ML20072H953

Transcript of Controlled Unclassified Information (CUI) Public Meeting March 5, 2020, Pages 1-91
Issue date: 03/05/2020
From: Tanya Mensah, Governance & Enterprise Management Services Division
To:
Tanya Mensah, 301-415-3610
Shared Package: ML20062F082
References: NRC-0841


Text

Official Transcript of Proceedings

NUCLEAR REGULATORY COMMISSION

Title: Controlled Unclassified Information (CUI) Public Meeting

Docket Number: (n/a)

Location: Rockville, Maryland

Date: Thursday, March 5, 2020

Work Order No.: NRC-0841

Pages 1-91

NEAL R. GROSS AND CO., INC.
Court Reporters and Transcribers
1323 Rhode Island Avenue, N.W.
Washington, D.C. 20005
(202) 234-4433

UNITED STATES OF AMERICA

NUCLEAR REGULATORY COMMISSION

+ + + + +

PUBLIC MEETING ON CONTROLLED UNCLASSIFIED INFORMATION (CUI)

+ + + + +

THURSDAY, MARCH 5, 2020

+ + + + +

ROCKVILLE, MARYLAND

+ + + + +

The Commission met at the Nuclear Regulatory Commission, Three White Flint North, 11601 Landsdown Street, at 2:00 p.m., Tanya Mensah, Project Manager, presiding.

NRC STAFF:

TANYA MENSAH, CUI Project Manager

JAMES ADLER, Office of General Counsel

PAUL GOLDBERG, Office of Nuclear Material Safety and Safeguards

KATHY LYONS-BURKE, Senior Level Scientist

JOHN MOSES, CUI Senior Agency Official, Office of the Chief Information Officer

ALSO PRESENT:

DEVIN CASEY, Information Security Oversight Office, National Archives and Records Administration

PATRICK ASENDORF, Tennessee Valley Authority

DAVE GALLOT, Exelon

RYAN LIGHTY, Morgan Lewis

STEVE MEYER, STARS Alliance

MAGGIE STAIGER, NEI

C. GIBB VINSON, Illinois Emergency Management Agency

CONTENTS

Opening Remarks and Introduction

    Tanya Mensah

    John Moses

    Maggie Staiger

NRC Implementation Plans

Questions/Opportunity for Comment

Industry Implementation Plans, NEI

Question & Comment Period

Closing Remarks, NRC

Adjourn

P-R-O-C-E-E-D-I-N-G-S

2:01 p.m.

MS. MENSAH: Good afternoon. This is Tanya Mensah with the Nuclear Regulatory Commission. We're going to start our meeting now. It's 2:00 p.m.

Just want to thank everybody for your time and for coming out to the meeting today. We'd like to welcome you to this public meeting for an important topic. To discuss the NRC's Controlled Unclassified Information Program, or CUI for short.

Our meeting is scheduled for two hours. Before we get started, I'd like to quickly just go over a few meeting logistics.

For those in the room, in regards to getting around the building, you have unrestricted access to the lobby, where you came in, and the restrooms, which are located in the lobby as well.

If we're asked to evacuate the building, please exit calmly and follow the direction of the NRC staff and security.

Sign-in sheets are by the entrance of the door, on the table with other meeting handouts.

Today's meeting is a Category 2 public meeting. The public is invited to participate in those meetings by discussing issues with the NRC, at designed points identified on the agenda.

The general agenda for this meeting is for slide presentation followed by focused Q&As. So please hold your questions until that part of the meeting.

For people in the room, we ask that you please mute or place your phone on vibrate. We have today with us a court reporter, Dylan, to transcribe the meeting.

To get a clean transcript, we need to have only one speaker at a time with no interruptions. When you want to speak during the time when we're opening it up for questions and answers, you'll need to raise your hand, and I'll bring you a handheld mic. And you'll need to state your name and affiliation for the record, even if you've spoken before.

Participants on the phone line will be participating through our external operator who will manage the bridge line.

The NRC meeting slides for this meeting and other references are included in the public meeting notice to facilitate your participation.

At this time I'd like to ask the Operator to please explain how callers should let you know they have a comment.

THE OPERATOR: Sure. If you'd like to make a comment or if you have a question, please press *1. Please remember to unmute your phone and record your name clearly when prompted.

If you'd like to withdraw that question or comment, you may press *2. Thank you.

MS. MENSAH: Thank you. In addition, for those on the phone, I'd appreciate it if you could email your name and contact information to me, Tanya Mensah, so that I can include your name in the meeting summary. My email address, which is tanya.mensah@nrc.gov, is located on the public meeting notice.

If at any time you can't hear, please let our Operator know and we'll do our best to address the problem.

When you make a comment, please start by giving us your name and your affiliation. And please speak clearly and with volume directly into your receiver.

Today we have with us John Moses, the NRC CUI Senior Agency Official from the NRC's Office of Chief Information Officer. At this time, I would like to turn the meeting over to John for a few opening remarks.

MR. MOSES: Good afternoon, everyone. On behalf of NRC I want to thank you all for taking the time to attend and join us in this session. We look forward to your insights, questions and concerns, so we can make sure that we implement CUI effectively and as efficiently as possible.

This is part of our ongoing dialogue with stakeholders. This is our second public meeting. We also have held other meetings with stakeholders in small and large sessions, whether in person or on the phone, and we're going to continue to engage you.

I'd like to share some background on CUI. The CUI program was established on November 4th, 2010 under Executive Order 13556.

And the purpose of the CUI program is to standardize the way federal agencies handle unclassified information that requires protection, and to promote information sharing among federal agencies and stakeholders, including states, tribes, industry, academia, licensees and vendors.

The executive order also designates an executive agent, the National Archives and Records Administration. We have representatives from the executive agent here to join us in this meeting.

On September 14th in 2016 the National Archives and Records Administration promulgated a rulemaking, 32 CFR 2002 to implement the Controlled Unclassified Information Program.

The rule establishes a policy for designating, handling, controlling, and decontrolling Controlled Unclassified Information, or CUI. Specifically, the rule describes minimum protections for physical and electronic environments of CUI marking, sharing, and destruction.

Now, I'd like to share the NRC's approach to CUI. NRC's critical goal is to minimize the impact of the transition to CUI for the NRC and for our external stakeholders while ensuring compliance.

In many cases, the implementation of CUI offers several approaches to compliance. We would welcome your perspective on those different approaches.

For instance, entering into a sharing agreement could be implemented at an organizational level, such as a large company. Sharing agreements also could be put in place during transactions, every time information is exchanged.

In another instance, different formats of information, whether paper or electronic, require different methods of protection.

If you have any preferences on any of these or concerns, please share those with us at this session today, or thereafter. Your comments, questions, and recommendations would be particularly welcome.

The NRC CUI program is under development, and we're several years away from completing the implementation of CUI. We made a tremendous amount of progress, teasing out possible solutions to challenging or vexing issues that we're uncovering. We look forward to hearing from you and your perspectives on those challenges.

Our plan today is to highlight some of NRC's key implementation activities. In addition, we'd like to address some of the questions raised by industry and stakeholders during the July 25th meeting.

We hope to provide you with the status of where we are in terms of considering those issues and how NRC could benefit from further stakeholder perspectives and we continue to implement and proceeding in the program.

In light of the fact that some of the aspects of the CUI program are still being developed, we may not be able to answer all of your questions at this time. However, please ask those questions. Don't shy away, we'd like to hear from you. We'll take notes and consider your views as we continue to implement CUI.

Our perspective is we want to understand what your concerns or questions or recommendations are because that's going to positively feedback into how we can implement the CUI Program in the most efficient and effective way.

Following this meeting, we will evaluate your comments, questions and recommendations. We'll also consider those points when we convene additional public meetings.

Before we begin, I'd just like to introduce some of our meeting participants. To my immediate left, for those of you on the phone you can't see him, is Mr. Devin Casey from the Information Security Oversight Office, ISOO, at the National Archives and Records Administration. ISOO is the organizational unit at the National Archives that serves as the executive agent for the CUI Program.

Mr. Casey has the lead to oversee federal agency implementation and we invited as a guest to observe our meeting. Please join me in welcoming Devin and his other colleagues for attending the meeting.

(Applause.)

MR. MOSES: Before we proceed with our formal presentation, I'd like to welcome Maggie Staiger from the Nuclear Energy Institute for a few minutes to present some remarks. Maggie?

MS. STAIGER: Thank you, John. This is Maggie Staiger with NEI.

I just want to reach out and thank Tanya and the NRC for hosting us and allowing this continued conversation that we've been having. This has been very helpful with informing the industry on what we can expect going forward.

And again, NEI would like to thank NARA for its attendance and the recent release of the NDA. That's very helpful. We're looking forward to looking into it more. And we look forward to a good conversation. Thank you.

MR. MOSES: Thank you.

MS. MENSAH: Okay, this is Tanya Mensah. At this time, we're going to begin the NRC's formal presentation.

If you are on the phone, again, the public meeting presentation slides were available on the public meeting notice. You'll see two attachments, well, three actually. One's the meeting notice itself, then there is the public meeting presentation slides, and then there is also another handout, which is the draft NARA non-disclosure agreement.

Okay. So, as John pointed out, the purpose of today is to continue our discussions between the NRC Staff and Industry Representatives on issues related to the NRC's plans to implement a Controlled Unclassified Information Program.

Slide 3. Our agenda for today is that I will present and then we'll have, that will be followed by question and comments. And then we'll take a quick break.

And then NEI will then present. And then we'll just have a dialogue on the discussion topics of interest. And then we will conclude our meeting after having another period there for questions and comments.

Slide 4. So, John Moses provided a really good background of the CUI rule. As a refresher, the next four to five slides are a high-level overview of what we discussed during our first CUI public meeting, which was held on July 25th, 2019.

So what is CUI. CUI is an information security reform. It standardizes the way the federal government handles information that is not classified or restricted data but requires protection.

It replaces more than 100 different agency policies and associated markings with one shared CUI policy and a standardization markings for federal executive branch agencies. And it directly applies to executive branch agencies that designate or handle CUI. And indirectly applies through written agreements or arrangements to non-executive branch recipients of CUI.

And so when we talk about non-executive branch recipients for the NRC, that normally means our licensees, agreement states, applicants, vendors. Those that we expect to share CUI with once we transition.

And there is a footnote offered on the page as well, on non-executive branch entities. Also may include elements of the legislative or judicial branches of the federal government, state, interstate, tribal or local government elements and private organizations.

They do not include foreign entities. Nor does it include individuals or organizations when they receive CUI pursuant to federal disclosure laws. Include the Freedom of Information Act and the Privacy Act.

Slide 5. The CUI program addresses how executive branch agencies handle and share information for agency business purposes. It does not affect public rights to information under the Freedom of Information Act or the Privacy Act. And it does not require agencies to change their policies on public release of information to the general public.

Slide 6. Slide Number 6 summarizes the CUI rule requirements for agencies when sharing CUI. And we're going to discuss this further, but in summary it states that agencies are required to enter into written agreements or arrangements in which the recipient agrees to protect the information in accordance with the CUI rule.

The agreement can take any form. And if an agreement with a particular non-executive branch entity is not feasible, but the agency's mission requires it to disseminate CUI to that entity, the agency must strongly encourage the recipient to protect the CUI in accordance with the rule.

Slide 7. Slide 7 just reiterates some of the key messages that we discussed when we met in July of last year at our first public meeting.

In general, CUI includes only information that the government creates or possesses or that an entity creates or possesses on behalf of the government.

Non-executive branch entities only have to apply CUI controls to information received from the federal government pursuant to a written agreement or arrangement. The NRC has not yet determined the nature and type of these agreements or arrangements.

Once the NRC transitions to CUI, we will no longer be using official use only designations, if you're familiar with our, what we call our SUNSI program. And I'll talk about that in a minute.

But in general, the majority of sensitive unclassified information that's currently shared by the NRC with non-executive branch entities, as official use, would qualify as CUI and would be marked, said with CUI compliant markings.

The CUI rule doesn't replace or supersede other laws, regulations or government-wide policies, which may impose their own controlled requirements. One of the examples that NRC is most familiar with here is Part 73, which is for the physical protection of plants and materials, the controls for our safeguards information.

And non-executive branch entities will continue to comply with the markings that are specified in NRC regulations. So examples include 10 CFR 2.390, and of course Part 73.

If you're already familiar with these regulations you know that there are specific instructions in them for how you have to mark the document when you're submitting them. Those requirements are not changing. We're not pursuing a rulemaking to change those requirements.

Slide 8. We also talked about, in July, NIST Special Publication 800-171. This is a reference that is incorporated into the CUI rule by reference. And agencies must prescribe, at a minimum, the requirements of this standard when sharing electronic CUI with non-executive branch entities that are not operating an information system on behalf of the agency.

So, most non-executive agencies, I mean entities, you'd be using your own information system, which would be considered non-federal. Which is why the NIST 800-171 standard is there. That's what you would be required to follow so that we can share CUI with you.

As I was finalizing the meeting slides for this public meeting, I became aware that NIST 800-171 was recently revised. My understanding is that the changes are editorial, they're minimal. And so I just provided some bullets there in reference in case you're interested in looking at that in more detail.

Slide Number 9. So, in general, our transition goals for CUI at the NRC are that we're going to replace the NRC's current program, which we refer to as sensitive unclassified non-safeguards information.

Under that program we protect things like proprietary, security related, allegations, investigations and other things. Export controlled information as well.

It will also include SGI and SGI-modified handling because under CUI these are information types that are identified as what they refer to as CUI specified. So if you're not familiar with the two types of CUI, there are two subsets. One is CUI basic, the other is CUI specified.

And so all that basically refers to is that all CUI is, are information types that are based upon existing laws, regulations and government-wide policies.

And so, those policies or laws or regulations permit or require agencies to protect that information. And so, for CUI basic it may not provide details as far as how do you protect it, and so the default is 32 CFR, which is the CUI rule. So you protect CUI basic at the default.

For CUI specified, there is usually a law, regulation or government-wide policy that already requires specific controls in terms of how you handle it or how you disseminate it. And so, you apply the controls that are required through the law of regulation.

During our transition to the CUI program, all elements of our SUNSI program will remain in place. And if NRC employees or contractors receive CUI before the implementation of the CUI program at the agency, they'll follow the agency's current guidance to protect sensitive information.

Slide Number 10. So Slide Number 10 just outlines some of the key implementation tasks. This is a very simplified schedule. But we wanted to just highlight some of the key tasks that we are working towards.

In general, our timeline is that we expect the transition. We're planning the transition by December 2021. This is an estimate that is subject to change.

And the reason why it's subject to change is because there are different ways that you can meet the CUI rule requirements.

And so we are still evaluating at a working group level, within the NRC, the different options so that we can not only comply with the rule requirements but also so that we can minimize the impact of the transition on the NRC staff, as well as our NRC staff, NRC external stakeholders.

And so, as we learn more and as we work with NARA and we learn from other agencies, the potential exists for us to continue these evaluations so that we can continue to move towards the goal.

So that's why we're having these public discussions because we want to keep people aware of our current goal. But we also want to let you know that things can change, and we plan to communicate those changes as we become aware of them.

Some of the key tasks include, and these are all described in SECY-18-0035, which is publicly available. Some of the key tasks include the first, meaning publishing our CUI policy statement, proceeding with the CUI rulemaking.

And so, this is an administrative rule to align nomenclature. There are some references or some places in NRC regulations where we've identified references to SUNSI and sensitive unclassified information.

So we won't have a SUNSI program once we transition to CUI, so we're just adjusting that nomenclature so that we can remove it from the regulation. So it is anticipated to be an administrative rule.

We also have a management directive that's being revised. This will provide guidance to NRC staff and our contractors in terms of how to implement the CUI rule requirements.

We have, to develop CUI training for NRC staff and contractors, update our internal guidance and our office procedures. So it's like a trickle-down effect. So we're starting at the highest level.

But as you can imagine, we have a lot of internal documents that also reference our SUNSI program. So all of those will also eventually have to be updated.

And we also have the goal to establish written agreements, or arrangements, to then deploy CUI training for NRC staff and contractors and to inform the staff, as well as internal, external stakeholders of our milestones to transition to CUI.

And the link to all of these references are at the bottom of the slide in case you need to locate them.

Slide Number 11. This is just to show some of the forms that we participated in to raise awareness of CUI. Our public meeting that we referenced before. There is an ADAMS accession number as well for those if you want to take a look at the meeting summary from that.

A lot of the issues from that meeting were just continuing our discussion today, to talk about where we are in terms of our status.

We've also participated in the regulatory issue taskforce public meeting that NRR leads. Those are quarterly.

And then we recently participated in the monthly status call with the agreement states to provide them with an update on where we are with CUI. And also, to encourage them to participate in these forums so that we can also have their feedback.

And then of course there is our CUI public website for the NRC. It provides general information on the NRC's transition plans and informs NRC stakeholders of any public meetings.

And also provides contact information for John Moses, who is the CUI senior agency official for the NRC.

Slide Number 12. So, before we go into this slide I just wanted to explain, for those who are not familiar, what the working group is.

Throughout our agency we have different program offices and regional offices, and so the working group has been in existence for some time. But there are representatives from the NRC program offices, including our regional offices, who participate.

We have meetings every other week to talk about some of the issues that we're going to go through today, in today's public meeting. But our goal is focused on implementing the CUI program in the NRC while minimizing burden where feasible, to our staff as well as to external stakeholders.

We also have, above that, a steering committee. So, the steering committee are typically deputy officer directors. And also our deputy regional administrator.

And so, what we do is we bring issues before the steering committee and they weigh in on recommendations to help us develop the agency's policy for CUI.

So, some of the issues that were raised during our July public meeting are listed here. And most of them focus on written agreements or arrangements, how do we plan to share CUI, what type of documents do we plan to share.

Once you receive CUI from the NRC can you then share it with another third-party? So we'll talk about that.

Will the non-executive branch entities be required to handle NRC documents that contain like your information as CUI. And also questions about NIST 800-171 and the NRC's inspection plans for that.

And so, the following slides are intended to convey the working group's progress. These are not NRC official positions.

We still have a lot of work to do but what we're trying to do is share what we are thinking as we are going through the process so that we receive the benefit of stakeholder feedback while we're developing it. We don't want to wait to get to the end and then say we're done without making sure that we've had these, this dialogue.

Slide Number 13. So, we talked about the requirements for written agreements or arrangements. The second bullet there I included a link to the CUI, narrowed CUI policy and guidance.

And so, NARA issues guidance for agencies to help us implement the CUI program, and they're referred to as CUI notices. They are publicly available. You can go to that link and you can see all of the guidance and policy that NARA has issued for agencies to follow.

They also have a couple that the working group has concerned, or are concurrently considering. The first is CUI Notice 2018-01.

This is guidance that NARA developed for drafting agreements with non-executive branch entities involving CUI. And also, there is a draft CUI notice that they are currently working on that is not finalized yet.

And so, for this meeting NARA was aware that we wanted to start facilitating some dialogue around what a written agreement might intentionally look like. And so they permitted us to make their draft publicly available for this meeting.

My understanding is that that draft will be finalized, or is expected to be finalized, towards the end of March, perhaps early April time frame. But when it is, it will be available on NARA's CUI notices on this website link. And so you can go there any time to check to see like, has it been published yet.

If you look at the other handout that I provided, that is the draft template that NARA proposed for agencies to use as an agreement to establish a non-disclosure agreement. So we'll talk a little bit about that when we're having our open discussion, but I just wanted to point everybody to that.

Hopefully you've had an opportunity to glance through it and think about the format and look at the actual language so that, one, we can receive some comments on it today. Or feedback.

Right now our path forward for establishing written agreements, or arrangements, is that the working group wants to review the final NDA once it is published so that we can consider it and make recommendations about its use to our steering committee here at the NRC.

We want to hold further discussions with NRC external stakeholders so that we can gain alignment on the format, template and timing of establishing agreements. And we also want to continue, plan to continue to coordinate with NARA and other agencies to focus on developing what we refer to as a standard multi-agency agreement with external parties.

And so what that means, that last bullet, is that we're aware that many of the NRC's external stakeholders, licensees, as being one example that you probably will be receiving CUI from multiple agencies.

And as a result of that, there was a recommendation during our July public meeting that it would be perhaps more efficient, less burdensome upon you, if you were able to sign one agreement that applied or covered multiple agencies that you interact with.

And so we're going to talk about that a little later, but that's something that we know would minimize the burden of having to sign written agreements with our stakeholders, so.

Page 14. In terms of sharing CUI with non-executive branch entities, there are several approaches that are under consideration by the working group.

The first was to develop some type of online NRC portal where a user could log in to the NRC portal and be able to view information that is disseminated in terms of CUI. And that would be so that the user doesn't actually have to take possession of the document. By that we mean that we don't have to send it to you, it's not on your systems, which would be considered non-federal assistance.

We received feedback at the last public meeting that being able to view only may not address everyone's needs and that there may, you may need to have an option to download the document. And so we can talk about that further, but we are aware of that feedback.

I think that our understanding is that if you have to take possession of it, if it's on your non-federal system, then that's when you have the requirements for 800-171 apply.

The other option, and you might have to pursue multiple approaches, but the other one was to incorporate a written agreement as terms and conditions that have to be accepted. Similar to like some type of click and sign.

So, before the recipient can access CUI documents that are disseminated, they have to check and acknowledge that, yes, I read the terms and conditions, I agree to them. And then they'd be able to access that system.

Some of the feedback that we've received so far, at the last public meeting was that that's a really good idea, but it would also help to have that standardized across the government where multiple agencies have similar approach. Because it may not really be of much benefit to you, as a recipient, if the NRC is the only one trying to alleviate that burden on you.

So our current path forward is that we are just continuing to explore different options for sharing CUI with non-executive branch entities. And we're looking for feedback on that if you have any thoughts about that today as well.

Slide 15. So this is just a table, just to show a high-level general path forward to establishing written agreements or arrangements.

What it shows, the first two items in the first two rows show things that we think we're currently trying to achieve, which is to identify NRC stakeholders. Make sure that we're reaching out to them and making everybody aware of CUI and of the requirement, in particular, for us to establish written agreements.

And so, trying to have more, enhance our awareness communication on this topic. And also to gather feedback.

Future steps show that we look to develop some type of general agreement. Based upon the stakeholder there may be a need, however, for us to consider other approaches. For specific or unique approaches that are most beneficial or efficient for specific stakeholders.

And so we do recognize that a general standard agreement may not work for everybody. And so, again, we're looking for comments and feedback on that.

The next step, once we have some type of agreement, is to share the agreement. And then there might be, again, some case-by-case edits that we need to make based on who that entity is. And then design the agreements prior to the NRC's CUI implementation date.

Slide 16. So these are just some examples of NRC documents that may transmit CUI. This is not an all-inclusive list, the wall of the NRC's documents.

But just some of the ones that the working group put together to start to think about, well, what type of, how can we bend these types of documents, what type of CUI do we expect to share, which ones are purely NRC generated documents that will be CUI that we will need to share, and which ones also might be documents that we're developing that but the input for those documents is based upon your information that you might provide to the NRC.

And so that leads us directly into Slide 17. The working group, so far, has identified two primary bins of information.

The first is that we could be providing you with a document that qualifies as CUI. But that document, and that document does not include any information that belongs to whoever we're disseminating it to, so the recipient.

And so examples of that would include NRC research reports, technical reports, security advisories, information assessment team advisories and so, for these reports we typically don't go out and ask, like for example, licensees to send us something or take information that's based upon what you're doing and what you have that you own. That you own.

And we're not sending that back to you. So that's the first bin that we identified.

The second was that we are developing a document and we're transmitting to you. It qualifies as CUI but the majority of information in there is information that the NRC, that was provided by the recipient.

So, examples of that include safety evaluations, the request for additional information, inspection reports.

And so, for these, some of the things that we're trying to consider is if, we think there are these two primary bins, then how do we distinguish when we transmit the document to you, that this is purely NRC generated CUI. You're going to be required to protect it in accordance with the CUI rule, in accordance with your written agreement. Per the terms of your written agreement.

Or if this is, for example, a safety evaluation, and it's your information, when we send the document to you, or transmit it, it may still have the CUI markings on the document. But we might have to include a transmittal letter to explain that while the information was with the NRC, we were required to protect it and handle it as CUI. When we return it back to you, it's your information, you can do what you want with it.

But just to be able to clarify that, so you don't have to guess, so our inspectors don't have to guess when they're out there looking at documents. And so, these are some of the thoughts we have discussed. And that we currently are pursuing.

So our current path forward is that, again, we want to have additional discussion on this in the public forum that we have now.

And then we also make sure that we haven't missed any type of other unique scenarios, other than these two general groupings that we've initially identified.

Slide 18. So this was a question that came up during the last public meeting. And we followed up with NARA, and so they gave us some clarification that we planned to share now.

So when you receive CUI from the NRC, or any agency, if you have to then share it with a third-party. Local emergency responders, law enforcement or other non-executive branch entities.

Do you, yourself, as the recipient, need to then create a written agreement with whoever you're going to share it with. And the answer was no, the requirement is for agencies to establish the written agreements.

Now, one of the, three of the things that NARA shared with us is that unless the NRC applies a limited dissemination marking to the document, or otherwise restricts dissemination in the written agreement, then the recipient would be able to share the CUI document with a third-party who has a lawful government purpose to that information.

The CUI markings must remain on the document, of course, when they're shared by the recipient and the third-party so that this third-party is aware of this CUI status and is aware of the need to protect the information in accordance with the CUI rule. And any other applicable laws, regulations or government-wide policies.

And that if the NRC applies a limited dissemination marking that restricts access only to the recipient. And that might be because there are certain laws that require us to do so, then the recipient would not be permitted to share the document with a third-party.

And so there are a list of NARA approved limited dissemination markings on their CUI registry. The CUI registry is maintained by NARA. It's online, it's public.

It basically explains and shows what agencies are required to protect. This is the system that allows all the markings across the executive branch to be standardized.

And so, on that registry you can also see the limited dissemination markings that are approved for agency use.

Slide 19. And so another topic that was raised during our last public meeting that we agreed to continue to follow this and discuss this because we know that we're going to probably need to have some separate discussions. Public meetings where this is just the primary focus, as far as it being this 800-171.

But there were questions about, what is the NRC planning to do as far as inspections, are we required to inspect against the NIST 800-171 and what will that look like.

And so, at that time we shared that we had not started down the path of looking at those issues yet. We are now engaging with NARA, and we also are just starting that process.

And so, what we are aware of are the requirements. The agencies, as we talked about, must prescribe the requirements of 800-171, when we're sharing electronic CUI.

And then also, we know that agencies must use 800-171A, which is assessing security requirements for controlled unclassified information, so that we would use that to assess for compliance.

Our understanding is that, as contracts and written agreements are established and/or modified to reflect CUI requirements, that it would be appropriate for agencies to establish a reasonable deadline for non-executive branch entities to comply with NIST 800-171.

Our understanding is also that agencies have flexibility in determining the frequency of inspections for non-executive branch entities. And so NARA CUI Notice 2019-04, which is titled, Oversight of the Controlled Unclassified Information Program within Private Sector Entities, provides guidance to agencies.

And we're aware that agencies should be looking to perform some type of selective validation based on the type of CUI, the quantity or the mission related to the CUI that's handled by the non-executive branch entity.

And so as a path forward, this is a topic that our working group needs to further consider, and our steering committee as well. We plan the whole future topics on this discussion at a future time once we feel like we have information of a path forward that we can propose and discuss with the public and our stakeholders.

Okay, so in summary. Again, our plans are, in terms of the biggest impacts to our external stakeholders we'd like to make sure we're focusing on establishing a path forward on written agreements between the NRC and non-executive branch entities.

We want to continue to coordinate with NARA and other federal agencies as the NRC develops its CUI program.

And we want to continue to engage and seek feedback from NRC external stakeholders on a periodic basis on these topics.

So that concludes my presentation for now. And what I'd like to is, I think we're on schedule, we're going to, we'd like to have dialogue and then provide opportunities for questions and comments.

So I may not be the only one answering questions. So as you have questions, we'll figure out who the most appropriate individual is to respond.

At this time, let's have questions or comments first in the room. If you have a comment or a question I'm going to need you to raise your hand so we can get you the handheld mic. That way you can be recorded by the court reporter.

And then we're going to, I'm going to ask the Operator to please queue the lines for questions and comments so that we can go to the phones in a moment.

So, are there any questions here in the conference room?

MS. STAIGER: Yes, Tanya.

(Off record comments.)

MS. MENSAH: And you're also welcome to come to the podium as well.

(Off record comments.)

MS. STAIGER: Yes, thank you, Tanya. This is Maggie Staiger. Yes, this is Maggie Staiger with NEI.

Thank you, Tanya, for this presentation, this is very informative. We truly appreciate the efforts that the working group is putting in to answering our questions from this summer. There's a lot of good information in here.

I believe you indicated that the NRC is no longer going to be pursuing rulemaking for Part 73. Do you anticipate any rulemaking changes that would impact the licensees or do you think the rulemaking that you'll be pursuing will solely impact the NRC based on nomenclature, as you mentioned?

MS. MENSAH: So, this is Tanya Mensah. At this time we don't see any impact on licensees. We are not, initially, if you look at the SECY-18-0035, I think there may have been some language in there that initially the staff thought that we might need to change requirements in Part 73 to require you, as a non-executive branch entity, to use CUI markings.

But if you go back to some of the definitions of CUI, meaning that is being your own information, there was a lot of talk internally about, well, it's your information, you're not required to mark your own information as CUI or handle your own information as CUI.

And so our decision was that you would leave the regulation intact. I mean, there could be, if there were future rulemaking changes to Part 73, it could be beyond Part 73, but whatever Part 73 is, it will remain that way. We're not envisioning that we're going to change it to align with CUI.

The burden would be on the staff, the NRC, when we are marking the documents to apply the appropriate markings.

MS. STAIGER: Thank you, Tanya.

MS. MENSAH: Okay. Are there any other comments or clarifications from the NRC on that?

MR. MOSES: I'll pass the mic.

MR. MEYER: Steve Meyer, STARS Alliance. I just wanted to follow-up on that, Tanya. I don't have 73.21 right in front of me but I know it discusses the required markings or controls for safeguards information that a licensee receives.

Is there going to be any, if you don't revise, and I'm proposing you do, but if you don't revise Part 73, how is it going to be clarified that information we received from you, that's SGI, CUI specific SGI, that we're not in conflict by applying our controls from the same information?

Are we just going to keep it in the CUI bucket, you know, the program once we receive it from you?

MS. MENSAH: I think that's a question that the working group and steering committee are still trying to consider, what the appropriate way is for us to convey to you that this is your information and you're not required to handle your information as CUI. Even though we have to apply the CUI markings on it.

And one of the examples that I've heard that I thought was really good, this is through NARA, and so if Devin has additional comments he can weigh in, but the example that I've heard at their meetings are that, it was an example with the IRS.

So when you submit your tax information, you don't mark your documents with CUI labels and you're not following the CUI rule as your information. So if you choose to make your financial information or your social security information, you can do what you want with that. You can make it public, you can put it on your door for everybody to see, it's up to you. But when the IRS receives it, they have the responsibility to mark the document as CUI and protect it accordingly. Now, they might have to send documents back to taxpayers.

And if they have CUI markings, my understanding is that the preference would be to leave the markings on the document but just to explain in the transmittal memo that the reason you see these markings is because while I was with the agency we were required to protect it as CUI. But this is your information.

And so we are looking at that. Just in terms of an analogy to see if a similar approach might be something that we can use.

Our concern is that we want to keep it as simple as possible because we feel like the more we go in and start trying to pull out information and to, that we can end up making this overly burdensome if we're not careful.

So, we're still considering that in looking at what other agencies might be doing. Because if you're going to receive, if you're going to be receiving CUI from other agencies, there is a strong possibility that we'll have similar approaches. We want to have a similar approach.

MR. MEYER: Thank you.

MR. GALLOT: Dave Gallot, Exelon. On Slide 18, Tanya, I didn't quite understand the answer regarding third-party sharing.

You answered the question on the slide no and then I think you said the agency has to establish the agreement. What I didn't understand there is, does that mean before a licensee shares something that's marked CUI with a third-party, the agency has to get in an agreement with that third-party?

MS. MENSAH: So, the way I think we're looking at this in terms of process is that we would have a written agreement established first with whoever we expect to share CUI with.

And then the terms of your written agreement would specify if there are any restrictions in terms of dissemination. Or either on that document you would see if, because the banner at the top for CUI would indicate if there were any limited dissemination.

MR. GALLOT: Okay.

MS. MENSAH: So if we, as an agency, said, well, we're not going to apply the limited dissemination markings so that you have that flexibility, which is what the working group is considering, then you would not be restricted in any way in terms of sharing with someone who has a lawful government purpose.

MR. GALLOT: Okay. And if it did have those restrictions then we'd have to go back to the NRC and have them establish a written non-disclosure with that third-party before we could share it?

MS. MENSAH: That might be a possibility.

MR. GALLOT: Okay.

MS. MENSAH: We haven't gotten that far yet.

MR. GALLOT: Okay.

MS. MENSAH: But there are some types of information, for example, that by law or regulation they have restrictions on how you can share it with. So we have to apply the law as well.

So if we're dealing with an information type where you have to have the limited dissemination, then that would be on the document since we have to follow the law.

MR. GALLOT: Okay. Thank you.

MS. MENSAH: Okay.

MR. MEYER: Tanya, Steve Meyer, STARS Alliance. If I could follow-up to that question.

I think you know our, what we're looking for there is to continue to be able to share like OE from inspection reports, security lead in. And what's really going to be important is how broad that limited dissemination control is applied. Because we certainly want to be able to continue to share that with others.

And then I guess an element of this, if we do want to bring in a third-party, maybe not a permanent employee but somebody that would help us with maybe like a security, would treat that individual as an employee under our existing NDA?

MS. MENSAH: Well, I think those are good comments, and we can consider them. I don't know, Devin, if you are aware --

(Technical difficulties.)

MS. MENSAH: -- I'm not sure if you have any feedback on that from a federal-wide perspective, what other agencies might be. Do you want --

MR. CASEY: Yes, that's what it is.

(Technical difficulties.)

MS. MENSAH: Sorry, we're having some microphone issues right now.

(Off record comments.)

MR. CASEY: So this is Devin Casey, ISOO. There is a lot of nuance in it and it really depends on the particular situation as to how information gets disseminated further upon, after its first dissemination.

And a lot of this is very similar in government contracting. And it really depends on what's in the contract and the lawful government purpose of that information.

And then obviously in this case, also what's in the description of your non-disclosure agreements as well. As to whether or not you can essentially bring other people on to access that information.

Generally, and the rest of the contracting environment, that information is limited by a lawful government purpose. Unless otherwise and specifically stated.

And unlawful government purpose is quite simply a purpose that is not unlawful and is a government purpose. So, the contracting of someone to assist you with analyzing data that the government has given you for safety purposes could be a government purpose for that information to use it in its intended use. So it would not be restricted in dissemination based off of those facts.

Now, obviously if there is a limited dissemination control applied or a non-disclosure agreement where they would also have to sign the non-disclosure agreement, whatever that process is, that would have to be followed.

Obviously, frequently in the contracting background or contracting area there may be personnel security requirements in addition to the non-disclosure frequently accompany that type of access or work as well. So those are considerations as part of that.

So, I mean, contracts and agreements still have the force of contracts and agreements. You have to follow all the tenets in them. But CUI, in and of itself, doesn't inherently change too much of how that works. It functions off that lawful government purpose dissemination.

But we've actually found that that's been pretty valuable because many times contracts and agreements didn't actually explicitly state when you could share information. It really only said when you couldn't.

And there is an actual definition of, unless otherwise prohibited you can share in furtherance of a lawful government purpose. So hopefully that expressed statement, again, unless otherwise limited, is helpful.

MS. MENSAH: Okay. If there are no other comments or questions in the room, we can go to the phone. For the, Operator, do we have any questions or comments from those on the phone?

THE OPERATOR: We do not. But as a quick reminder, if you do or if you would like to ask a question or make a comment please *1.

MR. MOSES: Are there folks in the room?

THE OPERATOR: One moment for the first question.

MS. MENSAH: Okay, we're ready for questions.

THE OPERATOR: Patrick, your line is open.

MR. ASENDORF: Thank you. This is Patrick Asendorf from Tennessee Valley Authority.

My question goes back to the agency designation of the CUI. And it goes to Steve Meyer's follow-on to his question about safeguards information. And understanding that it's CUI specific.

So, the NRC provides information through guidance documents that may be safeguards information. And they designate that information as CUI safeguard information, and then a licensee takes that information and incorporates that into their program documents. And then has to disseminate that information.

Would that information be considered still CUI, SGI specifically, CUI specific. Because, would NRC designate it or would that be considered the licensee's program document now?

MR. ADLER: This is James Adler from the General Counsel's Office at the NRC. If this is safeguards information that is not, it's just the NRC sent it to the licensee and the licensee is incorporating it into their own documents and their NRC marked it as SGI, then it's not the licensee's SGI that the licensee originally gave to the NRC, then I think it still would qualify as CUI even if it's incorporated into additional licensee documents.

But if it's SGI that the licensee gave to the NRC and then the NRC put it into a different document and sent it back to the licensee with CUI markings on it, then that would potentially, as been discussed, come with a letter saying this is, we have to market a CUI but you don't have to --

(Technical difficulties.)

MR. ADLER: -- and then incorporate it then into another document --

(Technical difficulties.)

MR. ASENDORF: I'm sorry, the microphones there are not coming through.

MR. ADLER: Yes. Is this one --

MR. ASENDORF: I didn't hear the --

MR. ADLER: Can you hear now?

MR. ASENDORF: Yes.

MR. ADLER: Okay, think this works. So --

MR. ASENDORF: So, I did hear up to the point where, if it were NRC's information that was sent to the licensee, it would still be considered CUI once incorporated into a licensee's document.

MR. ADLER: Right. If it's not the licensee's own SGI. If it is and the NRC sends it and it's marked CUI because the NRC had to, the NRC would hopefully convey to the licensee they don't have to treat it as CUI even though it's marked that way. And then that would carry through in any other documents the licensee incorporated it into.

MR. ASENDORF: Okay. So, I see that as a fine line of difference of the licensee's created document because there is information that we currently have in licensee's documents that was designated by the NRC. And I see that in the future as well as a potential.

So, I think we would have to work through how that information is marked and controlled under the CUI. From a licensee standpoint.

MS. STAIGER: This is Maggie Staiger with NEI. So just to add on to this conversation, you with the NRC are expecting that we would take that information and keep it in our current SUNSI or safeguards program, so you would not see the need to have the same document in two different locations being controlled as CUI, as well as within the existing program that the licensee would have set up currently, correct?

MR. ADLER: I'm not sure I quite understand the question. But this is, I mean, if SGI needs to be protected under 10 CFR, Part 73, SGI requirements, then it's CUI-specified. So that would make sense.

If it is also CUI because it's not, as we've sent the information to the licensee it's SGI, but it's also CUI, it's not their information, then there could be, you know, potentially some additional requirements that might apply.

Because if CUI specifies as the authority, say 10 CFR, Part 73, doesn't cover all aspects of controlling the information, then CUI basic requirements fill the gaps.

I don't think we've gotten to the point of knowing exactly what that might mean in the context of SGI, but at least in theory it could make a difference as to whether it's CUI from the licensee's perspective or not. Even though, in either case, it's still SGI and has to be protected under Part 73.

MR. ASENDORF: This is Pat Asendorf again with TVA. So I understand the protection requirements under safeguards information being maintained, it's just that if there is an additional marking that CUI, a different type of a banner than the current SGI marking that would be added to that, because it was information that was originally provided by the NRC, created by the NRC to the licensee.

And then just carrying that forward into a licensee's now documentary security plan, or a procedure that safeguards, but under the licensee's program it doesn't have a CUI banner, per se, my question would be would we have to carry that CUI banner forward into that licensee document because the NRC created information that is incorporated into it?

MR. MOSES: This is John Moses from the NRC. To clarify my understanding, are you referring to CUI information that you provided to the NRC or information NRC provided to you? Also, are you just referring to safeguards information or any CUI information?

MR. ASENDORF: Yes, I'm talking purely safeguards.

MR. MOSES: Okay, purely safeguards --

MR. ASENDORF: -- that the NRC created the safeguards information and disseminated that to licensees as guidance to be incorporated into a licensee's program --

MR. MOSES: Right. So NRC provided safeguards information to you?

(Simultaneous speaking.)

MR. MOSES: NRC provided CUI to you and labeled it as CUI?

MR. ASENDORF: No, the NRC provides the guidance to licensees.

MR. MOSES: Okay.

MR. ASENDORF: All right, licensees now take that CUI-specific that's SGI-specific. And then they incorporate that into their licensee document. And then, so now they have NRC created CUI that's SGI in their licensee document. And then they may have to disseminate that back to the NRC or to somebody else, another licensee, in sharing information.

So I'm just trying to understand that nuance of, because it originated from the NRC, and now it's in a licensee's document that they created, there's a bunch of information in the licensee's document that was licensee-created, but there's this piece that came from the NRC that's incorporated in there.

MR. CASEY: This is Devin Casey from ISOO. And while I can't speak specifically about licensing information, I can speak generally about CUI. CUI, when reused, derivatively used or reproduced, maintains its CUI designations and markings, regardless of the number of times it's reused derivatively.

That's why granularly marking CUI to the best extent possible is so valuable. Because understanding what is and is not CUI in a document can help you pull out the uncontrolled, unclassified information and widely distribute it more easily than just using a banner marking. But unless specifically marked in a CUI document, all of the information is supposed to be treated as CUI, regardless of how it's reused.

MR. ASENDORF: Okay, thank you. So I understand portion marking would probably be best for that situation --

MR. CASEY: Yes. There are many --

(Simultaneous speaking.)

MR. ASENDORF: -- that can be identified?

MR. CASEY: There are many situations where portion marking is very valuable or ensuring to separate the CUI and uncontrolled portions of a document in a way that's recognizable to the recipients.

MR. MOSES: So I just wanted to ask a clarifying question for NARA. Were you talking about co-mingling different types of CUI? So let's say, there's privacy information of your employees plus SGI that was provided to NRC, and we would control it.

It sounds like this circumstance is a question of hybrid labels because SGI has different requirements for protection and destruction compared to privacy information. And the question is, can I just put it back in the SGI, or would I do something different?

MR. CASEY: Devin Casey, ISOO. So if there are multiple types of CUIs classified, the requirements for both have to be followed. Again, if it's returning your own privacy information, then do with it as you will.

In general terms, if we take your stuff and put CUI on it and then give you your stuff back, it's still your stuff, and you can take those markings off. But if it is, you know, multiple types of CUI, all of the requirements for that CUI have to be followed in that document.

So if there's privacy information and SGI information, then the tenets of both policies have to be followed to the best of extent possible. We haven't really come across any where they contradict. Because normally, one just increases the requirements of the other.

MR. MEYER: I didn't think I was going to need to ask this question, but I think I need to now. After the earlier, Steve Meyer, STARS Alliance, after the earlier discussion about the origination of CUI, I was seeing that no licensee would implement the CUI program controls for their information.

But an example that Pat Asendorf brought up seems to raise that as a possibility where, you know, you take this safeguards information, whatever, the CUI was created by the NRC, put it in your documents, and now you need to carry that forward.

So if a licensee, my question then is if a licensee chose to go ahead and apply the CUI program controls knowing that they may get into this, and it might be simpler, you know, instead of trying to run two programs in parallel, do you see any problem with the licensee going forward, you know, designating their information as CUI, and just controlling it that way for all the new stuff, and then leaving all the old stuff as legacy information, and using the old, you know, existing controls for SRI, SGI, et cetera?

So they would be calling their stuff CUI, and at the same time they'd be receiving it from you as CUI. I see problems with that, but I'd like perspective, based on this new scenario I don't think we considered before.

MR. CASEY: Devin Casey, ISOO, and this question has come up from businesses that do a lot of work with the Department of Defense and other entities. Because sometimes the company is more willing to kind of start diving into identifying the information now even ahead of their government partners.

We have always cautioned against marking anything CUI until it reaches that government nexus. So unless it's created by or for, or collected by or for the executive branch, we encourage not to use the CUI markings.

That doesn't mean that we don't want you to protect the information, and it doesn't mean that we don't want you to mark the information. We just encourage that you not mark it in the same way the government does just so that you can keep that understanding of, you know, what is yours and what is ours.

The big caveat there is at one point you'll probably have government CUI in your system. And if you have your information marked as CUI, you are going to be reporting incidents to the United States government for all of it if you can't separate it out.

Because there's incident cyber security reporting for CUI, and if you can't tell if it was yours or ours, then you're going to have to report it to us in ways that you might not have to otherwise. I don't know what SGI's reporting requirements are separately. It's just a situation that can arise with CUI.

OPERATOR: We do have another question on the phone line. Our next question comes from Gibb Vinson. Your line is open.

MR. VINSON: Thank you. Regarding the written agreements that we have for transmitting CUI, it seems like that could be hundreds if not thousands of documents for us in commercial licensees. That seems overly burdensome. Regarding the option for having a statement in your transmissions that you must treat it as CUI, is that considered to be a routine type option, or is that only to be used on limited cases?

MS. MENSAH: This is Tanya Mensah. The working group was considering, we're trying to consider what the best approach would be, what would be most efficient. But I think initially going in we were thinking it would be routine, not just on a case by case basis.

So that we would be able to, if it's your information, we'd be clearly stating that. So that when you receive NRC documents that have CUI markings, you would understand that the NRC was required to apply the marking, but you don't have to protect it as CUI, because it's your information.

So that was that transmittal letter that needs to be further fleshed out so that we can think about that further. But we weren't thinking of, like, that would be a routine transmittal.

MR. VINSON: Okay, that sounds great. Also, seems like I saw a record keeping element to this where we were supposed to document and track each transmission of CUI information. Is that correct?

MR. MOSES: We're not aware of that, and I'll let NARA respond.

MR. CASEY: Devin Casey, ISOO, that is not a general requirement for CUI. So I don't know what that would be.

MR. VINSON: Okay, thank you.

MR. CASEY: Yes. So I do work at the National Archives and Records Administration. I am not a records person though, I'm just a CUI guy. So I don't know the ins and outs of records requirements, but that's not part of the CUI program. I can say that.

MS. STAIGER: Tanya, this is Maggie Staiger with NEI. Just to point back to the transmission letter that the working group is considering, do you think that if this letter were to come through would the licensee be able to remove the markings of CUI to further help specify whether that information is the independent information to licensees versus the Government information to help differentiate that moving forward?

MS. MENSAH: So that kind of goes into, this is Tanya Mensah, goes into what Devin was talking about in terms of portion marking. So either being able to separate out, like, we're transmitting this to you, this portion is clearly CUI, you have to protect it, and the other stuff's your information.

So there would be two approaches. Either we're not marking it, the portion that is CUI, so that it would have no markings on it, but I think that the concern with that approach is that it would be difficult from a staff perspective, because we might have the whole document marked when it's in our possession. Now we have to go and create almost like a separate document with different markings.

And there were concerns about potential inadvertent release. So we still have to consider those issues like how we would parse it out. Are we going to do portion marking so that we can clarify further that this is the specific paragraph that's CUI, so then you would know? I think we would encourage that, but the working group just hasn't gotten there yet.

MR. CASEY: So this is Devin Casey. The sharing of controlled and classified information back to the holder who's not obligated to protect it is, it falls kind of in a gray area of our policy.

So it's not a disclosure related to a statute, in which case we generally remove the markings like FOIA. It's also not decontrol of that information, because we are not actually decontrolling it. We're still protecting it at the executive branch entity. But we're returning it to an entity that's not obligated to protect it.

And that's why it's kind of up to an agency's implementation and plan to determine whether or not they're going to strip markings off, or communicate that that information doesn't require protection, or if it's going to be left to an understanding of how the CUI policy works that the recipient doesn't have to protect CUI that is only marked CUI because it's their information. They've received it back.

So it's kind of up to a lot of interpretation and policy in how this working group solves it. There's a lot of flexibility in how they can go about that.

MR. MOSES: This is John Moses from the NRC. This is a suggestion or comment for Devin and our NARA colleagues. Would there be a way to show provenance in the markings that may essentially disambiguate some of these challenges?

There are concerns about the separation of cover sheets that designate the origination of the CUI. Let's say an external party sends privacy information to an agency with a cover sheet indicating the originator. The agency correctly marks and handles the privacy information as CUI. However, when the agency provides the privacy information marked as CUI back to the external party without a cover sheet indicating the originator of the information, the external party may incorrectly handle its own privacy information as CUI.

MR. CASEY: So Devin Casey, ISOO, again. So the only problem with a marker on a CUI document is the agency marker for who controls it. Because the requirement that any CUI that is controlled is identified by at least the agency that's controlled the information, so the designation indicator.

Outside of that, we do allow for markings on documents that aren't strictly security related. So we have administrative controls that are allowed to be marked on documents, but we also encourage the continued use of things like paragraphs or other identifiers on a document that speak to the content or purpose of that document.

So frequently in the contracting realm, we're not going to create a new government marking for every contracting entity that does business with the government so that we can have the entity represented in the CUI marking. It would break information sharing at DoD alone, let alone the executive branch.

That doesn't mean that people who you share that CUI proprietary information with aren't putting on that document or ensuring that there's letterhead identifying the entity that's shared it with them.

So we do allow for that sort of the practice of, you know, entity letterhead, things of that nature, to remain on the document to give you an indicator you've just received your own information back.

Normally in the contracting world, that's ironed out through part of the contracting agreement of, you know, here's how you give it to us. And when we give it back to, here's how we'll do it, and here's what it looks like.

Obviously, this is a bit broader of an environment and therefore harder in some ways to handle which I think the value of a common agreement would be very valuable to understand how that process works, whether or not you should expect it to be marked and to do the work yourself of identifying if it was really yours, or whether or not that marking will be removed, or if there will be a notice supplied to the particular types of information that are yours being given back to you.

MR. MOSES: This is John Moses. So, an agency is permitted to use an administrative label, such as "provided to the NRC by X" to indicate the originator of CUI provided to the agency?

MR. CASEY: Yes. Whatever works for you.

MR. MOSES: Okay, thank you.

MR. CASEY: This is Devin Casey again. Because administrative labels do not add controls to the document. We do jealously guard our markings. We don't want you to add controls to how a document is protected.

That doesn't come with a cyber security requirement. It doesn't change the destruction requirements. It doesn't make you put it in a GSA safe. So it's not infringing on our security marking. Our only note would be don't put it in our banner, so it's not confused with the CUI banner or other CUI markings.

MR. MOSES: Thank you.

MS. MENSAH: This is Tanya Mensah. It's about 3:20. And I know we have another presentation. Are there any other questions or comments on the phone?

OPERATOR: Yes, we have a question from Jason. Your line is now open.

JASON: Hello, Tanya. Does the CUI only apply to Part 73?

MR. MOSES: This is John Moses. I'm not sure Tanya heard that. Was the question does CUI only apply to Part 73?

JASON: Correct, versus 437.

MR. MOSES: So I can answer that. CUI transcends all those parts, because it is impacting different kinds of information that are outside of or tangential to those parts.

MR. GOLDBERG: Jason, you referred to Part 37.

JASON: Okay.

MR. GOLDBERG: Hi, this is Paul Goldberg. CUI does not apply to Part 37. As John was saying, you know, in addition to Part 73, it does apply to a number of other categories of information, clearly ones that Tanya mentioned earlier, privacy, investigation, allegations, proprietary, export control, categories like that.

JASON: Thank you.

MS. MENSAH: Thank you. Are there any other questions on the phone?

OPERATOR: Our next question comes from Dwayne. Your line is now open.

DWAYNE: Yes. I was wondering can someone elaborate a little bit on paper versus electronic protection?

MR. CASEY: This is Devin Casey, ISOO. So the protection of physical CUI is essentially it must be stored in a controlled environment and behind a locking barrier. We don't go too much further in defining what that means. That's up to agency or entity policy so, you know, something like your physical security SOP or policy would define a controlled environment. Then, of course, a locking barrier is something that locks and provides evidence of tamper.

And then there's requirements for the physical destruction of paper documents in accordance with NIST 800-88 which is generally either a classified shredder or one meeting the standards of a classified shredder, a five millimeter, or a multi-step destruction process.

The electronic requirements for safeguarding CUI are a bit more complicated. If it's a federal information system, it has to be moderate confidentiality impact value. If it's a non-federal information system, it's supposed to be minimally NIST 800-171 compliant which defines moderate confidentiality for a non-federal information system.

DWAYNE: Okay, thank you very much.

MR. CASEY: And outside of a NIST 800-171 compliance system, it must be encrypted, that in accordance with FIPS encryption standards.

MS. MENSAH: Thank you. This is Tanya Mensah. Are there any other questions? I think we have time for a couple more. And then we'll go to Maggie for the NEI presentation.

OPERATOR: Our last question comes from Crystal Shaw. Your line is now open.

MS. SHAW: Hi, Tanya. It seems from the discussion that's taking place that we are being encouraged to maintain a completely separate program with the CUI with information that is submitted from the NRC. And what I mean when I say that is for information that's coming in, it'll be marked CUI. But it almost seems like we should not take that and tag that within our safeguards program.

If a licensee chose to do that, and the NRC inspected it, would there be any liabilities with that, because he did not have something marked safeguard in accordance with our program but were keeping it in accordance with the CUI?

MR. MOSES: So this is John Moses from the NRC. And I'll defer to other folks from NRC. If it is safeguards information, it needs to be handled according to those requirements.

The handling requirements do not change because of CUI, although the labeling might be slightly different. Safeguards information still has to be handled as such.

CUI includes many types of information, in addition to safeguards. Just to be clear, CUI can be characterized as basic CUI or specified CUI. Safeguards is specified CUI with specific requirements for the different aspects of the life cycle - designation, marking, controlling, decontrolling and destruction.

That's a little different than other types of CUI. So they would have to be handled, if received and maintained, according to the CUI standards for basic. Hopefully that's instructive. Devin, James, or Tanya, do you want to comment?

MR. CASEY: Devin Casey, that's exactly right.

MS. SHAW: So that I do understand. I understand the difference, and I understand that there would be controls on something marked CUI specific. However, if we chose not to stamp it safeguard and follow our safeguard program as well, but maintain those controls with those markings, is that inappropriate?

MR. CASEY: This is Devin Casey. So is the question do safeguarding markings have to also be applied to CUI safeguarding information?

MR. MOSES: There's a type of information called safeguards information. The marking of safeguards information would have to be in accordance to the existing requirements for safeguards information. Perhaps, I'm not fully grasping what you're asking. It wouldn't change.

MS. LYONS-BURKE: This is Kathy Lyons-Burke from the NRC. The safeguards regulations require that that information be labeled in a very specific way.

MR. MEYER: This is Steve Meyer, STARS Alliance. I guess what I'm picturing this as, as a licensee, is that you get these CUI-specific safeguards. And I think what Crystal is asking is if the NRC inspected us, I think they would expect to find that in our safeguards control area, in a folder labeled CUI so that it's clearly evident that we followed safeguards, we control it that way, and it was sent by the relevant agency, NRC, as CUI. And we have an NDA that maintained it that way, and we'd have to keep it marked that way. So we'd have to meet both requirements. Isn't that what this comes down to?

MR. ADLER: Well, I think what you just described there was correct. Hopefully, that answers the question.

MR. CASEY: Devin Casey, ISOO. Yes, that does sound like the correct description of it. You're required to follow the tenets of the CUI program as required in the contractor agreement but also the existing statutory requirements for that information.

If there is a point where they do directly conflict, then please raise that to your regulatory bodies, or entities, or points of contact to have that policy updated or changed. And then we would, you know, we, or they, or whatever the entity is would issue a notice to address that in the interim.

MS. MENSAH: This is Tanya Mensah. Are there any additional questions on the phone?

OPERATOR: I'm showing no further questions at this time.

MS. MENSAH: Okay. Are there any additional clarifying questions in the room?

(No audible response.)

MS. MENSAH: Okay. So, Maggie, I'll turn it over to you so that you can jump right in to the NEI presentation if that's okay.

MS. STAIGER: Thank you, Tanya. Again, this is Maggie Staiger with NEI. I just wanted to thank Tanya and the NRC again for this great discussion. I think we were able to answer a lot of questions.

On behalf of NEI and the industry, I want to go over some quick highlights of where we see this year progressing. Again, NEI does not want to get ahead of themselves. We understand there's a lot of discoveries that are going on with the working group. And we appreciate that. But we wanted to share where we see this year's progress going for us.

So for instance, we issued an APC letter notifying our licensees of the upcoming CUI rule. We did that this January. So we've started the discussion and, again, we appreciate this public meeting so quick after.

We are currently in the process of evaluating the impacts of the rules, 32 CFR 2002, and the NIST requirements in doing a gap analysis. Right now, that's progressing. In some cases, we're getting some feedback that we expect. Licensees will need from a year to two years to adhere and fill the gaps that we're identifying with the NIST standard.

Now again, this isn't immediate from once we're identifying these gaps. It's going to rely on feedback that we receive from the NRC once the management directive is released as well as the policy statements.

And in addition to any other communications that we have with DoD, or DOE, and the other federal agencies that we share information with, right now we've had the most communication with the NRC. And we do thank you for that. We appreciate this open and transparency that you've provided for this. But there is some concern regarding the progress that the industry received for these other agencies.

So those timelines continue to be pushed. So we appreciate that the NRC is looking at making the CUI program active in December of 2021. And we understand that that's a rolling timeline. But we just want to stress to NARA that, for the industry to adhere to these new standards that are coming out, it will take time and perhaps funding, which means we have to get the budgetary estimates in for the upcoming years, which also shortens the timeline that we have to work with it.

Moving forward, in addition to that, this year we're looking at determining negotiations and any type of NDA agreements that we can work through. We appreciate NARA releasing that draft document, and we have started looking at it.

We're hopeful that we can utilize this agreement to take credit and perhaps reduce some of the scope that the NIST standard is going to require for electronic controls.

For instance, one example would be FS screen and using the NDA to accept that closed network systems, such as our PADS system that we are currently using, could be incorporated into this without adhering to some of the rigorous NIST standards so that you could take CUI information that would be provided from the NRC, for instance, Social Security numbers for incoming inspectors. We would have to take that information and input it into our current FS screen program.

While, yes, that information is considered CUI under the new rule, we want to be able to continue using the approved processes that we have without additional burden. So we'd be interested in looking into that opportunity with taking credit through the NDA.

Now that we have that available, we'll continue with communications. Again, once the management directive from the NRC is released, which we expect sometime this summer per your presentation, NEI is going to work on developing a change of management plan and a template. And we'll provide that to the NRC and the industry to help facilitate this change moving forward.

And then finally, towards the third quarter of this year, we would like to be wrapping up these NDA agreements. Of course, that will rely a lot on the input that we receive from the other federal agencies and the working groups. But we continue to value this close working relationship that we have. And we look forward to this continued effort for it.

In addition to some of the challenges that the licensees will experience, specifically with the NIST 800-171, we do acknowledge that there will be more public meetings addressing this in great detail. And we do look forward to that.

But just as some precursory discussions, we do have some concerns. We understand that, per the NARA presentation in February, the federal agencies are required to have an accredited NIST program. Is that accreditation intended to trickle down to the licensees, and if so to what point or to what extent?

MR. CASEY: This is Devin Casey, ISOO. So only one executive branch entity is looking at actually accrediting non-federal information systems. So that is a proposed DoD plan for CMMC which you can learn more about on DoD's website if you Google CMMC. That is DoD only entered as not a CUI element. CUI informs on the level of certification required to contract or enter into agreements with DoD.

For instance, if CUI is included in that exchange, that would be Level 3 to 5. But it's not an actual implementation of the CUI program. So accreditation of non-federal information systems is something the CUI program actually specifically avoided including. That's why NIST 800-171 systems are self-certified and then overseen by the executive branch as needed.

MS. STAIGER: Thank you, Devin. I appreciate that. Looking more at a broader picture, does the NRC and NARA have any interpretation on a transition period that you would expect the licensees to adhere to?

MR. CASEY: Devin Casey again, so DoD did roll out, a couple of years ago now, DFARS 70-12. And when they rolled out DFARS 70-12, it pushed the NIST 800-171 requirements on all of its contracting entities that entered into a new contract with DoD that year. And it required compliance immediately. This is why they've been regarded as a quick mistake.

They then quickly adjusted how that would work and specifically stated that they had 12 months or close to that until the next beginning of the new calendar year to become compliant with NIST 800-171.

Another note is that after that initial push NIST 800-171, Revision 1, which we're now on Revision 2, came out. And what it did was explicitly include the requirement to have a fully created system security plan.

And part of that system security plan includes a plan of action, also frequently referred to as a plan of action milestones, that outlines how currently unimplemented controls are planned to be implemented.

And NIST 800-171 actually says, as long as you have a system security plan and a plan of action, you are compliant unless the government requires you to not have a plan of action. So unless they come in and specifically say that you must be done, then you can have a plan of action.

So that actually helps kind of alleviate a lot of those initial concerns that a lot of those DoD entities had. And it built an idea of implementation plan into 171 itself. So if someone were to require a 171, really you have, you know, should give them a grace period to get their ducks in a row and have an SSP and POAM. But after that, that can be acceptable.

One key note is, you know, POAM should be reasonable. And once you have a POAM and you certify with the government that you're going to stay 800-171 compliant, you are kind of held to the timelines of that POAM now to an external entity, not just internally which may surprise some CIO offices across the United States.

Having external deadlines is very different from internal goals. So that is a consideration there that significant deviation from that POAM should actually be communicated back to the entities to which you have contracts or agreements certifying your compliance.

MR. MEYER: Steve Meyer, STARS Alliance, and talking about the example that you mentioned, it was at 12 months following DoD's requirement that the contractors had to implement that?

MR. CASEY: Devin Casey, ISOO, yes. Yes, it was 12 months after. So there were, because of the number of contracts, it was included. And it wasn't 12 months after the issuance of a new contract. DoD just set a single date and says it's approximately 12 months from now. So what they said was it was essentially, it gave them until the end of that calendar year. So I think it ended up being 11 months or something.

MR. MEYER: Okay, good to know. And I think that that's very important for the power reactor licensees. Because as Maggie explained, you know, we're following along and managing our leads as the NRC is moving ahead and implementing. But there's things that we need to do.

And as we get into it, it's kind of like NRC has discovered more, and it keeps growing. And the thing that I notice is they're, you know, it's really not clear what NARA's expectation was for after the agencies implement how long, you know, their customers or their stakeholders have to implement. So I think that's something we need to work towards on our end.

The other thing, Devin, is that I think what makes it somewhat more difficult, at least on our end on the power reactor licensees and working with the NRC, is that it doesn't seem like we're hearing the same level of push, I think Maggie spoke to this, from the other agencies.

So when we get to the corporate, you know, the 800-171 assessments and changes that they needed are obviously not just nuclear, it's corporate level. You know, when we start talking to corporations, you know, it's almost as if they haven't heard it from the other executive agency counterparts. Can you help and shed some light as to what's going on there?

MR. CASEY: Yes, Devin Casey, ISOO, again. It hasn't spread much beyond DoD yet, because DoD is the only one to put it into existing contracts and agreements. Actually, I think a couple of their agencies have. I believe NASA has already included the requirements occasionally.

Most agencies and entities are waiting for our FAR case to come out. So we are coming out with a CUI FAR case. It will standardize the application of the CUI requirements and the non-federal entities through contracts that are subject to FAR requirements.

That will include the NIST 800-171 in it. And, you know, the executive branch will add it to the extent that most entities in the executive branch that spend money are required to comply with the FAR, and many that aren't required voluntarily do. So there'll be a rather large shift at that moment.

Other entities have looked at it, and the Department of Education has looked at how colleges and academia will be applying this to 800-171 standards for information that is collected on their behalf as well. So it's trickling out there.

As far as the defense industrial base goes, it is very much out there. But the rest of the civilian infrastructure, it hasn't really trickled down to there yet, unless there's been a defense tie in.

MR. MEYER: And are they, CUI industry day I thought that the entire, you know, all agency implementation date was 9/30 of '21. So are they working to that date or a different date then?

MR. CASEY: So we'll be publishing something shortly that speaks to agency implementation. We've done it twice in the past about agency timelines. We are looking at a new document that'll come out and discuss, you know, where we think agencies, you know, start giving them firmer deadlines for implementation. But they do have quite a lot of flexibility currently.

I can say in the next 12 to 18 months a lot of work and changes will start to be communicated outside of the executive branch, because that's after policies get published.

We do limited coordination as we're working on policies with stakeholders and experts who can inform on the creation of the policy. But we don't, you know, do quite the same amount of work with the drafts as we do once it's finally out and we start, you know, really talking about what the requirements are to all of our entities and getting them ready for it. So there will be a significant change in the next years.

MS. MENSAH: And, Maggie, just to follow-up on your question, this is Tanya Mensah, so as the NRC working group, we will be looking through these interactions that we're having to get recommendations regarding the amount of time and resources it would take for a specific stakeholder to transition.

One of the things we recognize is that we have different stakeholders with different resources and schedules. And so we have operating reactors, but we also have, like, universities for non-power. So we're looking to get some feedback on the sense of what that time table might look like. It might be different for different stakeholders. We just don't know yet.

Another thing I think that has come up, at least at a working group level, is we're trying to understand, and maybe, Devin, you can address this as well, are you seeing that agencies are preparing to transition to CUI, that their goal is, once they transition, then they're going to give the non-executive branch entities another 12 months to complete their transition?

Or is this something that's being done in parallel so that, by the time the agency says, okay, now we're implementing CUI, that their entities that they're planning to share CUI with have already transitioned?

MR. CASEY: Devin Casey, ISOO. We've kind of seen it all. And some agencies have, you know, chunked different aspects of the program into different phases of development. So obviously, DoD pushed the cyber security requirements out before they'd even published CUI policy. So they reference NIST 800-171 right off the bat.

Other entities have looked at doing things similar with their 171 requirements. At the same time, other agencies have sat and said, you know, we're not going to start pushing these requirements out to industry until we're ready to do a good job marking and identifying that information in a way that supports that effort.

As far as timelines for implementation after that, that's something that our FAR, when our FAR comes out, one of the last phases of determining implementation for it and what those timelines look like, one note is if a non-federal entity, you know, figured out how their system is currently configured and goes to the work of identifying how they're going to budget to bring it into NIST 800-171 compliance, well, in order to do that you have to have a system security plan and a plan of action.

So at that point, you're already minimally compliant with the 171 program. So while you might be two years of your POAM, you're already meeting the requirements as far as the minimal requirements for 171 compliance or concern. So that usually addresses a lot of the concerns right there. And it's part of the reason we made that change to the 171.

Because we do understand, we don't expect you to implement multi-factor authentication at a non-federal entity in six months. That's a two-year plan generally, you know, a year of planning and a year of implementations.

MR. MOSES: This is John Moses from the NRC. Devin, could you comment on the external deadlines in terms of plan of action and milestones of POAMs?

MR. CASEY: Yes. So, and this is especially pertinent in the contracting realm. One of the things that we started to see with industry's happiness of having the ability to create a plan of action and milestones, is the same thing that we see on any plan of actions and milestones. The dates come and go, and the actions don't get implemented.

So at the point where you've entered into an agreement certifying compliance with NIST 800-171, and part of that compliance is your plan of action, that tacitly means that you've agreed to meet those deadlines that are in your plan of action.

So there's a requirement or understanding that you will do your best to meet the plan of action and milestones as outlined to implement those unimplemented controls for 171. You can't enter into an agreement with the United States, but in multi-factor authentication we'll get this done sometime and never meet it.

That doesn't meet the requirements for a plan of action, and it's not something that, again, the goal is to have all systems that process CUI be fully compliant with 171 and to have plans of action only be there for, you know, we're adding a new system, we're expanding to the Cloud, and we have mitigating actions in place that they'll still be used but not for a long term postponement of implementing controls.

MR. MOSES: If I could focus the discussion. If contracting entities are handling CUI on behalf of the federal government, they have to comply with CUI requirements. But for stakeholders, is NARA looking at inspection requirements?

My understanding of the government's enforcement mechanism for stakeholders is for the government to cease sharing CUI information. Devin, please clarify if I'm incorrect.

MR. CASEY: We leave that oversight to the entity that has the contractor agreement, so we won't step in and do that. We will evaluate entities' oversight of their non-federal entities, agencies' oversight of non-federal entities. But we do that, you know, based off of risk acceptance.

So we understand that, you know, you may set your own, like for instance, you could come up with, you know, have a plan of actions and milestones, but we do expect all existing entities to be fully compliant within five years.

That's something that you could communicate out. So, you know, DoD has put out contracts where they're not too concerned about how compliant with 171 you are as long as you're trying.

And they've put out others that require full compliance on day one.

MR. MOSES: And those are contracts, not agreements?

MR. CASEY: Yes, those are contracts. And again, they're based off of the quality and quantity of CUI. So that is left up to the entity entering into that agreement to set those additional deadlines.

MR. MOSES: So the emphasis essentially is a risk-based decision?

MR. CASEY: Very much so.

MR. MOSES: Thank you.

MS. STAIGER: This is Maggie Staiger with NEI. To follow-up on the NIST discussion that we've had, for some of our smaller entities, such as universities, there has been some consideration of not receiving information in electronic format to avoid the new requirements within NIST. Has there been any discussion about purely using the physical kind of communication?

MR. CASEY: Devin Casey, ISOO. Yes, there's a lot of, I hesitate to call them fun solutions, but there's a lot of solutions to avoid coming up with another NIST 800-171 compliant environment. And then the physical sharing of information is one of them. There are requirements for how we send, and it's pretty simple for how you physically send information, receive it, and store it in the physical environment.

We also strongly encourage providing access, so things like portals, or remote access, VPNs. Using existing infrastructure and resources in gaining access to that through an agreement is an excellent way to, you know, to help out those smaller entities that don't want to or have trouble setting up their own smaller enclaves.

So you can bring them into the fold, whether it is, you know, simplifying by sending physical copy or letting them take physical copy home from accessing the environment. The remote portals and access are very good ways of distributing that information.

And then obviously, you know, printing off and taking home local physical copies is a viable alternative, because it does prevent the loss of that information on the Internet which is a lot of what we're going for.

MS. MENSAH: This is Tanya Mensah. Maggie, does that conclude your questions or presentation?

MS. STAIGER: Yes, it does.

MS. MENSAH: Okay.

MS. STAIGER: So we can open up questions.

MS. MENSAH: Okay, great. So at this time, I know we're nearing the end of the meeting, but we want to allow another opportunity for questions and comments, not only here in the room but on the phone. So I'll start here in the room. Are there any additional questions?

(No audible response.)

MS. MENSAH: Okay. At this time, for the operator, are there any additional questions or comments on the phone?

OPERATOR: We have one question. One moment.

MS. MENSAH: Thank you.

OPERATOR: Our first question is from Ryan. Your line is now open.

MR. LIGHTY: Hi, good afternoon. This is Ryan Lighty with Morgan Lewis. I just had a quick question about the concept of legacy information. And I was curious what the expectation might be around that.

For example, if information was shared before the CUI requirements become effective, and that information would be considered CUI after the effective date, is there any expectation that licensees would need to go back through and try to identify legacy information that would otherwise be CUI?

MS. MENSAH: This is Tanya Mensah. My understanding is that licensees do not have legacy information unless somehow we specified that in a written agreement, that you have to do something different but that you don't have, non-executive branch entities don't have legacy information. You just have information that you received prior to that agency's transition to CUI. And, Devin, I'll allow you to elaborate if there's any other ---

MR. CASEY: You said it about as well as I could, Devin Casey, ISOO. Non-federal entities have information that they receive pursuant to a previous or existing contract or an agreement.

And they must continue to protect it in accordance with the terms of that contract or agreement. They do not have to modify those protections unless the other party they entered into an agreement to opens up negotiation and modifies that agreement following whatever approved legal standards are required for that.

MS. MENSAH: Does that address your question?

MR. LIGHTY: Yes, thank you.

MS. MENSAH: Thank you. Are there any other questions or comments on the phone?

OPERATOR: I'm showing no further questions at this time.

MS. MENSAH: Okay. Well, we have come to the end of our allotted time. And on behalf of the NRC, we appreciate everyone's time and support this afternoon. I think it's been a very good discussion just for everybody's awareness.

This meeting, again, was transcribed by a court reporter. And so afterwards the transcript will be made public in ADAMS, and I will be preparing a meeting summary where it will be referenced. And so if you sent me your information by email to request a call-in number, if you let me know if you want to be notified when the meeting summary is available, I can make you aware of that by email as well once it's publicly available.

For those in the room, on your way out please feel free to take a public meeting feedback form at the table, and I'll ask you to complete the form. Again, you can mail that back in or you can scan it and PDF it back to me, however you prefer. My email address is on the public meeting notice.

I will ask John Moses if he has any final remarks before we conclude.

MR. MOSES: This is John Moses. Once again, I'd like to thank everyone for taking the time and the effort to get ready for and participate in this meeting. I know sometimes preparing for these meetings takes longer than the actual meeting.

I appreciate all of your insights, feedback, and recommendations.

I also want to thank Devin and his colleagues from the National Archives for joining us here and fielding a lot of challenging, thoughtful questions.

We will stay here for a bit longer if you didn't get an opportunity to ask your question. If something comes up later, please contact Tanya or me. We're interested in figuring out how we can implement this in the most effective and efficient way. We will succeed by ensuring a standard method to protect and share information in a way that doesn't cause an undue burden. Thank you.

MS. MENSAH: At this time, we will adjourn. Thank you again for your time. And have safe travels home. Thank you to the operator. We're going to hang up now.

(Whereupon, the above-entitled matter went off the record at 5:23 p.m.)
