ML091560441

From kanterella
Use of Encryption Software for Electronic Transmission of Safeguards Information
ML091560441
Person / Time
Issue date: 06/18/2009
From: Craig Erlanger, Integrated Security Coordination and Policy Branch
To: S. Hussain, Nuclear Energy Institute
NRC technical contact: M. Coflin, NSIR/DSP, 415-6659


Text

June 18, 2009

Mr. Saqib Hussain
Security Specialist
Nuclear Energy Institute
1776 I Street NW, Suite 400
Washington, D.C. 20006

SUBJECT: USE OF ENCRYPTION SOFTWARE FOR ELECTRONIC TRANSMISSION OF SAFEGUARDS INFORMATION

Dear Mr. Hussain:

By e-mail dated May 29, 2009, the Nuclear Energy Institute (NEI) requested approval to use Pretty Good Privacy (PGP) Desktop Professional 9.9.1, developed with the PGP Software Developers Kit (SDK) 3.12, for encryption of sensitive unclassified Safeguards Information (SGI). National Institute of Standards and Technology (NIST) Certificate Number 1101 shows that this software development kit complies with Federal Information Processing Standard 140-2, "Security Requirements for Cryptographic Modules" (FIPS 140-2). In a letter dated November 19, 2004, the Commission approved NEI to handle, receive, possess, and store SGI.

The U.S. Nuclear Regulatory Commission (NRC) staff finds the use of PGP Software Corporation Desktop Professional 9.9.1, or newer versions of this encryption software, acceptable for processing and transmitting SGI electronically at your site, provided that:

1. The PGP software has been developed using a software development tool, PGP SDK 3.12, which NIST has validated (Certificate Number 1101) as meeting FIPS 140-2.
2. NIST-validated cryptographic algorithms are used to encrypt data for electronic transmission. These algorithms are listed in the certificate with their algorithm certificate numbers. The NIST website, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm, should be checked to ensure that the cryptographic algorithms selected for encrypting data remain approved by NIST. The NRC approves only those cryptographic algorithms approved by NIST; thus, if NIST withdraws approval of a cryptographic algorithm, the NRC no longer approves its use either.
3. Addressees may replace the current version of an encryption product approved by the NRC with a newer version of that product without prior NRC approval, provided that the addressees document that the newer version is covered by the same FIPS validation certificate as the current version.

Title 10 of the Code of Federal Regulations Section 73.21(g)(3) states, in part,

. . . Safeguards Information shall be transmitted only by protected telecommunication circuits (including facsimile) approved by the NRC.

The Secretary of Commerce has made use of Cryptographic Module Validation Program products mandatory and binding for Federal agencies when a Federal agency determines that cryptography is necessary for protecting sensitive information.

The public key should be named according to the following syntax:

LastName_FirstName_Organization.asc. This naming convention represents the organizational point of contact indicated as owning the key. Please provide the public key for transmitting sensitive, unclassified SGI and the point of contact information (name, telephone number and e-mail address) to the NRC point of contact provided below. All SGI holders must employ an appropriate credentialing process to verify that individuals provided with public keys are legitimate users. Private keys must be controlled as SGI.

The NRC technical point of contact regarding the use of PGP is Monika Coflin, Cyber Security Specialist, Division of Security Policy, who can be reached at (301)415-6659 or via e-mail at monika.coflin@nrc.gov.

If you have any questions, please contact me at (301) 415-5374.

Sincerely,

/RA/ by Mark Resner for/

Craig Erlanger, Branch Chief
Integrated Security Coordination & Policy Branch
Division of Security Policy
Office of Nuclear Security and Incident Response

ADAMS ACCESSION NUMBER: ML091560441
OFFICE: NSIR/DSP NSIR/DSP NSIR/DSP NSIR/DSP
NAME: M.Coflin M.Resner M.Shuaibi M.Shuaibi for/C.Erlanger for/R.Correia
DATE: 6/16/09 6/16/09 6/18/09 6/18/09