SPECIAL NOTICE
R -- Training on Electric Power Research Institute's (EPRI) Technical Assessment Methodology (TAM), Revision 1
- Notice Date
- 4/12/2023 11:41:55 AM
- Notice Type
- Special Notice
- NAICS
- 541690
— Other Scientific and Technical Consulting Services
- Contracting Office
- NUCLEAR REGULATORY COMMISSION ROCKVILLE MD 20855 USA
- ZIP Code
- 20855
- Solicitation Number
- 31310023P0013
- Response Due
- 4/28/2023 1:00:00 PM
- Point of Contact
- MITCHELL, JEFFREY R., Phone: 3014155074
- E-Mail Address
- Jeffrey.Mitchell@nrc.gov
- Description
- Synopsis: The U.S. Nuclear Regulatory Commission (NRC) intends to award a non-competitive, firm fixed price purchase order to Electric Power Research Institute, 1300 West W.T. Harris Boulevard, Charlotte, NC 28262-8500 for the project entitled "Training on EPRI's Technical Assessment Methodology (TAM), Revision 1." The acquisition is conducted under the authority of Federal Acquisition Regulation (FAR) 13.106-1(b), which provides that contracting officers may solicit from one source if the contracting officer determines that the circumstances of the contract action deem only one source reasonably available (e.g., urgency, exclusive licensing agreements, brand-name or industrial mobilization). The designated North American Industry Classification System (NAICS) Code is 541690-Other Scientific and Technical Consulting Services. The anticipated period of performance is one year.

Background: As nuclear power plants move further toward digital I&C and toward the convergence of operational technology (OT) and information technology (IT), the cybersecurity attack surface of these plants increases, leading to potential increases in cyber attacks. NRC requires licensees to establish, maintain, and implement cybersecurity programs in accordance with 10 CFR 73.54. As part of their security plan, licensees should assess their critical digital assets to determine the attack surface, attack pathway, vulnerabilities, and threat information that provide the basis for selection of security controls to address these threats and vulnerabilities. Licensees have used Regulatory Guide (RG) 5.71, "Cyber Security Programs for Nuclear Power Reactors," or NEI 08-09, "Cyber Security Plan for Nuclear Power Reactors," as guidelines for creating and implementing their cybersecurity plans.

The Electric Power Research Institute (EPRI) developed its own proprietary approach, the Technical Assessment Methodology (TAM), to assess vulnerabilities and to evaluate and apply cybersecurity controls in power plants. TAM is a bottom-to-top cyber security engineering approach to assess and to mitigate cyber security vulnerabilities in equipment used in modern critical infrastructure such as power plants and transmission facilities. Licensees have started to use, or are considering using, TAM or a TAM-like approach to address the cybersecurity risks in their power plants. As licensees start to adopt the TAM approach, NRC staff and inspectors should have an in-depth understanding of how TAM works, how licensees apply it, and how it compares to the top-to-bottom approach that they have been using under guidance based on RG 5.71 and NEI 08-09. NRC staff and inspectors should be able to determine whether the TAM approach can provide the same rigor and equivalent level of protection as the defensive strategy, consisting of a defensive architecture and a set of tailored security controls, promoted by RG 5.71.

Objective: The objective of this contract/work is to provide in-depth training on EPRI's TAM methodology, so that NRC staff and inspectors can efficiently assess a licensee's cybersecurity plans that utilize the TAM approach. NRC staff and regional inspectors that oversee or inspect power plants, and assess the effectiveness of a licensee's cybersecurity program, would benefit, as the training would assist their cybersecurity inspection processes and allow them to understand how the TAM was applied, assess the defensive architecture, and evaluate the cybersecurity posture of the resulting network.

Contact: This Notice of Intent is NOT a request for proposal NOR a solicitation of offers; however, if any interested party believes they can meet the above requirements, it may submit a statement of capabilities. The statement of capabilities must be submitted in writing and must contain material in sufficient detail to allow the government to determine if the party can perform the requirements. Additionally, in order to perform work for the NRC, potential sources must be free of organizational conflict of interest (OCOI). For information on the NRC COI regulations, visit NRC Acquisition Regulation Subpart 2009.5 (https://www.nrc.gov/about-nrc/contracting/48cfr-ch20.html). A determination not to compete this proposed procurement based on responses to the notice is solely within the discretion of the Government. All interested parties must express their interest and capabilities in writing via e-mail to Jeffrey R. Mitchell, Contracting Officer, at Jeffrey.Mitchell@nrc.gov no later than April 28, 2023 by 4:00 P.M. Eastern Time.
- Web Link
- SAM.gov Permalink (https://sam.gov/opp/c64c2454f64c4a488dd5786a85f23b04/view)
- Record
- SN06647940-F 20230414/230412230106 (samdaily.us)
- Source
- SAM.gov Link to This Notice (may not be valid after Archive Date)