NRC 10 CFR 73.54 Nuclear Cybersecurity Requirements
The NRC's binding cybersecurity rule for nuclear power plants, requiring defense-in-depth protection for digital assets that could affect radiological safety and security functions.
Title 10 CFR Part 73.54, "Protection of Digital Computer and Communication Systems and Networks," promulgated by the US Nuclear Regulatory Commission (NRC) in 2009 and implemented through the guidance of NRC Regulatory Guide 5.71 (2010), is the primary cybersecurity regulation for commercial nuclear power plants. The rule requires licensees to establish, implement, and maintain a Cybersecurity Plan that provides high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks. The scope covers any digital asset that could adversely affect the performance of safety systems (10 CFR 50.55a), security systems (10 CFR 73), and emergency preparedness systems, together with any support system or equipment whose compromise could adversely impact those critical systems. These assets are collectively called Critical Digital Assets (CDAs).
NRC Reg. Guide 5.71 establishes a defense-in-depth and diversity (D3) architecture with eight security levels (Level 0 through Level 7), where Level 4 is the most critical (Safety and Important to Safety systems) and Level 7 represents corporate IT. The cardinal rule of nuclear cybersecurity is the unidirectional data flow requirement: Level 4 systems must not have any inbound communication pathway from a less-secure level; data may flow only outward (from Level 4 to Level 3), and only through hardware data diodes. No IP connectivity, no wireless, and no portable media without written procedures and monitoring. Any digital maintenance port (RS-232, USB, Ethernet maintenance port) on a CDA is itself a CDA and must be protected with physical locks, audit logging, and authorized-use-only procedures. Portable media introduced to any CDA system must be scanned on a dedicated, isolated scanning station before connection.
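As an added example (not NRC text and not any licensee's tooling), the following check encodes the unidirectional-flow rule as stated above against a pathway inventory, flagging inbound flows into a higher level, cross-level flows that are not diode-enforced, bidirectional links, and wireless on a Level 4 asset. The asset names, level assignments and pathways are constructed; the numbering assumption (a higher level is more protected, Level 4 at the top) follows the description above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pathway:
    src: str
    dst: str
    medium: str               # e.g. "data_diode", "ethernet", "serial", "wireless"
    bidirectional: bool = False


TOP_LEVEL = 4  # most critical level in the architecture described above

# Constructed inventory: asset name -> defensive level (higher = more protected).
ASSETS = {"rps-plc": 4, "historian": 3, "eng-ws": 2, "corp-mail": 0}

# Constructed pathways to audit. Only the first one is compliant.
PATHWAYS = [
    Pathway("rps-plc", "historian", "data_diode"),                   # outward via diode
    Pathway("rps-plc", "historian", "ethernet"),                     # outward but routable
    Pathway("eng-ws", "rps-plc", "serial"),                          # inbound to Level 4
    Pathway("historian", "eng-ws", "ethernet", bidirectional=True),  # two-way across levels
    Pathway("rps-plc", "eng-ws", "wireless"),                        # wireless on Level 4
]


def check_pathway(assets, p):
    """Return the reasons one pathway violates the stated rules (empty list if none)."""
    s, d = assets[p.src], assets[p.dst]
    reasons = []
    if p.bidirectional and s != d:
        reasons.append("bidirectional pathway across levels")
    if s < d:
        reasons.append(f"inbound flow from Level {s} into Level {d}")
    elif s > d and p.medium != "data_diode":
        reasons.append("cross-level flow not enforced by a hardware data diode")
    if p.medium == "wireless" and TOP_LEVEL in (s, d):
        reasons.append("wireless pathway touching a Level 4 asset")
    return reasons


def audit_pathways(assets, pathways):
    """List every non-compliant pathway with its reasons, in inventory order."""
    findings = []
    for p in pathways:
        reasons = check_pathway(assets, p)
        if reasons:
            findings.append((p, reasons))
    return findings


if __name__ == "__main__":
    for p, reasons in audit_pathways(ASSETS, PATHWAYS):
        print(f"{p.src} -> {p.dst} ({p.medium}): " + "; ".join(reasons))
```

A real inventory would also list maintenance ports as assets of their own, so that a port left on a routable segment shows up here as an inbound pathway.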
The NRC cybersecurity inspection program (Inspection Procedure 71130.10) evaluates licensee compliance through periodic inspections that examine: the CDA inventory and its completeness; implementation of the eight defense levels; cyber incident response procedures; supply chain controls for CDA components; and training records. A Cyber Security Assessment Team (CSAT) inspection can result in Severity Level III or IV violations for deficiencies in CDA protection. The NRC's 10 CFR 73.77 requires licensees to report cyber attacks that affect or could affect the performance of any safety, security, or emergency preparedness function within one hour of discovery — the most stringent incident reporting timeline of any US critical infrastructure sector. New reactor designs (AP1000, SMRs) must address cybersecurity in their Design Control Document (DCD) as part of the combined license (COL) application.
We support nuclear licensees in developing and implementing NRC Reg. Guide 5.71-compliant Cybersecurity Plans, performing CDA inventories and boundary analyses, designing Level 0–4 defense-in-depth architectures with hardware-enforced unidirectional controls, and preparing for NRC CSAT inspections. Our team includes specialists with nuclear cybersecurity implementation experience across both operating and new reactor programs.