Text

September 28, 2018 COMSECY-18-0022 MEMORANDUM TO: Chairman Svinicki PLEASE RESPOND BY:

Commissioner Baran October 16, 2018 Commissioner Burns Commissioner Caputo Commissioner Wright FROM: Margaret M. Doane /RA/

Executive Director for Operations

SUBJECT:

CONTROLLED UNCLASSIFIED INFORMATION RULEMAKING The purpose of this paper is to request Commission approval to develop a rulemaking to revise the U.S. Nuclear Regulatory Commissions (NRCs) regulations as a part of the agencys transition to a controlled unclassified information (CUI) program. Title 32 of the Code of Federal Regulations (32 CFR) Part 2002, Controlled Unclassified Information (CUI) (CUI Rule),

requires that each Executive Branch agency, including the NRC, establish a CUI Program and associated policies that are consistent with the requirements of the CUI Rule. Therefore, the staff anticipates that, in fiscal year (FY) 2020, the NRC will replace the Sensitive Unclassified Non-Safeguards Information (SUNSI) program with the agencys new CUI Program that will also include, within its scope, Safeguards Information (SGI) and SGIModified Handling. In connection with the requirement to establish implementing policies consistent with the CUI Rule, the staff has identified two categories of changes to NRC regulations that are needed to implement the CUI Program, as described further below.

In November 2010, the President issued Executive Order 13556, Controlled Unclassified Information, to establish an open and uniform program for managing information that requires safeguarding or dissemination controls. On September 14, 2016, the National Archives and Records Administration (NARA) published 32 CFR Part 2002 in the Federal Register (81 FR 63323).

The CUI Rule went into effect on November 14, 2016, and established requirements for CUI designation, safeguarding, dissemination, marking, decontrolling, destruction, incident management, self-inspection, and oversight across the Executive Branch.

In SECY-18-0035, Update on Development of the Controlled Unclassified Information Program, dated March 8, 2018 (Agencywide Documents Access and Management System Accession Number ML18065B107), the staff informed the Commission of the staffs approach to implement 32 CFR Part 2002. That paper stated that the staff was assessing how the agency would need to revise its regulations as a result of the transition to the CUI Program. Based upon the results of the assessment, the staff has identified two categories of revisions.

CONTACT: Tanya Mensah, OCIO/GEMS (301) 415-3610

The Commissioners 2 First, some NRC regulations use the term sensitive unclassified non-safeguards information or SUNSI when referring to NRC information that would fall within the scope of the CUI Program.

Accordingly, nomenclature changes (i.e., replacing these references with controlled unclassified information or CUI) would be necessary once the CUI Program is otherwise implemented at the NRC to reflect the replacement of the SUNSI program with the CUI Program. Examples include, but are not limited to, 10 CFR 2.307, Extension and reduction of time limits; delegated authority to order use of procedures for access by potential parties to certain sensitive unclassified information, and 10 CFR 2.311, Interlocutory review of rulings on requests for hearings/petitions to intervene, selection of hearing procedures, and requests by potential parties for access to sensitive unclassified non-safeguards information and safeguards information.

The second category includes NRC regulations that would appear to create substantive problems if not revised when the CUI Program is implemented. For example, 10 CFR 2.390, Public inspections, exemptions, requests for withholding, currently instructs persons submitting documents to the NRC to mark them in a certain manner when requesting that the agency withhold those documents from public disclosure. This marking instruction is not consistent with CUI requirements for banner markings. Thus, unless revised, the regulation would instruct submitters to apply control markings to documents when submitting them to the NRC that the NRC would be required to replace immediately with different control markings, even if the NRC agrees entirely with the submitters request to control the information and the cited basis to do so. As another example, the regulations in 10 CFR Part 73, Physical Protection of Plants and Materials, currently mandate markings for SGI and SGIModified Handling that do not comply with CUI requirements, which could result in a conflict between the NRCs regulations and the CUI Rule as to how certain SGI must be marked. 1 The staff intends that any revisions to the substance of regulations such as these would be limited in scope, aimed solely at ensuring proper implementation at the NRC of the Government-wide CUI program.

The NRC staff proposes to perform this update via a standard notice and comment rulemaking, in conjunction with its broader CUI implementation effort. The staff will not issue a final rule updating NRC regulations for CUI purposes until the NRCs CUI Program is effective and in place. Following the publication of a final CUI Policy Statement, the staff expects to publish the proposed rule for public comment in FY 2020. The staff expects to submit the draft final rule to the Commission in FY 2021.

Because the contents of the rule are not explicitly mandated by statute, the NRC staff is submitting this paper for Commission approval prior to beginning this rulemaking consistent with recent Commission direction in SRM-COMSECY-17-0002, Rulemakings Mandated by Statute or Implementing U.S. Government Policy on Export Licensing Controls, to submit a short 1 See 10 CFR 73.22(d)(4) and 10 CFR 73.23(d)(4). SGI is a type of CUI Specified information, meaning that the NRC is not required by the CUI Rule to amend any substantive handling requirements in agency regulations that protect SGI from unauthorized disclosure (e.g., requirements for protection while in transit or in storage, or acceptable methods of transmission or destruction). Such requirements remain within the discretion of the Commission under Section 147 of the Atomic Energy Act, as amended. Thus, even after the NRC transitions to its CUI Program, the applicable controls for SGI will remain those codified in 10 CFR Part 73. However, CUI marking requirements do apply to all CUI, even CUI Specified information like SGI, meaning that any SGI that the NRC creates, possesses, or shares with external entities will have to be marked in accordance with the CUI Rule. SGI that a licensee possesses and that the licensee generated itself about its own licensed facility would not have to be marked according to the CUI Rule (because the CUI Rule does not apply to a private entitys own information in that private entitys own possession). Consistent with the discussion of 10 CFR 2.390 above, the NRC staff plans to consider whether it makes sense to codify CUI marking requirements into 10 CFR Part 73 so that 10 CFR Part 73 does not direct licensees to apply a different set of SGI markings than would be applied to the exact same information if received from the NRC or maintained within the NRCs possession. This rulemaking effort will also need to ensure, at minimum, that the NRCs SGI regulations do not require non-CUI-compliant markings for information that does fall within the CUI Programs scope, such as SGI that the NRC generates and then shares with a licensee under a CUI information-sharing agreement.

The Commissioners 3 paper seeking Commission approval to proceed with a rulemaking on matters involving the exercise of minor levels of discretion.

The CUI rulemaking is planned to begin in the first quarter of FY 2019. The FY 2019 budget request does not include resources for this rulemaking effort. Resources would be reallocated from lower priority work within the appropriate business lines. The staff would prioritize this activity in a manner consistent with the current Common Prioritization of Rulemaking process and relative to the priorities associated with other business line work. Resources required beyond FY 2019 will be addressed during the planning, budgeting, and performance management process.

The staff requests Commission approval to commence a rulemaking to address the Executive Order and NARA regulations on the scope defined in this paper.

SECY please track.

cc: SECY OGC OCA OPA OCFO NRR NRO NSIR NMSS OE ADM RGN I RGN II RGN III RGN IV

The Commissioners 4

SUBJECT:

CONTROLLED UNCLASSIFIED INFORMATION RULEMAKING.

DATED: SEPTEMBER 28, 2018 DISTRIBUTION:

RidsEdoMailCenter RidsOcfoMailCenter RidsNrrOd Resource RidsNmssOd RidsOgcMailCenter RidsNroOd Resource RidsOcaMailCenter RidsOpaMail RidsNsirOd Resource RidsOcio RidsSecyMailCenter RidsNmssOd Resource RidsOeMailCenter Resource RidsRgn1MailCenter Resource RidsRgn2MailCenter Resource RidsRgn3MailCenter Resource RidsRgn4MailCenter Resource RidsAdmMailCenter Resource ADAMS Accession Number: ML18234A047 *via email OFFICE OCIO/GEMS QTE OCIO/GEMS OCIO/GEMS NAME TMensah* JDougherty* JFeibus* JMoses*

DATE 08/23/18 08/27/18 09/05/18 09/06/18 OFFICE NMSS/DRM/RASB OCIO OGC EDO NAME CBladey* SFlanders JAdler* MDoane DATE 09/12/18 09/18/18 09/20/18 09/28/18 OFFICIAL RECORD COPY