management

| Control | Name | 10 CFR 73.54 References |
|---|---|---|
| SR-01 | Policy and Procedures | RG5.71-C-SR |
| SR-02 | Supply Chain Risk Management Plan | RG5.71-C-SR |
| SR-03 | Supply Chain Controls and Processes | RG5.71-C-SR |
| SR-05 | Acquisition Strategies, Tools, and Methods | RG5.71-C-SR |
| SR-06 | Supplier Assessments and Reviews | RG5.71-C-SR |
| SR-11 | Component Authenticity | RG5.71-C-SR |