
10 CFR 73.54 Protection of Digital Computer and Communication Systems and Networks — SP 800-53 Coverage

How well do NIST SP 800-53 Rev 5 controls address each 10 CFR 73.54 requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.

Coverage Distribution
Full (85-100%): 0
Substantial (65-84%): 18
Partial (40-64%): 0
Weak (1-39%): 0

Clause-by-Clause Analysis

73.54(a) Scope and Applicability

Rationale

PM-01 establishes the information security program providing organizational scope definition. PM-07 enterprise architecture integration supports alignment of cyber security with facility operations. PM-11 mission/business process definition helps identify safety, security, and emergency preparedness (EP) functions. RA-02 security categorization provides a methodology for classifying systems by impact level. Together these controls provide a general framework for scoping and applicability but lack nuclear-specific terminology and regulatory structure.

Gaps

Nuclear-specific scope definitions for safety, security, and EP functions are not addressed by SP 800-53. The NRC licensing and inspection regime, integration with the facility physical protection program under 10 CFR 73.55, and the defense-in-depth concept linking cyber security to nuclear safety are absent. The regulation requires identification of systems whose compromise could adversely impact safety, security, or EP -- a nuclear-specific categorization methodology beyond FIPS 199.

73.54(b) Cyber Security Plan

Rationale

PL-01 and PL-02 establish security planning policy and system security plans. PM-01 defines the organizational information security program. PM-02 assigns senior information security officer roles. PM-03 addresses resource allocation for security. PM-09 establishes risk management strategy. These controls collectively support development of a comprehensive cyber security plan with governance, resourcing, and strategic alignment.

Gaps

The NRC requires the cyber security plan to be submitted to and approved by the NRC as a license condition -- a regulatory review and approval process with no SP 800-53 equivalent. The regulation mandates a dedicated Cyber Security Assessment Team (CSAT) with nuclear-specific qualifications. The plan must integrate with the facility physical security plan under 10 CFR 73.55, coordinating cyber and physical protection in a manner not addressed by IT-centric security planning controls.

73.54(c)(1) Protection of Critical Digital Assets

Rationale

SC-07 provides boundary protection for network segmentation around critical systems. AC-03 enforces access control policies on digital assets. AC-04 controls information flow between security domains. SC-28 protects data at rest on critical systems. SC-32 establishes system partitioning to isolate critical components. These controls address the technical protection mechanisms applicable to Critical Digital Assets (CDAs).

Gaps

The CDA identification methodology -- determining which digital assets have a safety, security, or EP nexus -- is a nuclear-specific process not addressed by SP 800-53. Protection requirements must align with the Design Basis Threat (DBT) defined by the NRC, which includes insider threats and adversary capabilities specific to nuclear facilities. Nuclear safety system isolation requirements (e.g., complete electrical isolation of safety-related I&C) exceed the logical separation concepts in SP 800-53.

73.54(c)(2) Defense-in-Depth Protective Strategies

Rationale

SC-07 boundary protection supports network segmentation between security levels. SC-32 system partitioning enables separation of safety and non-safety systems. AC-04 information flow enforcement controls data movement between levels. SC-46 cross-domain policy enforcement addresses inter-level data transfer controls. PL-08 security and privacy architectures provides the architectural foundation for defense-in-depth design.

Gaps

RG 5.71 defines a nuclear-specific 5-level security architecture: Level 4 (safety systems), Level 3 (security and EP systems), Level 2 (support systems), Level 1 (corporate network), and Level 0 (external networks). Physical and logical isolation of Level 4 systems -- including unidirectional data flow, air gaps, and hardware-enforced separation -- goes far beyond SP 800-53 network segmentation concepts. The deterministic behavior requirements for safety I&C systems and the prohibition of bidirectional communication paths to safety networks are nuclear-specific protections.

73.54(d) Ongoing Assessment and Program Review

Rationale

CA-07 continuous monitoring maintains ongoing security posture awareness. PM-06 measures of performance tracks security program effectiveness. PM-14 testing, training, and monitoring ensures ongoing program validation. PM-15 security and privacy groups/associations maintains external engagement for threat intelligence. RA-07 risk response ensures risk treatment actions are current and effective.

Gaps

NRC triennial cyber security inspections are conducted by NRC regional inspectors using nuclear-specific inspection procedures -- a regulatory oversight mechanism with no SP 800-53 equivalent. Program review is tied to facility license conditions and must be reported to the NRC. Integration with the Reactor Oversight Process (ROP) means cyber security performance feeds into the NRC's overall facility safety assessment, connecting cyber security program effectiveness to reactor operating license conditions.

RG5.71-A-AC Technical Controls - Access Control

Rationale

AC-02 account management provides lifecycle management for user accounts on CDAs. AC-03 access enforcement and AC-06 least privilege restrict access to authorized personnel. AC-05 separation of duties prevents single-person control of critical functions. AC-07 unsuccessful login attempts provides lockout mechanisms. AC-17 remote access controls restrict remote connectivity to CDAs. IA-02 identification and authentication of users, IA-03 device identification/authentication, IA-05 authenticator management, and IA-08 identification/authentication of non-organizational users together provide comprehensive I&A coverage.

Gaps

Nuclear-specific operator authentication requirements for control room environments -- including emergency bypass procedures that allow reactor operators to take immediate safety actions without authentication delays -- are not addressed. Physical key-switch access mechanisms for safety system activation and manual reactor trip capabilities bypass digital authentication entirely. Multi-person authentication requirements for safety-critical operations and nuclear-specific role qualifications (licensed reactor operators per 10 CFR 55) are outside SP 800-53 scope.

RG5.71-A-AU Technical Controls - Audit and Accountability

Rationale

AU-02 defines auditable events for CDAs. AU-03 specifies audit record content including user identity, timestamp, and event outcome. AU-04 ensures adequate audit storage capacity. AU-05 handles audit processing failure responses. AU-06 provides audit review, analysis, and reporting capabilities. AU-08 time stamps ensure accurate event correlation. AU-09 protects audit records from unauthorized modification. AU-12 generates audit records at defined events. SI-04 provides continuous system monitoring and intrusion detection.

Gaps

Nuclear-specific audit events -- including control rod position changes, reactor trip signals, Engineered Safety Features Actuation System (ESFAS) activations, and safety parameter changes -- require domain-specific event taxonomies not defined in SP 800-53. QA records retention requirements under 10 CFR 50 Appendix B mandate specific retention periods and quality assurance controls for safety-related audit data. Audit systems must not interfere with real-time safety system performance, a constraint not addressed by general audit controls.

RG5.71-A-SC Technical Controls - System and Communications Protection

Rationale

SC-07 boundary protection and SC-32 system partitioning provide network segmentation. SC-08 transmission confidentiality and integrity protects data in transit. SC-12 and SC-13 address cryptographic key management and protection. SC-23 session authenticity prevents session hijacking. SC-28 protects information at rest. SC-45 system time synchronization ensures coordinated timestamps across CDAs. SC-46 cross-domain policy enforcement manages data transfer between security levels.

Gaps

Unidirectional security gateways (data diodes) between safety and non-safety networks are a fundamental nuclear requirement not specifically addressed by SP 800-53 boundary protection controls. Deterministic communication protocols for safety I&C systems -- ensuring bounded response times for safety functions -- are outside the scope of general communications protection. Nuclear-qualified communication protocols and the prohibition of routable protocols on safety networks represent domain-specific requirements beyond SP 800-53.

RG5.71-A-SI Technical Controls - System and Information Integrity

Rationale

SI-02 flaw remediation addresses patching and vulnerability management. SI-03 malicious code protection provides anti-malware capabilities. SI-04 system monitoring enables detection of integrity violations. SI-07 software, firmware, and information integrity uses cryptographic hashes and digital signatures to verify CDA software. SI-16 memory protection prevents unauthorized code execution. CM-14 signed components ensures authenticity of software and firmware distributed to CDAs.

Gaps

Nuclear qualification of patches and updates requires 10 CFR 50.59 screening to determine if modifications could affect safety functions -- a regulatory evaluation process with no SP 800-53 equivalent. Safety system verification and validation (V&V) requirements mandate independent review of all software changes. The QA program for software modifications under 10 CFR 50 Appendix B imposes documentation, review, and approval requirements exceeding standard change management controls.

RG5.71-B-CM Operational Controls - Configuration Management

Rationale

CM-02 baseline configuration establishes approved configurations for CDAs. CM-03 configuration change control manages modifications through a formal process. CM-04 impact analysis evaluates changes before implementation. CM-05 access restrictions for change limits who can modify configurations. CM-06 configuration settings enforces secure settings. CM-07 least functionality disables unnecessary services. CM-08 system component inventory maintains a complete CDA inventory. RA-05 vulnerability monitoring and scanning identifies weaknesses.

Gaps

Nuclear-specific change management under 10 CFR 50.59 requires evaluation of whether configuration changes could create an unreviewed safety question -- a regulatory screening process beyond SP 800-53 change control. Safety system configuration control requires QA oversight per 10 CFR 50 Appendix B with independent verification. Changes affecting Technical Specifications require NRC license amendment approval, a regulatory gate not represented in standard configuration management.

RG5.71-B-CP Operational Controls - Contingency Planning

Rationale

CP-01 and CP-02 establish contingency planning policy and plans for CDA recovery. CP-04 contingency plan testing validates recovery procedures. CP-09 system backup and CP-10 system recovery provide data protection and restoration capabilities. IR-01 and IR-02 define incident response policy and procedures. IR-04 incident handling provides structured response processes. IR-06 incident reporting establishes reporting channels and timelines.

Gaps

Integration with nuclear Emergency Operating Procedures (EOPs) and Abnormal Operating Procedures (AOPs) is not addressed -- cyber incidents affecting safety systems must be managed within the plant's emergency response framework. NRC 1-hour event notification requirements under 10 CFR 73.71 impose specific reporting timelines and content requirements to the NRC Operations Center. Coordination with the plant Technical Support Center (TSC) during cyber events and integration with the site emergency plan under 10 CFR 50.47 are nuclear-specific contingency requirements.

RG5.71-B-MA Operational Controls - Maintenance

Rationale

MA-01 establishes maintenance policy for CDAs. MA-02 controlled maintenance ensures scheduled and documented maintenance activities. MA-03 maintenance tools controls tools brought into CDA environments. MA-04 nonlocal maintenance restricts remote maintenance access. MA-05 maintenance personnel vets individuals performing CDA maintenance. MA-06 timely maintenance ensures prompt corrective actions. MP-02 media access restricts access to digital media. MP-04 media storage protects media containing CDA data. MP-06 media sanitization ensures secure disposal. MP-07 media use restricts portable and removable media.

Gaps

Integration with the nuclear Maintenance Rule (10 CFR 50.65), which requires monitoring the effectiveness of maintenance activities for safety-related structures, systems, and components, is not addressed. Maintenance activities during different reactor modes (power operation, hot standby, cold shutdown) have mode-specific restrictions not captured in SP 800-53. Portable and mobile device restrictions in vital areas -- including prohibition of wireless devices and strict controls on removable media introduced into protected areas -- exceed general media protection controls.

RG5.71-B-PE Operational Controls - Physical and Environmental Protection

Rationale

PE-01 establishes physical and environmental protection policy. PE-02 physical access authorizations and PE-03 physical access control manage entry to CDA locations. PE-04 access control for transmission manages physical access to communication infrastructure. PE-06 monitoring physical access provides surveillance. PE-08 visitor access records tracks non-authorized personnel. PE-09 power equipment and cabling protects electrical infrastructure. PE-11 emergency power ensures uninterruptible power. PE-13 fire protection, PE-14 environmental controls, and PE-15 water damage protection address environmental threats to CDAs.

Gaps

Nuclear vital area access controls under 10 CFR 73.55 define protected areas and vital areas with armed security force response -- a level of physical protection far exceeding standard data center controls. The integration of cyber security with the facility's physical protection program, including vehicle barriers, intrusion detection, and armed response, is nuclear-specific. Protected area definitions, vital area designations, and the two-person rule for vital area access are regulatory requirements not addressed by SP 800-53 physical security controls.

RG5.71-C-AT Management Controls - Awareness and Training

Rationale

AT-01 establishes security awareness and training policy. AT-02 provides security awareness training to all personnel. AT-03 delivers role-based security training for CDA administrators and operators. AT-04 maintains training records. PM-13 security and privacy workforce establishes competency requirements. PM-14 testing, training, and monitoring ensures ongoing training effectiveness through exercises and evaluations.

Gaps

NRC-mandated security training qualification requirements specify minimum training hours and competency assessments for cyber security personnel at nuclear facilities. Annual cyber security exercises must include realistic scenarios involving CDAs and integration with facility emergency response. Safeguards Information (SGI) handling training under 10 CFR 73.22 is a nuclear-specific requirement for personnel with access to sensitive security information about nuclear facilities.

RG5.71-C-CA Management Controls - Security Assessment and Authorization

Rationale

CA-01 establishes assessment and authorization policy. CA-02 control assessments evaluate CDA security control effectiveness. CA-05 plan of action and milestones tracks remediation. CA-06 authorization provides management risk acceptance. CA-07 continuous monitoring maintains ongoing awareness of security posture. CA-08 penetration testing validates defenses through adversarial simulation. PM-14 testing, training, and monitoring ensures ongoing program effectiveness.

Gaps

The NRC cyber security inspection program -- conducted by NRC regional inspectors using nuclear-specific inspection procedures -- has no SP 800-53 equivalent. Cyber Security Assessment Team (CSAT) requirements mandate a dedicated team with nuclear domain expertise for ongoing assessment. Triennial cyber security exercises coordinated with the NRC and potentially involving force-on-force elements are nuclear-specific assessment requirements beyond standard penetration testing.

RG5.71-C-PL Management Controls - Planning and Risk Assessment

Rationale

PL-01 and PL-02 provide security planning policy and system security plans. PL-08 security and privacy architectures supports defense-in-depth planning. RA-01 establishes risk assessment policy. RA-02 security categorization classifies CDAs. RA-03 risk assessment identifies threats and vulnerabilities. RA-05 vulnerability monitoring and scanning detects weaknesses. RA-07 risk response defines treatment strategies. RA-09 criticality analysis identifies critical CDAs. CA-02 control assessments evaluate control effectiveness. CA-06 authorization provides management acceptance of risk.

Gaps

Nuclear Probabilistic Risk Assessment (PRA) integration is not addressed -- cyber risk must be evaluated in the context of core damage frequency and large early release frequency metrics used in nuclear safety analysis. Safety significance determination processes that categorize equipment based on risk insights (10 CFR 50.69) are nuclear-specific. The NRC inspection and enforcement framework under Inspection Manual Chapter (IMC) 0609, including significance determination processes for cyber security findings, has no SP 800-53 equivalent.

RG5.71-C-PS Management Controls - Personnel Security

Rationale

PS-01 establishes personnel security policy. PS-02 position risk designation categorizes roles by sensitivity. PS-03 personnel screening conducts background investigations. PS-04 personnel termination manages access revocation. PS-05 personnel transfer adjusts access for role changes. PS-06 access agreements formalizes security responsibilities. PS-07 external personnel security extends controls to contractors. PS-08 personnel sanctions establishes consequences for violations.

Gaps

The nuclear access authorization program under 10 CFR 73.56 requires extensive background investigations, psychological assessments, and ongoing behavioral observation programs far exceeding standard personnel screening. Fitness-for-duty requirements under 10 CFR 26, including drug and alcohol testing and work-hour restrictions, are nuclear-specific. Unescorted access authorization to protected and vital areas requires nuclear-specific trustworthiness and reliability determinations not addressed by SP 800-53 personnel security controls.

RG5.71-C-SR Management Controls - Supply Chain

Rationale

SR-01 establishes supply chain risk management policy. SR-02 supply chain risk assessment evaluates vendor risks. SR-03 supply chain controls and processes implements protections. SR-05 acquisition strategies for supply chain addresses procurement security. SR-06 supplier assessments and reviews evaluates vendor security posture. SR-11 component authenticity verifies genuine components. SA-04 acquisition process integrates security into procurement. SA-09 external system services manages third-party service risks. CM-14 signed components ensures software and firmware authenticity.

Gaps

Nuclear supply chain requirements under 10 CFR 21 mandate reporting of defects and noncompliance in safety-related components to the NRC -- a regulatory reporting obligation with no SP 800-53 equivalent. Safety-related procurement QA under 10 CFR 50 Appendix B requires commercial-grade dedication processes and supplier audit programs specific to nuclear quality. Counterfeit, fraudulent, and suspect items (CFSI) programs following EPRI guidance on digital supply chain integrity address nuclear-specific risks in long-lifecycle safety systems.

Methodology and Disclaimer

This coverage analysis maps from 10 CFR 73.54 clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.

Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.

This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.