Saturday, March 29, 2014

Commercial Nuclear Power Plant Cyber Security Policy

The birth of the current security posture for commercial nuclear power plants is linked to the security imposed on the Manhattan Project, which ultimately resulted in the creation of the atomic bomb. Following World War II, the United States Congress passed the McMahon Act, which determined how the US government would control and manage nuclear technology. The legislation also created the Atomic Energy Commission (AEC). Congress amended the McMahon Act as the Atomic Energy Act of 1954, and included provisions for the security of nuclear material. The US Executive Branch promulgated the Act into Title 10 of the Code of Federal Regulations (CFRs).

10CFR73, Physical Protection of Plants and Materials, prescribes the requirements and maintenance of physical protection systems that have capabilities for the protection of special nuclear material. Further, regulations pertinent to cyber security are located in 10CFR73.54, Protection of Digital Computer and Communications Systems and Networks, which requires that nuclear plant operators provide high assurance that digital computer and communications systems and networks are adequately protected against cyber-attacks, up to and including the design basis threats.

The commercial nuclear industry lobbying group, the Nuclear Energy Institute (NEI), collaborated with the federal regulator, the Nuclear Regulatory Commission (USNRC), and developed NEI 08-09, Cyber Security Plan for Nuclear Power Reactors. When implemented, this document serves as a template or prototype for nuclear plant operators to develop a cyber-security plan that satisfies 10CFR73.54.
Nuclear plant operators are required to protect those digital assets subject to cyber-attack that would act to modify, destroy, or compromise the integrity or confidentiality of data and/or software; deny access to systems, services, and/or data; and impact the operation of systems, networks, and associated equipment, as they pertain to:

• Nuclear safety-related and important-to-safety functions;
• Security functions;
• Emergency preparedness functions, including offsite communications; and
• Support systems and equipment that, if compromised, would adversely affect safety, security, or emergency preparedness functions.

Nuclear plant operators have until December 31, 2015, to implement the requirements of 10CFR73.54. However, due to costs and other implementation coordination issues, some nuclear plant operators are requesting an extension of the deadline by a year or two.
