Implementing Guide NST070 for Nuclear Safety Standards Committee Meeting

Explore the draft Implementing Guide NST070 for the upcoming Nuclear Safety Standards Committee meeting in June 2024. This guide focuses on information security within the Nuclear Security Series, providing insights into legislative frameworks, impact assessment, and the lifecycle of sensitive information. Learn about the scope, target audience, and key concepts covered in this essential document.

  • Nuclear Safety
  • Information Security
  • Nuclear Security Series
  • Legislative Frameworks
  • Sensitive Information

Presentation Transcript


  1. Nuclear Safety Standards Committee, 57th Meeting, 04-06 June 2024. Agenda item 4.6: Draft Implementing Guide NST070. Mitchell Hewes, Information Management, Division of Nuclear Security.

  2. Background: This Implementing Guide is planned as a revision of NSS 23-G, originally published in 2015. NSS No. 23-G is the only dedicated publication in the Nuclear Security Series (NSS) focusing on Information Security. Subsequently, the IAEA published NSS No. 42-G, Computer Security for Nuclear Security, in 2021, which expands the concept of Sensitive Information, treating computer logic as a subset.

  3. Development History: Document Preparation Profile (DPP) NST070 2022. June 2022: DPP approved by the Nuclear Security Guidance Committee (NSGC). 2022 - 2024: Development of Draft NST070 (3 Consultancy Meetings). March 2024: Approved by Coordination Committee (Step 6).

  4. Structure: INTRODUCTION; INFORMATION SECURITY CONCEPTS; LEGISLATIVE, REGULATORY AND POLICY FRAMEWORKS FOR SECURING SENSITIVE INFORMATION; IMPACT ASSESSMENT AND CLASSIFICATION OF SENSITIVE INFORMATION; THE LIFE CYCLE OF SENSITIVE INFORMATION; IMPLEMENTATION AND SUSTAINABILITY OF INFORMATION SECURITY MANAGEMENT SYSTEMS; REFERENCES.

  5. Scope. Target audience: All those who are responsible for the security of sensitive information. Sensitive information is information, in whatever form, including software, the unauthorized disclosure, modification, alteration, destruction, or denial of use of which could compromise nuclear security. Information Security is cross-cutting within the entire Nuclear Security Series of documents. NSS 42-G has established by consensus computer security as a complete subset of information security. NST070 proposes concepts and figures to move up to the level of NSS 23-G to recognise this (Fig. 1, 3, 4, 5, 6) with modifications to include non-computer based aspects of information security.

  6. Scope (cont.). Concepts covered: Information, information objects, information assets (Section 2); Legislative and regulatory consideration (para. 3.3-3.9); Designation of competent authorities (para. 3.11); Impacts of the compromise of sensitive information (para. 4.3). Challenges: Since information security can vary from one State to another, potentially being managed outside the nuclear security regime, this guidance presents a mechanism to merge considerations from broader approaches to information security in a unified policy framework within the nuclear security regime.

  7. Comments Received: 142 comments received before the 2024 June Committee meetings from: Australia, Cuba, Finland, France, Indonesia, Islamic Republic of Iran, Japan, Pakistan, Russian Federation, Saudi Arabia, Sweden, UAE, Ukraine, USA, IEC SC45A, ENISS, WNTI. Types of comments: editorial/typographical, additional text for clarification, and requests to rephrase or for additional detail. Comments received have been thoroughly considered and addressed. Resolution table and amended draft NST070 posted before the meeting.

  8. Comment Resolution Statistics: All Committees

     | Committee | Number of comments received | Accepted | Accepted with modifications | Rejected |
     |---|---|---|---|---|
     | RASSC, EPReSC (4 Member States) | 15 | 5 | 10 | 0 |
     | TRANSSC, NUSSC (1 Member State, WNTI) | 10 | 6 | 4 | 0 |
     | WASSC, NSGC (11 Member States, IEC SC45A, ENISS) | 117 | 51 | 57 | 9 |
     | TOTAL (16 Member States and 4 observers) | 142 | 55 Member State, 7 Observer | 62 Member State, 9 Observer | 4 Member State, 5 Observer |

  9. Comment Resolution Statistics: Basis for Modification. Clarifying para/line no. change is applied to. Applying change to first use in document or noting correct para when comment was misattributed. Editorial: Proposing merging of concepts requested in comments rather than additional sentences added to a para. Proposals provided to reduce repetition/ensure consistent terminology. Minor corrections to usage of information/information objects/information assets with/without sensitive prefix. Proposing correct placement in document (concepts in Section 2, implementation in Sections 3-6). Detailed responses to comments requesting additional content or redrafting of paras. where complete new text wasn't provided.

  10. Comment Resolution Statistics: Basis for Rejection. 4 comments requesting modifications to direct quotes from published consensus documents/definitions. 1 comment requesting a change implying full coverage of nuclear safety. NST070 has only been drafted to cover security (i.e. involving a criminal or other intentional unauthorized act) and not safety aspects such as reliability of information. 1 comment noting the only security risk is the unauthorized dissemination of information. The DPP for NST070 was approved to address all aspects related to confidentiality, integrity, and availability of sensitive information per its established consensus definition. 3 comments requesting guidance for i) the integration of international standards organizations into a nuclear security regime, ii) the integration of international standards into a State's legislative framework, or iii) making specific requests from a State to an international standards body to develop standards. Generic statement was developed noting that competent authorities could identify a national or international standard as supporting demonstrating adherence to a policy/regulatory framework. More specific comments about inclusion were rejected.

  11. Action Requested: The committee is requested to approve/clear as applicable NST070 for the submission for Member States' comments.

  12. Thank you!
