Authors: Amit Pawar (Xage Security), Bill Lawrence (ITEGRITI), Michael Sanchez (ITEGRITI), Tushar Trivedi (LTIMindtree)
This blog is the first of a two-part series. Part one establishes the regulatory and guidance baseline for nuclear cybersecurity—what the Nuclear Regulatory Commission (NRC) requires under 10 CFR 73.54, how Regulatory Guide (RG) 5.71 defines an acceptable compliance approach, and how NEI 08-09 is used in practice to build and operate a Cyber Security Plan.
Part two moves from guidance to execution, translating these requirements into enforceable technical control patterns for advanced reactors and modern operating models. It will focus on identity, segmentation, privileged and remote access, and audit-ready evidence, mapped to architectures increasingly used in advanced reactor programs.
Why Nuclear Cyber Is Being Tested Now
AI-driven data center growth has pulled firm, reliable generation back into strategic focus. Over the past year, hyperscalers have signed long-duration nuclear agreements, some tied to life extensions and uprates at existing plants and others underwriting advanced reactor programs.
What stands out is not ambition, but speed. As timelines compress, interfaces multiply: EPC partners, I&C vendors, digital supply chains, grid and market telemetry, and in some models, power campuses serving large colocated or contractually linked loads. These interfaces are precisely where nuclear cybersecurity programs are most likely to be stressed.
The good news is that U.S. nuclear cybersecurity expectations are not ambiguous. They are already defined through binding regulation and well-established guidance that the industry uses every day.
The Established Nuclear Cybersecurity Baseline
Three documents anchor the U.S. nuclear cybersecurity framework:
- 10 CFR 73.54 is the binding regulation. It requires nuclear plants to protect certain digital systems from cyber attack and to maintain layered defenses, incident response, and recovery capabilities.
- NRC Regulatory Guide (RG) 5.71, Revision 1 explains approaches the NRC staff considers acceptable for meeting the rule. It incorporates lessons learned over time and explicitly references industry guidance for identifying and protecting critical digital assets, including balance-of-plant and emergency preparedness systems.
- NEI 08-09, Cyber Security Plan for Nuclear Power Reactors, is the industry’s implementation template. It is widely used across the operating fleet and provides a practical structure for building and maintaining a site Cyber Security Plan, based on familiar security control families tailored for nuclear environments.
Together, these documents define both the required outcomes and the accepted path to compliance.
10 CFR 73.54 Requirements
10 CFR 73.54 requires licensees to provide high assurance that digital computer and communication systems and networks supporting the following functions are protected against cyber attacks:
- Safety-related and important-to-safety functions
- Security functions
- Emergency preparedness functions, including offsite communications
- Support systems that could adversely impact any of the above
The rule also requires a structured cybersecurity program that includes protective controls, defense-in-depth, and a documented Cyber Security Plan with incident response and recovery capabilities.
Critically, 10 CFR 73.54 is not limited to legacy plants. It explicitly applies to applicants and licensing pathways and is intended to be integrated into the overall physical protection program from the outset, with the same rigor expected of other safety and security disciplines.
What Changed in RG 5.71 Rev. 1—And Why It Matters Now
RG 5.71 Rev. 1 reflects a meaningful shift in how the NRC expects licensees to address modern digital environments. The revision incorporates industry guidance for identifying and protecting critical digital assets, clarifies expectations around defense-in-depth, and updates references to current cybersecurity standards.
The NRC’s Federal Register notice makes this explicit. The revision:
- Incorporates industry guidance for identifying and protecting critical digital assets across safety-related, important-to-safety, balance-of-plant, and emergency preparedness systems
- Clarifies guidance on defense-in-depth
- Updates references based on current NIST and IAEA cybersecurity standards, informed by inspection findings and operating experience
For advanced reactors and digitally modernized plants, these updates are especially significant. The question is no longer whether digital systems exist, but where the digital boundary is drawn, how critical digital assets are identified, and whether defensive architecture is strong enough to prevent modern integration pressures—from analytics platforms, vendors, and adjacent data-center models—from eroding segmentation.
How the Pieces Fit Together
Taken together, the framework operates as a three-layer stack: regulation at the foundation, NRC guidance defining acceptable approaches, and an industry implementation template that operationalizes requirements.
The table below summarizes how 10 CFR 73.54, RG 5.71 Rev. 1, and NEI 08-09 relate to one another and what each produces in practice.
| Source | What it is | Issuer | Primary purpose | Practical output |
| --- | --- | --- | --- | --- |
| 10 CFR 73.54 | Binding federal regulation | NRC | Defines mandatory cybersecurity outcomes, including protection of in-scope digital assets, defense-in-depth, and required incident response and recovery capabilities | A required cybersecurity program and an NRC-approved Cyber Security Plan |
| RG 5.71, Rev. 1 | NRC guidance describing an acceptable compliance approach | NRC | Explains approaches the NRC staff considers acceptable for meeting 10 CFR 73.54, incorporating lessons learned, updated NIST/IAEA guidance, and industry methods for identifying and protecting critical digital assets, including balance-of-plant and emergency preparedness systems | A clear set of expectations that can be mapped to system architecture, controls, and program design |
| NEI 08-09 | Industry cybersecurity plan template and implementation guidance | NEI | Provides a practical Cyber Security Plan structure and control framework used by most operating plants to implement and maintain their cybersecurity programs | A buildable, auditable Cyber Security Plan and repeatable implementation approach |
Why NEI 08-09 and RG 5.71 Matter More for Advanced Reactors
NEI 08-09 is not optional in practice. It has functioned as the de facto implementation backbone across the operating fleet, providing a control framework derived from recognized security control families and tailored for nuclear use. RG 5.71 reinforces this by explicitly recognizing industry guidance as part of an acceptable compliance approach.
Advanced reactor programs also expand the digital surface area earlier than traditional builds. Modern digital I&C, extensive sensing and telemetry, and vendor-integrated tooling are often deployed from day one. That expansion increases the number of systems that may fall within scope and makes early identification of critical digital assets and design-time control placement essential.
“Nuclear for AI” commercial models further amplify integration pressure. Even when data centers are not physically colocated, long-term PPAs and attribute-based contracts introduce new telemetry, reporting, and coordination workflows. These agreements are not cybersecurity documents, but they act as cyber forcing functions by increasing stakeholders, suppliers, data exchanges, and time-critical integration points.
| Hyperscaler | Nuclear Provider | Site/Program | Description |
| --- | --- | --- | --- |
| Meta | Constellation | Clinton Clean Energy Center | 20-year agreement beginning in 2027, supporting license renewal, continued operations, and a 30 MW uprate |
| Microsoft | Constellation | Three Mile Island Unit 1 (Crane Clean Energy Center) | 20-year agreement supporting restart plans and returning approximately 835 MW of firm generation to the PJM grid |
| Meta | Vistra | PJM nuclear fleet (Perry, Davis-Besse, Beaver Valley) | 20-year power purchase agreements tied to Perry and Davis-Besse, with additional uprates including Beaver Valley |
| Meta | TerraPower | Natrium program (Wyoming) | Development funding for up to two Natrium units (approximately 690 MW firm), with options tied to additional units |
| Meta | Oklo | Ohio power campus (proposed) | Agreement supporting development of a 1.2 GW power campus, including mechanisms for prepaying power |
| | Kairos Power | Advanced reactor program (site TBD) | Framework agreement targeting up to 500 MW by 2035, with early deployments anticipated around 2030 |
| Amazon | X-energy | Multiple sites (incl. Energy Northwest partnership) | Investment and project rights targeting more than 5 GW of advanced nuclear capacity by 2039 |
Where Nuclear Cybersecurity Gets Tested in AI-Era Builds
The table below maps regulatory priorities to the controls advanced reactor and nuclear-to-data-center programs must operationalize. Across programs, the same themes are consistently stressed: early asset scoping, segmentation discipline, controlled remote access, change control under schedule pressure, and audit-ready incident response and recovery.
| Regulatory priority | What to enforce in practice | Why AI-era builds make this harder | Regulatory anchor |
| --- | --- | --- | --- |
| CDA identification and scoping discipline | Identify CDAs early; keep scope stable; treat late reclassification as a controlled change | Digital systems are added continuously during design, commissioning, and vendor integration | 10 CFR 73.54 requires identification of assets to protect; RG 5.71 Rev. 1 emphasizes updated guidance for identifying and protecting critical digital assets, including balance-of-plant |
| Defensive architecture and segmentation | Zones and conduits; strict mediation at trust boundaries; explicit allow-listing of pathways | More third parties, analytics, and reporting increase pressure for “temporary” connectivity | 10 CFR 73.54 requires defense-in-depth; RG 5.71 Rev. 1 clarifies defense-in-depth expectations |
| Remote access as a controlled privilege | Strong identity, MFA, least privilege, time-bound access, audited sessions, contractor controls | Advanced reactor supply chains and commissioning rely heavily on remote vendor access | 10 CFR 73.54 requires protection of systems and trained personnel/contractors; incident response readiness |
| Secure change control | Cyber review before modifications; treat updates and configuration changes as cyber-relevant events | Compressed schedules and ship-date pressure override discipline unless controls are built in | 10 CFR 73.54 requires evaluation of modifications before implementation |
| Incident response and recovery | Detection, response, mitigation, vulnerability correction, and tested restoration plans | New operating models demand resilience under uncertainty and rapid recovery | 10 CFR 73.54 explicitly requires incident response and recovery measures in the Cyber Security Plan |
| Supply chain and third-party risk | Update integrity, provenance, secure development evidence, and contractual access constraints | New reactor ecosystems introduce newer vendors, more software, and more complex dependencies | RG 5.71 Rev. 1 incorporates updated NIST/IAEA guidance and lessons learned from inspections and attacks |
The executive implication is straightforward: cybersecurity cannot be added late. It must be encoded as an architectural property, especially around access pathways, segmentation, and change control, because those are the surfaces that scale with commercialization.
Advanced Reactors, Part 53, and Continuity of the Cyber Baseline
The NRC is developing an optional advanced reactor licensing framework under 10 CFR Part 53. Regardless of which licensing pathway is used, the operational reality remains unchanged: digital systems that can affect safety, security, or emergency preparedness must be protected with rigor.
The cybersecurity discipline embedded in 10 CFR 73.54, RG 5.71, and NEI implementation patterns is precisely what new-build programs should leverage, rather than reinventing under schedule pressure.
Practitioner View: What to Encode in Contracts and Governance
When evaluating “nuclear for AI” deals, one question matters most: do the commercial structures reinforce disciplined interfaces, or do they unintentionally incentivize shortcuts?
Programs aligned with the intent of 73.54 and RG/NEI guidance consistently enforce a few principles:
- No standing connectivity into protected environments
- Remote access that is explicit, time-bounded, auditable, and centrally revocable
- Vendor obligations that include secure update and change-control behaviors
- Telemetry flows that are minimized, mediated, and clearly separated from protected OT environments
These are predictable friction points in digitally modern builds—and the exact places where compliance-grade cybersecurity programs either hold or fail.
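To show what “encoded as an architectural property” looks like at the smallest scale, here is an added example (not code from the post or its authors) that turns the segmentation and remote-access rows of the control table above and the four governance principles just listed into a single decision function for a vendor remote-access session. A grant is honoured only if it is not revoked, has an expiry inside an assumed site limit, is being used inside its approved window, cites a change-control record, and uses a zone-to-zone pathway that is explicitly allow-listed; every decision, allow or deny, is written to an audit record. The zone names, the four-hour limit, the `CR-…` ticket format and all sample grants are constructed for illustration and are not values from 10 CFR 73.54, RG 5.71 or NEI 08-09.

```python
"""Policy check for a vendor remote-access grant into a protected zone.

Constructed example: zone names, MAX_SESSION and the sample grants are
assumptions for illustration, not values from any NRC or NEI document.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed site limit on any single approved access window.
MAX_SESSION = timedelta(hours=4)

# Constructed zone/conduit allow-list. Only these (source, destination) pairs may
# carry traffic, and only with the listed protocols; everything else is denied by
# default, so a "temporary" pathway has to be added here through change control.
ALLOWED_CONDUITS: dict[tuple[str, str], frozenset[str]] = {
    ("vendor_dmz", "engineering"): frozenset({"ssh"}),
    ("engineering", "control"): frozenset({"opc-ua"}),
}


@dataclass(frozen=True)
class AccessGrant:
    """An approved remote-access request; identity is assumed MFA-verified upstream."""
    grant_id: str
    requester: str
    target_cda: str
    source_zone: str
    dest_zone: str
    protocol: str
    not_before: datetime
    expires_at: datetime | None   # None means no expiry, i.e. standing access
    change_ticket: str | None     # reference to the cyber-reviewed change record


def evaluate_grant(grant: AccessGrant, now: datetime, revoked: set[str],
                   audit_log: list[dict]) -> tuple[bool, list[str]]:
    """Decide whether a session may open now; the decision is always logged."""
    reasons: list[str] = []
    # Centrally revocable: the revocation list is consulted first.
    if grant.grant_id in revoked:
        reasons.append("grant has been centrally revoked")
    # No standing connectivity: a grant without an expiry is never honoured.
    if grant.expires_at is None:
        reasons.append("grant has no expiry; standing connectivity is not permitted")
    else:
        if grant.expires_at - grant.not_before > MAX_SESSION:
            reasons.append("approved window exceeds MAX_SESSION")
        if not (grant.not_before <= now < grant.expires_at):
            reasons.append("request falls outside the approved window")
    # Cyber review before modification: the session must cite a change record.
    if not grant.change_ticket:
        reasons.append("no change-control ticket referenced")
    # Explicit allow-listing of pathways: zone pair and protocol must both match.
    permitted = ALLOWED_CONDUITS.get((grant.source_zone, grant.dest_zone), frozenset())
    if grant.protocol not in permitted:
        reasons.append(f"{grant.protocol} from {grant.source_zone} to "
                       f"{grant.dest_zone} is not an allow-listed conduit")
    allowed = not reasons
    # Auditable: who, what, when and why, recorded for allow and deny alike.
    audit_log.append({
        "time": now.isoformat(), "grant_id": grant.grant_id,
        "requester": grant.requester, "target_cda": grant.target_cda,
        "decision": "ALLOW" if allowed else "DENY", "reasons": list(reasons),
    })
    return allowed, reasons


def run_demo() -> tuple[dict[str, bool], list[dict]]:
    """Evaluate constructed grants; returns per-grant decisions and the audit log."""
    t0 = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
    now = t0 + timedelta(minutes=30)

    def grant(gid, dest="engineering", proto="ssh",
              expires=t0 + timedelta(hours=2), ticket="CR-0001"):
        return AccessGrant(gid, "vendor.tech@example", "CDA-PLC-07", "vendor_dmz",
                           dest, proto, t0, expires, ticket)

    grants = [
        grant("G-ok"),                                     # compliant session
        grant("G-standing", expires=None),                 # no expiry
        grant("G-long", expires=t0 + timedelta(hours=8)),  # window too wide
        grant("G-conduit", dest="control"),                # bypasses engineering zone
        grant("G-revoked"),                                # on the revocation list
        grant("G-noticket", ticket=None),                  # no change record
    ]
    revoked = {"G-revoked"}
    audit_log: list[dict] = []
    decisions = {g.grant_id: evaluate_grant(g, now, revoked, audit_log)[0] for g in grants}
    return decisions, audit_log


if __name__ == "__main__":
    for entry in run_demo()[1]:
        print(entry["decision"], entry["grant_id"], "; ".join(entry["reasons"]))
```

Only `G-ok` is allowed; each other grant is denied for exactly the principle it violates, and the audit log holds one entry per request regardless of outcome. In a real deployment the same function would sit in front of the jump host or broker that opens the session, with `ALLOWED_CONDUITS` and the revocation list managed under change control rather than edited in code.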
Coming Next: Turning Guidance Into Enforceable Controls
Part one establishes what “good” must look like under the NRC cyber rule and its accepted guidance. Part two will translate those requirements into practical implementation patterns that advanced reactor and modernization programs can standardize—particularly where schedule pressure and third-party integration tend to create exceptions.
