scope:

This Standard covers the cyber security of new and existing nuclear power plants (NPPs) and small reactor facilities.

Note: This Standard may provide guidance for nuclear facilities other than NPPs and small reactor facilities, using a risk-informed graded approach.

This Standard addresses cyber security for systems and components which perform or impact:

a) functions important to nuclear safety;

b) nuclear security functions;

c) emergency preparedness functions;

d) safeguard functions; and

e) those auxiliary functions which, if compromised, exploited, or failed, could adversely impact Item a), b), c), or d).

Note: This Standard may be applied to other functions, such as those related to production reliability.

This Standard pertains to the securing of cyber essential assets to protect against cyber attacks resulting in consequential degradation or loss of ability to perform their intended function, the compromise of their availability, integrity, and the loss of confidentiality of information that they store, process, or transmit.

This Standard does not apply to business systems (e.g., work management) and offline engineering systems, except for business systems that are part of the secure development environment at the time of development.

In this Standard, "shall" is used to express a requirement, i.e., a provision that the user is obliged to satisfy in order to comply with the standard; "should" is used to express a recommendation or that which is advised but not required; and "may" is used to express an option or that which is permissible within the limits of the standard.

Notes accompanying clauses do not include requirements or alternative requirements; the purpose of a note accompanying a clause is to separate from the text explanatory or informative material.

Notes to tables and figures are considered part of the table or figure and may be written as requirements.

Annexes are designated normative (mandatory) or informative (nonmandatory) to define their application.