还剩16页未读,继续阅读
本资源只提供10页预览,全部文档请下载后查看!喜欢就下载吧,查找使用更方便
文本内容:
高级英语翻译英汉比照•RetainingandreviewingrecordsofCDAconfigurationchangesandauditactivitiesassociatedwithCDAconfigurationchangesandemploying{manualand/orautomated}mechanismsto:-DocumentchangestoCDAsNotifydesignatedapprovalauthoritiesandProhibitimplementationofchangesuntildesignatedapprovalsarereceivedanddocumented.
3.
11.5SecurityImpactAnalysisofChangesandEnvironment.
11.5环境改变和平安影响分析The{CalvertCliffs3NuclearProjectLLCJsCSTperformsasecurityimpactassessmentbeforemakingchangestoCDAsconsistentwith{Section
1.
4.
2.2ofthisplan}tomanagethecyberriskresultingfromthechanges.TheCSTevaluatesdocumentsandincorporatesintothesecurityimpactanalysisanyidentifiedsafetyandsecurityinterdependencies.The{CalvertCliffs3NuclearProjectLLC}performsanddocumentsthesecurityimpactassessmentaspartofthechangeapprovalprocess..
11.6AccessRestrictionsforChange
3.
11.6更改访问限制•InappropriateprivilegesbeinggrantedtousersprocessesorapplicationsWeakauthenticationmechanismsImproperlyorfailingtovalidateinputandoutputdataInsecureorinadequateloggingofsystemerrorsorsecurity-relatedinformationInadequatelyboundedbuffersFormatstringvulnerabilitiesPrivilegeescalationvulnerabilitiesUnsafedatabasetransactionsUnsafeuseofnativefunctioncallsHiddenfunctionsandvulnerablefeaturesembeddedinthecodeImplementedsecurityfeaturesdonotthemselvesacttoincreasetheriskofsecurityvulnerabilitiesincreasesusceptibilitytocyberattackorreducethereliabilityofdesign-basisfunctions.UseofunsupportedorundocumentedmethodsorfunctionsandUseofundocumentedcodeormaliciousfunctionsthatmightalloweitherunauthorizedaccessoruseofthesystemorthesystemtobehavebeyondthesystemrequirements.2anddeveloperscybersecurityprogrammaintainstheintegrityoftheacquiredsystemuntiltheproductisdeliveredtothe{CalvertCliffs3NuclearProjectLLC}byimplementingequivalentsecuritycontrolsasdescribedinRG
5.71topreventtamperingandtoprovidehighassurancethattheintegrityofthedevelopedCDAismaintaineduntildeliveredtothelicensee.{CalvertCliffs3NuclearProjectLLC}requiresthedevelopertoperformanddocumentthatsecurityrequirementsareverifiedandvalidatedandthatsecuritycontrolsimplementedintheproductandusedtomeettherequirementsofthisplanaretestedtoensuretheyareeffectiveperSection
1.
4.
1.
2.{CalvertCliffs3NuclearProjectLLC}requiresdocumentationofallofthefollowingactivities:SystemdesigntransformedintocodedatabasestructuresandrelatedmachineexecutablerepresentationsHardwareandsoftwareconfigurationandsetupSoftwarecodingpracticesandtestingCommunicationconfigurationandsetupincludingtheincorporationofreusedsoftwareandcommercialoff-the-shelfproductsTheresultsofunittestsperformedtoensurethatthecodewasdevelopedcorrectlyandaccuratelyandcompletelyreflectsthesecuritydesignconfigurationtransformationsfromtherequirementsDetailsoftheimplementationofeachrequiredsecurityfeaturewithinthedevelopedcodebase.ThelistingincludesreferencethecodedfunctionsandmoduleswithinthecodebasethatweredevelopedtoimplementthesecurityfeaturesSecurityconfigurationsimplementedtomeetsecuritydesignfeaturesspecifiedintherequirementsOperatingsystemsecurityconfigurationsimplementedtomeetsecuritydesignfeaturesspecifiedintherequirementsaredocumentedForprogramminglanguagesthatsupportstaticanalysissourcecodescannersresultsofthefollowingaredocumented:Thestaticsourcecodevulnerabilityanalysisperformedtoinspectthedevelopedcodeforpotentialsecuritydefectspoorprogrammingpracticeshiddenfunctionsandvulnerablefeatureswithinthecodeduringtheimplementationofthecodebaseandmethodsappliedtoeliminatethesevulnerabilities•ThesecuritydefecttrackingmetricsusedtocaptureandtracktheidentificationtypeclassificationcauseandremediationofsecuritydefectsfoundwithinthecodeandThedefectsencounteredduringthetranslationofthedesignfeaturesspecifiedintherequirementsintocode.Forallprogramminglanguagestheresultsofthefollowingaredocumented:-AdynamicsourcecodevulnerabilityanalysisperformedtoinspectthedevelopedcodeforpotentialsecuritydefectspoorprogrammingpracticeshiddenfunctionsandvulnerablefeatureswithinthecodeduringtheimplementationofthecodebaseandmethodsappliedtoeliminatethesevulnerabilitiesThesecuritydefecttrackingmetricsusedtocaptureandtracktheidentificationtypeclassificationcauseandremediationofsecuritydefectsfoundwithinthecodeandThedefectsencounteredduringthetranslationofthedesignfeaturesspecifiedintherequirementsintocode.一一{CalvertCliffs3NuclearProjectLLC}requiresthatCDAdevelopers/integrators:•PerformconfigurationmanagementduringCDAdesigndevelopmentimplementationandoperationManageandcontrolchangestotheCDAImplementonly{CalvertCliffs3NuclearProjectLLC}approvedchangesDocumentapprovedchangestotheCDAandTracksecurityflawsandflawresolution.Licensee/Applicanttesting被许可方/申请人测试{CalvertCliffs3NuclearProjectLLC}verifiesandvalidatestheresultsofthedeveloperssecuritytestinginconductedinaccordancewithSection
3.
12.5above.{CalvertCliffs3NuclearProjectLLC}isresponsibleforthefollowing:TestingCDAe.g.offlineonacomparableCDAsecuritydevicessecuritycontrolsandsoftwaretoensurethattheydonotcompromisetheCDAortheoperationofaninterconnectedCDAoperationbeforeinstallationTestingtoensurethatCDAsdonotprovideapathwaytocompromisetheCDAorotherCDAsImplementationofthesecuritycontrolsinSections2and3ofthisplaninaccordancewiththeprocessdescribedinSection
1.
3.
1.6ofthisplanTestingofthesecuritycontrolsforeffectivenessasdescribedinSection
1.
4.
1.2ofthisplanPerformanceofvulnerabilityscansinaccordancewithSection
1.
4.
1.3ofthisplanandSection
3.
13.1ofthisplanagainsttheCDAinitsintegratedstateandcorrectioneliminationordiscussionofdiscoveredvulnerabilitiesInstallationandtestingoftheCDAinthetargetenvironmentandPerformanceofanacceptancereviewandtestoftheCDAsecurityfeatures.{CalvertCliffs3NuclearProjectLLC}documentsthefollowing:・SecuritycontrolsimplementedinaccordancewithSection2ofthisplan.VerificationoftheeffectivenessofthesecuritycontrolsimplementedinaccordancewithSection3ofthisplan.SecuritydesignfeaturesdevelopedtoaddresstheidentifiedsecurityrequirementsfortheCDAifanyinadditiontothesecuritycontrolsimplementedinaccordancewithSection2ofthisplan.Foreachsecurityfeatureorconfigurationtobeimplementedthedocumentationincludesadescriptionofthefeatureitsmethodofimplementationandanyconfigurableoptionsassociatedwiththefeatureareprovided.Eachsecurityfeaturedesignedintothesystemistraceabletoitscorrespondingsecurityrequirement.Thesecurityreviewsoftheimplementeddesignbythecybersecurityorganizationresponsiblefortheprotectionofthecriticalassets/systems/networksaredocumented.Thereviewensuresthatthesecuritydesignconfigurationitemtransformationsfromtherequirementsimplementedarecorrectaccurateandcomplete.{CalvertCliffs3NuclearProjectLLC}requires{annual}auditsofCDAstoverifythefollowing:Thesecuritycontrolspresentduringtestingremaininplaceandarefunctioningcorrectlyintheproductionsystem.CDAsarefreefromknownvulnerabilitiesandsecuritycompromisesandcontinuetoprovideinformationonthenatureandextentofcompromisesshouldtheyoccur.Thechangemanagement{processand/orprogramisfunctioningeffectivelyandisrecordingconfigurationchangesappropriately.
3.13SecurityAssessmentandRiskManagement
3.13平安评估与风险管理
3.
13.1ThreatandVulnerabilityManagement
3.
13.1威逼和漏洞管理{CalvertCliffs3NuclearProjectLLC}doesthefollowing:PerformassessmentsandscansforvulnerabilitiesinCDAs{nolessfrequentlythanonceaquarter}andatrandomintervalsinaccordancewithSection
1.
4.
1.3ofthisplanandwhennewpotentialCDAvulnerabilitiesarereportedoridentified.Employvulnerabilityscanningtoolsandtechniquesthatpromoteinteroperabilityamongtoolsandautomatingpartsofthevulnerabilitymanagementprocessby:EnumeratingplatformssoftwareflawsandimproperconfigurationsFormattingandmakingtransparentchecklistsandtestproceduresandMeasuringvulnerabilityimpacts.•AnalyzevulnerabilityscanreportsandremediatevulnerabilitieswithinatimeperiodthatwillprovidehighassurancethatCDAsareprotectedfromcyberattacksuptoandincludingtheDBT.EliminatesimilarvulnerabilitiesinotherCDAs.EmployvulnerabilityscanningtoolsthatincludethecapabilitytoupdatethelistofcybervulnerabilitiesscannedandupdatethelistofCDAvulnerabilitiesscanned{monthly}andwhennewvulnerabilitiesareidentifiedandreported.Employvulnerabilityscanningproceduresthatmaximizethebreadthanddepthofcoveragei.e.CDAcomponentsscannedandvulnerabilitieschecked.DiscernanddocumentwhatinformationassociatedwiththeCDAisdiscoverablebyadversaries.PerformsecuritytestingtodeterminethelevelofdifficultyincircumventingthesecuritycontrolsoftheCDA.{Testingmethodsincludepenetrationtestingmalicioususertestingandindependentverificationandvalidation.}IncludeprivilegedaccessauthorizationtoCDAsforselectedvulnerabilityscanningactivitiestofacilitatemorethoroughscanning.EmployautomatedmechanismstocomparetheresultsofvulnerabilityscansovertimetodeterminetrendsinCDAvulnerabilitiesandmitigation/flawremediationactivities.EmployautomatedmechanismstodetectandnotifyauthorizedpersonnelofthepresenceofunauthorizedsoftwareonCDAs.EnsurethatSSEPfunctionsarenotadverselyimpactedbythescanningprocess.WherethismayoccurCDAsareremovedfromserviceorreplicatedtotheextentfeasiblebeforescanningisconductedorbescheduledtooccurduringplannedCDAoutageswheneverpossible.Where{CalvertCliffs3NuclearProjectLLC}cannotconductvulnerabilityscanningonaproductionCDAbecauseofthepotentialforanadverseimpactonSSEPfunctionsalternatecontrolse.g.providingareplicatedsystemorCDAtoconductscanningareemployed.The{CalvertCliffs3NuclearProjectLLC}reviewshistoricauditlogstodetermineifavulnerabilityidentifiedintheCDAhasbeenpreviouslyexploited.
3.
13.2RiskMitigation.
13.2缓解风险Protectionandmitigationofriskareachievedbyimplementing1thedefense-in-depthstrategiesdiscussedinSectionC.
3.2oftoRG
5.712thesecuritycontrolsdescribedinSections2and3ofthisplanand3digitalequipmentandsoftwarecyberattackdetectionpreventionandrecoverytechniquesandtoolstothesystemsstructuresandcomponentswithinthescopeoftheruleand4Section
1.4ofthisplan.{CalvertCliffs3NuclearProjectLLC}hasthedetailedinformationonhowtheserequirementsareimplementedtoachievethehighassuranceobjectivesofsecuritycontrolsspecifiedinthisplan.ThedetailedinformationisavailableforNRCinspectionsandaudits..
13.3CorrectiveActionProgram
3.
13.3订正措施方案{CalvertCliffs3NuclearProjectLLC}establishedimplementedanddocumentedthecriteriaconsistentwithRG
5.71foradverseconditionsandtherequirementsforcorrectiveaction.Theadverseimpactresultingfromacybersecurityincidentisevaluatedtrackedandadjustedinaccordancewiththe{CalvertCliffs3NuclearProjectLLC}CorrectiveActionProgramandinamannerconsistentwithRG
5.
71.{CalvertCliffs3NuclearProjectLLCdefinesdocumentsapprovesandenforcesphysicalandlogicalaccessrestrictionsassociatedwithchangestoCDAsandgeneratesretainsandauditstherecord{quarterlyandwhenthereareindicationsthatunauthorizedchangesmayhaveoccurred.{CalvertCliffs3NuclearProjectLLC}implementsitsconfigurationmanagementprogramtoaddressdiscovereddeviations.{CalvertCliffs3NuclearProjectLLC}employsautomatedmechanismstodetectunauthorizedchangestoenforceaccessrestrictionsandtosupportsubsequentauditsofenforcementactions.{CalvertCliffs3NuclearProjectLLC}documentsthejustificationanddetailsforalternatecompensatingsecuritycontrolsforsituationsinwhichaCDAcannotsupporttheuseofautomatedmechanismstoenforceaccessrestrictionsandtosupportsubsequentauditsofenforcementactionsincludingallofthefollowing:••PhysicallyrestrictingaccessMonitoringandrecordingphysicalaccesstoenabletimelydetectionandresponsetointrusionsEmployingauditingandvalidationmeasurese.g.securityofficerroundsperiodicmonitoringoftampersealsEnsuringauthorizedindividualsaretrustworthyandreliableinaccordancewith10CFR
73.56EnsuringthatauthorizedindividualsareoperatingunderestablishedworkmanagementcontrolsandConductingpostmaintenancetestingtovalidatethatchangesareimplementedcorrectly.
3.
11.7ConfigurationSettings
3.
11.7配置设置{CalvertCliffs3NuclearProjectLLC}appliesconfigurationsettingsforCDAsby1documentingthemostrestrictivemode2valuatingoperationalrequirementsand3enforcinganddocumentingthemostrestrictiveoperationalconfigurationsettingsbaseduponexplicitoperationalrequirements.Thisisachievedbythefollowing:EstablishinganddocumentingconfigurationsettingsforCDAsthatreflectthemostrestrictivemodeDocumentingandapprovinganyexceptionsfromthemostrestrictivemodeconfigurationsettingsforindividualcomponentswithinCDAsbaseduponexplicitoperationalrequirementsEnforcingtheconfigurationsettingsinCDAsandmonitoringandcontrollingchangestoheconfigurationsettingsinaccordancewith{CalvertCliffs3NuclearProjectLLC}policiesandproceduresDocumentingandemployingautomatedmechanismsto{centrally}manageapplyandverifyconfigurationsettingsDocumentingandemploying{automatedmechanismsand/ormanualmechanisms}torespondtounauthorizedchangesto{CalvertCliffs3NuclearProjectLLC-definedconfigurationsettingsandDocumentingthejustificationforalternatecompensatingsecuritycontrolsforsituationsnwhichaCDAcannotsupporttheuseofautomatedmechanismsto{centrally}manageapplyandverifyconfigurationsettingsincludingallofthefollowing:-PhysicallyrestrictingaccessMonitoringandrecordingphysicalaccesstoenabletimelydetectionandresponsetointrusionsEmployingauditing/validationmeasurese.g.securityofficerroundsperiodicmonitoringoftampersealsEnsuringauthorizedindividualsaretrustworthyandreliableinaccordancewith10CFR
73.56EnsuringthatauthorizedindividualsareoperatingunderestablishedworkmanagementcontrolsandConductingpostmaintenancetestingtovalidatethatchangesareimplementedcorrectly.
3.
11.8LeastFunctionality.
11.8最小功能{CalvertCliffs3NuclearProjectLLC}configuresanddocumentsCDAconfigurationsettingstoprovideonlyessentialcapabilitiesandspecificallyprohibitsprotectsandrestrictstheuseofinsecurefunctionsportsprotocolsandservices.{CalvertCliffs3NuclearProjectLLCreviewsCDAs{monthly}toidentifyandeliminateunnecessaryfunctionsportsprotocolsandservices.{CalvertCliffs3NuclearProjectLLCdocumentsandemploysautomatedmechanismstopreventprogramexecution.CalvertCliffs3NuclearProjectLLC}uses{white-listsblack-listsandgray-lists}applicationcontroltechnologies..
11.9ComponentInventory
3.
11.9组件库存{CalvertCliffs3NuclearProjectLLC}developsdocumentsandmaintainsaninventoryofthecomponentsofCDAsthathasthefollowingattributes:•AccuratelyreflectsthecurrentsystemconfigurationEnsuresthatthelocationlogicalandphysicalofeachcomponentisconsistentwiththeauthorizedboundaryoftheCDAProvidestheproperlevelofgranularitydeemednecessaryfortrackingandreportingandforeffectivepropertyaccountabilityUpdatestheinventoryofsystemcomponentsasanintegralpartofcomponentinstallationsandsystemupdatesEmploysautomatedmechanismstomaintainanup-to-datecompleteaccurateandreadilyavailableinventoryofsystemcomponentsEmploysautomatedmechanismstodetecttheadditionofunauthorizedcomponentsordevicesintotheenvironmentanddisablesaccessbysuchcomponentsordevicesornotifiesdesignated{CalvertCliffs3NuclearProjectLLC}officialsandDocumentsthe{namesorroles}oftheindividualsresponsibleforadministeringthosecomponents.•MANAGEMENTCONTROLS管理限制12SystemandServiceAcquisition
3.12系统和服务获得SystemandServicesAcquisitionPolicyandProcedures
12.1系统与服务获得政策和程序{CalvertCliffs3NuclearProjectLLCdevelopsdisseminatesand{annuallyreviewsandupdatesaformaldocumentedsystemandservicesacquisitionpolicythataddressespurposescoperolesresponsibilitiesmanagementcommitment{coordinationamong{CalvertCliffs3NuclearProjectLLC}entities}associatedsystemandserviceacquisitioncontrolsandcompliance.{CalvertCliffs3NuclearProjectLLC}developsdisseminatesand{annuallyreviewsandupdatesformaldocumentedprocedurestofacilitatetheimplementationofthesystemandservicesacquisitionpolicyandassociatedsystemandservicesacquisitioncontrols.SupplyChainProtection{CalvertCliffs3NuclearProjectLLC}protectsagainstsupplychainthreatsandvulnerabilitybyemployingthefollowinglistofmeasurestoprotectagainstsupplychainthreatstomaintaintheintegrityoftheCDAsthatareacquired:•EstablishmentoftrusteddistributionpathsValidationofvendorsandRequiringtamperproofproductsortamperevidentsealsonacquiredproducts.{CalvertCliffs3NuclearProjectLLC}performsananalysisforeachproductacquisitiontodeterminethattheproductprovidesthesecurityrequirementsnecessarytoaddressthesecuritycontrolsinSections2and3ofthisplan.{CalvertCliffs3NuclearProjectLLC}usesheterogeneitytomitigatevulnerabilitiesassociatedwiththeuseofasinglevendor5sproduct.1Trustworthiness{CalvertCliffs3NuclearProjectLLC}requiresthatsoftwaredevelopersemploysoftwarequalityandvalidationmethodstominimizeflawedormalformedsoftware.{CalvertCliffs3NuclearProjectLLC}establishesimplementsanddocumentsrequirementstorequirealltoolsusedtoperformcybersecuritytasksorSSEPfunctionstoundergoacommercialqualificationprocesssimilartothatforsoftwareengineeringtoolsthatareusedtodevelopdigitalinstrumentationandcontrolsystems.
12.4IntegrationofSecurityCapabilities{CalvertCliffs3NuclearProjectLLCdocumentsandimplementsaprogramtoensurethatnewacquisitionscontainsecuritydesigninformationcapabilitiesorbothtoimplementsecuritycontrolsinSection2ofthisplan.Suchsecuritycapabilitiesincludethefollowing:•BeingcognizantofevolvingcybersecuritythreatsandvulnerabilitiesBeingcognizantofadvancementsincybersecurityprotectivestrategiesandsecuritycontrolsConductinganalysesoftheeffectsthateachadvancementcouldhaveonthesecuritysafetyandoperationofcriticalassetssystemsCDAsandnetworksandimplementingtheseadvancementsinatimelymannerandReplacinglegacysystemsastheyreachendoflifewithsystemsthatincorporatesecuritycapabilities.{CalvertCliffs3NuclearProjectLLCestablishestimeframestominimizethetimeittakestodeploynewandmoreeffectiveprotectivestrategiesandsecuritycontrols.
3.
12.5DeveloperSecurityTesting
3.
12.5开发人员平安测试{CalvertCliffs3NuclearProjectLLC}documentsandrequiresthatsystemdevelopersandintegratorsofacquiredCDAscreateimplementanddocumentasecuritytestandevaluationplantoensurethattheacquiredproductsmeetallspecifiedsecurityrequirements1thattheproductsarefreefromknowntestablevulnerabilitiesandmaliciouscodebyidentifyingandeliminatingthesefollowingvulnerabilitiesandothervulnerabilitiesthatmaychangewithnewtechnology:IWeakunprovenornonstandardcryptographicmodules{HeterogeneitywillbedeployedintheacquisitionofallCDAswherepossibleandapplicable.}•InsecurenetworkprotocolsforsensitivecommunicationsKnowninsecuresoftwarecomponentsorlibrariesKnownvulnerabilitiesInsecureconfigurationfilesoroptionsthatacttocontrolfeaturesoftheapplicationInadequateorinappropriateuseofaccesscontrolmechanismstocontrolaccesstosystemresources。
个人认证
优秀文档
获得点赞 0
