ML20072H953

| Field | Value |
|---|---|
| Issue date | 03/05/2020 |
| From | Tanya Mensah, Governance & Enterprise Management Services Division |
| Contact | Tanya Mensah, 301-415-3610 |
| Shared Package | ML20062F082 |
| References | NRC-0841 |
| Download | ML20072H953 (92) |
Official Transcript of Proceedings
NUCLEAR REGULATORY COMMISSION

Title: Controlled Unclassified Information (CUI) Public Meeting
Docket Number: (n/a)
Location: Rockville, Maryland
Date: Thursday, March 5, 2020
Work Order No.: NRC-0841
Pages 1-91

NEAL R. GROSS AND CO., INC.
Court Reporters and Transcribers
1323 Rhode Island Avenue, N.W.
Washington, D.C. 20005
(202) 234-4433
UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
+ + + + +
PUBLIC MEETING ON CONTROLLED UNCLASSIFIED INFORMATION (CUI)
+ + + + +
THURSDAY, MARCH 5, 2020
+ + + + +
ROCKVILLE, MARYLAND
+ + + + +

The Commission met at the Nuclear Regulatory Commission, Three White Flint North, 11601 Landsdown Street, at 2:00 p.m., Tanya Mensah, Project Manager, presiding.

NRC STAFF:
TANYA MENSAH, CUI Project Manager
JAMES ADLER, Office of General Counsel
PAUL GOLDBERG, Office of Nuclear Material Safety and Safeguards
KATHY LYONS-BURKE, Senior Level Scientist
JOHN MOSES, CUI Senior Agency Official, Office of the Chief Information Officer

ALSO PRESENT:
DEVIN CASEY, Information Security Oversight Office, National Archives and Records Administration
PATRICK ASENDORF, Tennessee Valley Authority
DAVE GALLOT, Exelon
RYAN LIGHTY, Morgan Lewis
STEVE MEYER, STARS Alliance
MAGGIE STAIGER, NEI
C. GIBB VINSON, Illinois Emergency Management Agency

CONTENTS (page)
Opening Remarks and Introduction
  Tanya Mensah ... 4
  John Moses ... 6
  Maggie Staiger ... 11
NRC Implementation Plans ... 11
Questions/Opportunity for Comment ... 37
Industry Implementation Plans, NEI ... 70
Question & Comment Period ... 88
Closing Remarks, NRC ... 91
Adjourn ... 91
P-R-O-C-E-E-D-I-N-G-S
2:01 p.m.

MS. MENSAH: Good afternoon. This is Tanya Mensah with the Nuclear Regulatory Commission. We're going to start our meeting now. It's 2:00 p.m.

Just want to thank everybody for your time and for coming out to the meeting today. We'd like to welcome you to this public meeting for an important topic, to discuss the NRC's Controlled Unclassified Information Program, or CUI for short.

Our meeting is scheduled for two hours. Before we get started, I'd like to quickly just go over a few meeting logistics.

For those in the room, in regards to getting around the building, you have unrestricted access to the lobby, where you came in, and the restrooms, which are located in the lobby as well.

If we're asked to evacuate the building, please exit calmly and follow the direction of the NRC staff and security.

Sign-in sheets are by the entrance of the door, on the table with other meeting handouts.

Today's meeting is a Category 2 public meeting. The public is invited to participate in those meetings by discussing issues with the NRC, at designated points identified on the agenda.
The general agenda for this meeting is a slide presentation followed by focused Q&As. So please hold your questions until that part of the meeting.

For people in the room, we ask that you please mute or place your phone on vibrate. We have today with us a court reporter, Dylan, to transcribe the meeting.

To get a clean transcript, we need to have only one speaker at a time with no interruptions. When you want to speak during the time when we're opening it up for questions and answers, you'll need to raise your hand, and I'll bring you a handheld mic. And you'll need to state your name and affiliation for the record, even if you've spoken before.

Participants on the phone line will be participating through our external operator who will manage the bridge line.

The NRC meeting slides for this meeting and other references are included in the public meeting notice to facilitate your participation.

At this time I'd like to ask the Operator to please explain how callers should let you know they have a comment.
THE OPERATOR: Sure. If you'd like to make a comment or if you have a question, please press *1. Please remember to unmute your phone and record your name clearly when prompted.

If you'd like to withdraw that question or comment, you may press *2. Thank you.

MS. MENSAH: Thank you. In addition, for those on the phone, I'd appreciate it if you could email your name and contact information to me, Tanya Mensah, so that I can include your name in the meeting summary. My email address, which is tanya.mensah@nrc.gov, is located on the public meeting notice.

If at any time you can't hear, please let our Operator know and we'll do our best to address the problem.

When you make a comment, please start by giving us your name and your affiliation. And please speak clearly and with volume directly into your receiver.

Today we have with us John Moses, the NRC CUI Senior Agency Official from the NRC's Office of Chief Information Officer. At this time, I would like to turn the meeting over to John for a few opening remarks.
MR. MOSES: Good afternoon, everyone. On behalf of NRC I want to thank you all for taking the time to attend and join us in this session. We look forward to your insights, questions and concerns, so we can make sure that we implement CUI effectively and as efficiently as possible.

This is part of our ongoing dialogue with stakeholders. This is our second public meeting. We also have held other meetings with stakeholders in small and large sessions, whether in person or on the phone, and we're going to continue to engage you.

I'd like to share some background on CUI. The CUI program was established on November 4th, 2010 under Executive Order 13556. And the purpose of the CUI program is to standardize the way federal agencies handle unclassified information that requires protection, and to promote information sharing among federal agencies and stakeholders, including states, tribes, industry, academia, licensees and vendors.

The executive order also designates an executive agent, the National Archives and Records Administration. We have representatives from the executive agent here to join us in this meeting.

On September 14th in 2016 the National Archives and Records Administration promulgated a rulemaking, 32 CFR 2002, to implement the Controlled Unclassified Information Program.
The rule establishes a policy for designating, handling, controlling, and decontrolling Controlled Unclassified Information, or CUI. Specifically, the rule describes minimum protections for physical and electronic environments of CUI marking, sharing, and destruction.

Now, I'd like to share the NRC's approach to CUI. NRC's critical goal is to minimize the impact of the transition to CUI for the NRC and for our external stakeholders while ensuring compliance.

In many cases, the implementation of CUI offers several approaches to compliance. We would welcome your perspective on those different approaches.

For instance, entering into a sharing agreement could be implemented at an organizational level, such as a large company. Sharing agreements also could be put in place during transactions, every time information is exchanged.

In another instance, different formats of information, whether paper or electronic, require different methods of protection.
If you have any preferences on any of these or concerns, please share those with us at this session today, or thereafter. Your comments, questions, and recommendations would be particularly welcome.

The NRC CUI program is under development, and we're several years away from completing the implementation of CUI. We made a tremendous amount of progress, teasing out possible solutions to challenging or vexing issues that we're uncovering. We look forward to hearing from you and your perspectives on those challenges.

Our plan today is to highlight some of NRC's key implementation activities. In addition, we'd like to address some of the questions raised by industry and stakeholders during the July 25th meeting.

We hope to provide you with the status of where we are in terms of considering those issues and how NRC could benefit from further stakeholder perspectives as we continue to implement and proceed in the program.

In light of the fact that some of the aspects of the CUI program are still being developed, we may not be able to answer all of your questions at this time. However, please ask those questions. Don't shy away, we'd like to hear from you. We'll take notes and consider your views as we continue to implement CUI.
Our perspective is we want to understand what your concerns or questions or recommendations are because that's going to positively feed back into how we can implement the CUI Program in the most efficient and effective way.

Following this meeting, we will evaluate your comments, questions and recommendations. We'll also consider those points when we convene additional public meetings.

Before we begin, I'd just like to introduce some of our meeting participants. To my immediate left, for those of you on the phone who can't see him, is Mr. Devin Casey from the Information Security Oversight Office, ISOO, at the National Archives and Records Administration. ISOO is the organizational unit at the National Archives that serves as the executive agent for the CUI Program.

Mr. Casey has the lead to oversee federal agency implementation and we invited him as a guest to observe our meeting. Please join me in welcoming Devin and his other colleagues for attending the meeting.
(Applause.)

MR. MOSES: Before we proceed with our formal presentation, I'd like to welcome Maggie Staiger from the Nuclear Energy Institute for a few minutes to present some remarks. Maggie?

MS. STAIGER: Thank you, John. This is Maggie Staiger with NEI.

I just want to reach out and thank Tanya and the NRC for hosting us and allowing this continued conversation that we've been having. This has been very helpful with informing the industry on what we can expect going forward.

And again, NEI would like to thank NARA for its attendance and the recent release of the NDA. That's very helpful. We're looking forward to looking into it more. And we look forward to a good conversation. Thank you.

MR. MOSES: Thank you.

MS. MENSAH: Okay, this is Tanya Mensah. At this time, we're going to begin the NRC's formal presentation.

If you are on the phone, again, the public meeting presentation slides were available on the public meeting notice. You'll see two attachments, well, three actually. One's the meeting notice itself, then there is the public meeting presentation slides, and then there is also another handout, which is the draft NARA non-disclosure agreement.
Okay. So, as John pointed out, the purpose of today is to continue our discussions between the NRC Staff and Industry Representatives on issues related to the NRC's plans to implement a Controlled Unclassified Information Program.

Slide 3. Our agenda for today is that I will present and then we'll have, that will be followed by question and comments. And then we'll take a quick break.

And then NEI will then present. And then we'll just have a dialogue on the discussion topics of interest. And then we will conclude our meeting after having another period there for questions and comments.

Slide 4. So, John Moses provided a really good background of the CUI rule. As a refresher, the next four to five slides are a high-level overview of what we discussed during our first CUI public meeting, which was held on July 25th, 2019.

So what is CUI? CUI is an information security reform. It standardizes the way the federal government handles information that is not classified or restricted data but requires protection.
It replaces more than 100 different agency policies and associated markings with one shared CUI policy and standardized markings for federal executive branch agencies. And it directly applies to executive branch agencies that designate or handle CUI. And indirectly applies through written agreements or arrangements to non-executive branch recipients of CUI.

And so when we talk about non-executive branch recipients for the NRC, that normally means our licensees, agreement states, applicants, vendors. Those that we expect to share CUI with once we transition.

And there is a footnote offered on the page as well, on non-executive branch entities. Also may include elements of the legislative or judicial branches of the federal government, state, interstate, tribal or local government elements and private organizations.

They do not include foreign entities. Nor does it include individuals or organizations when they receive CUI pursuant to federal disclosure laws, including the Freedom of Information Act and the Privacy Act.
Slide 5. The CUI program addresses how executive branch agencies handle and share information for agency business purposes. It does not affect public rights to information under the Freedom of Information Act or the Privacy Act. And it does not require agencies to change their policies on public release of information to the general public.

Slide 6. Slide Number 6 summarizes the CUI rule requirements for agencies when sharing CUI. And we're going to discuss this further, but in summary it states that agencies are required to enter into written agreements or arrangements in which the recipient agrees to protect the information in accordance with the CUI rule.

The agreement can take any form. And if an agreement with a particular non-executive branch entity is not feasible, but the agency's mission requires it to disseminate CUI to that entity, the agency must strongly encourage the recipient to protect the CUI in accordance with the rule.

Slide 7. Slide 7 just reiterates some of the key messages that we discussed when we met in July of last year at our first public meeting.

In general, CUI includes only information that the government creates or possesses or that an entity creates or possesses on behalf of the government.
Non-executive branch entities only have to apply CUI controls to information received from the federal government pursuant to a written agreement or arrangement. The NRC has not yet determined the nature and type of these agreements or arrangements.

Once the NRC transitions to CUI, we will no longer be using official use only designations, if you're familiar with our, what we call our SUNSI program. And I'll talk about that in a minute.

But in general, the majority of sensitive unclassified information that's currently shared by the NRC with non-executive branch entities, as official use, would qualify as CUI and would be marked, said with CUI compliant markings.

The CUI rule doesn't replace or supersede other laws, regulations or government-wide policies, which may impose their own control requirements. One of the examples that NRC is most familiar with here is Part 73, which is for the physical protection of plants and materials, the controls for our safeguards information.

And non-executive branch entities will continue to comply with the markings that are specified in NRC regulations. So examples include 10 CFR 2.390, and of course Part 73.
If you're already familiar with these regulations you know that there are specific instructions in them for how you have to mark the document when you're submitting them. Those requirements are not changing. We're not pursuing a rulemaking to change those requirements.

Slide 8. We also talked about, in July, NIST Special Publication 800-171. This is a reference that is incorporated into the CUI rule by reference. And agencies must prescribe, at a minimum, the requirements of this standard when sharing electronic CUI with non-executive branch entities that are not operating an information system on behalf of the agency.

So, most non-executive agencies, I mean entities, you'd be using your own information system, which would be considered non-federal. Which is why the NIST 800-171 standard is there. That's what you would be required to follow so that we can share CUI with you.

As I was finalizing the meeting slides for this public meeting, I became aware that NIST 800-171 was recently revised. My understanding is that the changes are editorial, they're minimal. And so I just provided some bullets there in reference in case you're interested in looking at that in more detail.
Slide Number 9. So, in general, our transition goals for CUI at the NRC are that we're going to replace the NRC's current program, which we refer to as sensitive unclassified non-safeguards information.

Under that program we protect things like proprietary, security related, allegations, investigations and other things. Export controlled information as well.

It will also include SGI and SGI-modified handling because under CUI these are information types that are identified as what they refer to as CUI specified. So if you're not familiar with the two types of CUI, there are two subsets. One is CUI basic, the other is CUI specified.

And so all that basically refers to is that all CUI is, are information types that are based upon existing laws, regulations and government-wide policies.

And so, those policies or laws or regulations permit or require agencies to protect that information. And so, for CUI basic it may not provide details as far as how do you protect it, and so the default is 32 CFR, which is the CUI rule. So you protect CUI basic at the default.
For CUI specified, there is usually a law, regulation or government-wide policy that already requires specific controls in terms of how you handle it or how you disseminate it. And so, you apply the controls that are required through the law or regulation.

During our transition to the CUI program, all elements of our SUNSI program will remain in place. And if NRC employees or contractors receive CUI before the implementation of the CUI program at the agency, they'll follow the agency's current guidance to protect sensitive information.

Slide Number 10. So Slide Number 10 just outlines some of the key implementation tasks. This is a very simplified schedule. But we wanted to just highlight some of the key tasks that we are working towards.

In general, our timeline is that we expect the transition. We're planning the transition by December 2021. This is an estimate that is subject to change.
And the reason why it's subject to change is because there are different ways that you can meet the CUI rule requirements.

And so we are still evaluating at a working group level, within the NRC, the different options so that we can not only comply with the rule requirements but also so that we can minimize the impact of the transition on the NRC staff, as well as our NRC staff, NRC external stakeholders.

And so, as we learn more and as we work with NARA and we learn from other agencies, the potential exists for us to continue these evaluations so that we can continue to move towards the goal.

So that's why we're having these public discussions because we want to keep people aware of our current goal. But we also want to let you know that things can change, and we plan to communicate those changes as we become aware of them.

Some of the key tasks include, and these are all described in SECY-18-0035, which is publicly available. Some of the key tasks include the first, meaning publishing our CUI policy statement, proceeding with the CUI rulemaking.

And so, this is an administrative rule to align nomenclature. There are some references or some places in NRC regulations where we've identified references to SUNSI and sensitive unclassified information.
So we won't have a SUNSI program once we transition to CUI, so we're just adjusting that nomenclature so that we can remove it from the regulation. So it is anticipated to be an administrative rule.

We also have a management directive that's being revised. This will provide guidance to NRC staff and our contractors in terms of how to implement the CUI rule requirements.

We have, to develop CUI training for NRC staff and contractors, update our internal guidance and our office procedures. So it's like a trickle-down effect. So we're starting at the highest level.

But as you can imagine, we have a lot of internal documents that also reference our SUNSI program. So all of those will also eventually have to be updated.

And we also have the goal to establish written agreements, or arrangements, to then deploy CUI training for NRC staff and contractors and to inform the staff, as well as internal, external stakeholders of our milestones to transition to CUI.
And the link to all of these references are at the bottom of the slide in case you need to locate them.

Slide Number 11. This is just to show some of the forums that we participated in to raise awareness of CUI. Our public meeting that we referenced before. There is an ADAMS accession number as well for those if you want to take a look at the meeting summary from that.

A lot of the issues from that meeting were just continuing our discussion today, to talk about where we are in terms of our status.

We've also participated in the regulatory issue taskforce public meeting that NRR leads. Those are quarterly.

And then we recently participated in the monthly status call with the agreement states to provide them with an update on where we are with CUI. And also, to encourage them to participate in these forums so that we can also have their feedback.

And then of course there is our CUI public website for the NRC. It provides general information on the NRC's transition plans and informs NRC stakeholders of any public meetings. And also provides contact information for John Moses, who is the CUI senior agency official for the NRC.
Slide Number 12. So, before we go into this slide I just wanted to explain, for those who are not familiar, what the working group is.

Throughout our agency we have different program offices and regional offices, and so the working group has been in existence for some time. But there are representatives from the NRC program offices, including our regional offices, who participate.

We have meetings every other week to talk about some of the issues that we're going to go through today, in today's public meeting. But our goal is focused on implementing the CUI program in the NRC while minimizing burden where feasible, to our staff as well as to external stakeholders.

We also have, above that, a steering committee. So, the steering committee are typically deputy office directors. And also our deputy regional administrator.

And so, what we do is we bring issues before the steering committee and they weigh in on recommendations to help us develop the agency's policy for CUI.
So, some of the issues that were raised during our July public meeting are listed here. And most of them focus on written agreements or arrangements, how do we plan to share CUI, what type of documents do we plan to share.

Once you receive CUI from the NRC can you then share it with another third party? So we'll talk about that.

Will the non-executive branch entities be required to handle NRC documents that contain like your information as CUI. And also questions about NIST 800-171 and the NRC's inspection plans for that.

And so, the following slides are intended to convey the working group's progress. These are not NRC official positions.

We still have a lot of work to do but what we're trying to do is share what we are thinking as we are going through the process so that we receive the benefit of stakeholder feedback while we're developing it. We don't want to wait to get to the end and then say we're done without making sure that we've had these, this dialogue.

Slide Number 13. So, we talked about the requirements for written agreements or arrangements. The second bullet there I included a link to the CUI, NARA CUI policy and guidance.
And so, NARA issues guidance for agencies to help us implement the CUI program, and they're referred to as CUI notices. They are publicly available. You can go to that link and you can see all of the guidance and policy that NARA has issued for agencies to follow.

They also have a couple that the working group has concerned, or are concurrently considering. The first is CUI Notice 2018-01. This is guidance that NARA developed for drafting agreements with non-executive branch entities involving CUI. And also, there is a draft CUI notice that they are currently working on that is not finalized yet.

And so, for this meeting NARA was aware that we wanted to start facilitating some dialogue around what a written agreement might intentionally look like. And so they permitted us to make their draft publicly available for this meeting.

My understanding is that that draft will be finalized, or is expected to be finalized, towards the end of March, perhaps early April time frame. But when it is, it will be available on NARA's CUI notices on this website link. And so you can go there any time to check to see like, has it been published yet.
If you look at the other handout that I provided, that is the draft template that NARA proposed for agencies to use as an agreement to establish a non-disclosure agreement. So we'll talk a little bit about that when we're having our open discussion, but I just wanted to point everybody to that.

Hopefully you've had an opportunity to glance through it and think about the format and look at the actual language so that, one, we can receive some comments on it today. Or feedback.

Right now our path forward for establishing written agreements, or arrangements, is that the working group wants to review the final NDA once it is published so that we can consider it and make recommendations about its use to our steering committee here at the NRC.

We want to hold further discussions with NRC external stakeholders so that we can gain alignment on the format, template and timing of establishing agreements. And we also want to continue, plan to continue to coordinate with NARA and other agencies to focus on developing what we refer to as a standard multi-agency agreement with external parties.
And so what that means, that last bullet, is that we're aware that many of the NRC's external stakeholders, licensees, as being one example that you probably will be receiving CUI from multiple agencies.

And as a result of that, there was a recommendation during our July public meeting that it would be perhaps more efficient, less burdensome upon you, if you were able to sign one agreement that applied or covered multiple agencies that you interact with.

And so we're going to talk about that a little later, but that's something that we know would minimize the burden of having to sign written agreements with our stakeholders, so.

Page 14. In terms of sharing CUI with non-executive branch entities, there are several approaches that are under consideration by the working group.

The first was to develop some type of online NRC portal where a user could log in to the NRC portal and be able to view information that is disseminated in terms of CUI. And that would be so that the user doesn't actually have to take possession of the document. By that we mean that we don't have to send it to you, it's not on your systems, which would be considered non-federal assistance.
We received feedback at the last public meeting that being able to view only may not address everyone's needs and that there may, you may need to have an option to download the document. And so we can talk about that further, but we are aware of that feedback.
I think that our understanding is that if you have to take possession of it, if it's on your non-federal system, then that's when you have the requirements for 800-171 apply.
The other option, and you might have to pursue multiple approaches, but the other one was to incorporate a written agreement as terms and conditions that have to be accepted. Similar to like some type of click and sign.
So, before the recipient can access CUI documents that are disseminated, they have to check and acknowledge that, yes, I read the terms and conditions, I agree to them. And then they'd be able to access that system.
Some of the feedback that we've received so far, at the last public meeting was that that's a really good idea, but it would also help to have that standardized across the government where multiple agencies have similar approach. Because it may not really be of much benefit to you, as a recipient, if the NRC is the only one trying to alleviate that burden on you.
So our current path forward is that we are just continuing to explore different options for sharing CUI with non-executive branch entities. And we're looking for feedback on that if you have any thoughts about that today as well.
Slide 15. So this is just a table, just to show a high-level general path forward to establishing written agreements or arrangements.
What it shows, the first two items in the first two rows show things that we think we're currently trying to achieve, which is to identify NRC stakeholders. Make sure that we're reaching out to them and making everybody aware of CUI and of the requirement, in particular, for us to establish written agreements.
And so, trying to have more, enhance our awareness communication on this topic. And also to gather feedback.
Future steps show that we look to develop some type of general agreement. Based upon the stakeholder there may be a need, however, for us to consider other approaches. For specific or unique approaches that are most beneficial or efficient for specific stakeholders.
And so we do recognize that a general standard agreement may not work for everybody. And so, again, we're looking for comments and feedback on that.
The next step, once we have some type of agreement, is to share the agreement. And then there might be, again, some case-by-case edits that we need to make based on who that entity is. And then design the agreements prior to the NRC's CUI implementation date.
Slide 16. So these are just some examples of NRC documents that may transmit CUI. This is not an all-inclusive list, the wall of the NRC's documents.
But just some of the ones that the working group put together to start to think about, well, what type of, how can we bin these types of documents, what type of CUI do we expect to share, which ones are purely NRC generated documents that will be CUI that we will need to share, and which ones also might be documents that we're developing that but the input for those documents is based upon your information that you might provide to the NRC.
And so that leads us directly into Slide 17. The working group, so far, has identified two primary bins of information.
The first is that we could be providing you with a document that qualifies as CUI. But that document, and that document does not include any information that belongs to whoever we're disseminating it to, so the recipient.
And so examples of that would include NRC research reports, technical reports, security advisories, information assessment team advisories and so, for these reports we typically don't go out and ask, like for example, licensees to send us something or take information that's based upon what you're doing and what you have that you own. That you own.
And we're not sending that back to you.
So that's the first bin that we identified.
The second was that we are developing a document and we're transmitting to you. It qualifies as CUI but the majority of information in there is information that the NRC, that was provided by the recipient.
So, examples of that include safety evaluations, the request for additional information, inspection reports.
And so, for these, some of the things that we're trying to consider is if, we think there are these two primary bins, then how do we distinguish when we transmit the document to you, that this is purely NRC generated CUI. You're going to be required to protect it in accordance with the CUI rule, in accordance with your written agreement. Per the terms of your written agreement.
Or if this is, for example, a safety evaluation, and it's your information, when we send the document to you, or transmit it, it may still have the CUI markings on the document. But we might have to include a transmittal letter to explain that while the information was with the NRC, we were required to protect it and handle it as CUI. When we return it back to you, it's your information, you can do what you want with it.
But just to be able to clarify that, so you don't have to guess, so our inspectors don't have to guess when they're out there looking at documents.
And so, these are some of the thoughts we have discussed. And that we currently are pursuing.
So our current path forward is that, again, we want to have additional discussion on this in the public forum that we have now.
And then we also make sure that we haven't missed any type of other unique scenarios, other than these two general groupings that we've initially identified.
Slide 18. So this was a question that came up during the last public meeting. And we followed up with NARA, and so they gave us some clarification that we planned to share now.
So when you receive CUI from the NRC, or any agency, if you have to then share it with a third-party. Local emergency responders, law enforcement or other non-executive branch entities.
Do you, yourself, as the recipient, need to then create a written agreement with whoever you're going to share it with. And the answer was no, the requirement is for agencies to establish the written agreements.
Now, one of the, three of the things that NARA shared with us is that unless the NRC applies a limited dissemination marking to the document, or otherwise restricts dissemination in the written agreement, then the recipient would be able to share the CUI document with a third-party who has a lawful government purpose to that information.
The CUI markings must remain on the document, of course, when they're shared by the recipient and the third-party so that this third-party is aware of this CUI status and is aware of the need to protect the information in accordance with the CUI rule. And any other applicable laws, regulations or government-wide policies.
And that if the NRC applies a limited dissemination marking that restricts access only to the recipient. And that might be because there are certain laws that require us to do so, then the recipient would not be permitted to share the document with a third-party.
And so there are a list of NARA approved limited dissemination markings on their CUI registry.
The CUI registry is maintained by NARA. It's online, it's public.
It basically explains and shows what agencies are required to protect. This is the system that allows all the markings across the executive branch to be standardized.
And so, on that registry you can also see the limited dissemination markings that are approved for agency use.
Slide 19. And so another topic that was raised during our last public meeting that we agreed to continue to follow this and discuss this because we know that we're going to probably need to have some separate discussions. Public meetings where this is just the primary focus, as far as it being this 800-171.
But there were questions about, what is the NRC planning to do as far as inspections, are we required to inspect against the NIST 800-171 and what will that look like.
And so, at that time we shared that we had not started down the path of looking at those issues yet. We are now engaging with NARA, and we also are just starting that process.
And so, what we are aware of are the requirements. The agencies, as we talked about, must prescribe the requirements of 800-171, when we're sharing electronic CUI.
And then also, we know that agencies must use 800-171A, which is assessing security requirements for controlled unclassified information, so that we would use that to assess for compliance.
Our understanding is that, as contracts and written agreements are established and/or modified to reflect CUI requirements, that it would be appropriate for agencies to establish a reasonable deadline for non-executive branch entities to comply with NIST 800-171.
Our understanding is also that agencies have flexibility in determining the frequency of inspections for non-executive branch entities. And so NARA CUI Notice 2019-04, which is titled, Oversight of the Controlled Unclassified Information Program within Private Sector Entities, provides guidance to agencies.
And we're aware that agencies should be looking to perform some type of selective validation based on the type of CUI, the quantity or the mission related to the CUI that's handled by the non-executive branch entity.
And so as a path forward, this is a topic that our working group needs to further consider, and our steering committee as well. We plan to hold future topics on this discussion at a future time once we feel like we have information of a path forward that we can propose and discuss with the public and our stakeholders.
Okay, so in summary. Again, our plans are, in terms of the biggest impacts to our external stakeholders we'd like to make sure we're focusing on establishing a path forward on written agreements between the NRC and non-executive branch entities.
We want to continue to coordinate with NARA and other federal agencies as the NRC develops its CUI program.
And we want to continue to engage and seek feedback from NRC external stakeholders on a periodic basis on these topics.
So that concludes my presentation for now.
And what I'd like to do is, I think we're on schedule, we're going to, we'd like to have dialogue and then provide opportunities for questions and comments.
So I may not be the only one answering questions. So as you have questions, we'll figure out who the most appropriate individual is to respond.
At this time, let's have questions or comments first in the room. If you have a comment or a question I'm going to need you to raise your hand so we can get you the handheld mic. That way you can be recorded by the court reporter.
And then we're going to, I'm going to ask the Operator to please queue the lines for questions and comments so that we can go to the phones in a moment.
So, are there any questions here in the conference room?
MS. STAIGER: Yes, Tanya.
(Off record comments.)
MS. MENSAH: And you're also welcome to come to the podium as well.
(Off record comments.)
MS. STAIGER: Yes, thank you, Tanya. This is Maggie Staiger. Yes, this is Maggie Staiger with NEI.
Thank you, Tanya, for this presentation, this is very informative. We truly appreciate the efforts that the working group is putting in to answering our questions from this summer. There's a lot of good information in here.
I believe you indicated that the NRC is no longer going to be pursuing rulemaking for Part 73.
Do you anticipate any rulemaking changes that would impact the licensees or do you think the rulemaking that you'll be pursuing will solely impact the NRC based on nomenclature, as you mentioned?
MS. MENSAH: So, this is Tanya Mensah. At this time we don't see any impact on licensees. We are not, initially, if you look at the SECY-18-0035, I think there may have been some language in there that initially the staff thought that we might need to change requirements in Part 73 to require you, as a non-executive branch entity, to use CUI markings.
But if you go back to some of the definitions of CUI, meaning that is being your own information, there was a lot of talk internally about, well, it's your information, you're not required to mark your own information as CUI or handle your own information as CUI.
And so our decision was that you would leave the regulation intact. I mean, there could be, if there were future rulemaking changes to Part 73, it could be beyond Part 73, but whatever Part 73 is, it will remain that way. We're not envisioning that we're going to change it to align with CUI.
The burden would be on the staff, the NRC, when we are marking the documents to apply the appropriate markings.
MS. STAIGER: Thank you, Tanya.
MS. MENSAH: Okay. Are there any other comments or clarifications from the NRC on that?
MR. MOSES: I'll pass the mic.
MR. MEYER: Steve Meyer, STARS Alliance.
I just wanted to follow-up on that, Tanya. I don't have 73.21 right in front of me but I know it discusses the required markings or controls for safeguards information that a licensee receives.
Is there going to be any, if you don't revise, and I'm proposing you do, but if you don't revise Part 73, how is it going to be clarified that information we received from you, that's SGI, CUI specific SGI, that we're not in conflict by applying our controls from the same information?
Are we just going to keep it in the CUI bucket, you know, the program once we receive it from you?
MS. MENSAH: I think that's a question that the working group and steering committee are still trying to consider, what the appropriate way is for us to convey to you that this is your information and you're not required to handle your information as CUI. Even though we have to apply the CUI markings on it.
And one of the examples that I've heard that I thought was really good, this is through NARA, and so if Devin has additional comments he can weigh in, but the example that I've heard at their meetings are that, it was an example with the IRS.
So when you submit your tax information, you don't mark your documents with CUI labels and you're not following the CUI rule as your information.
So if you choose to make your financial information or your social security information, you can do what you want with that. You can make it public, you can put it on your door for everybody to see, it's up to you. But when the IRS receives it, they have the responsibility to mark the document as CUI and protect it accordingly. Now, they might have to send documents back to taxpayers.
And if they have CUI markings, my understanding is that the preference would be to leave the markings on the document but just to explain in the transmittal memo that the reason you see these markings is because while it was with the agency we were required to protect it as CUI. But this is your information.
And so we are looking at that. Just in terms of an analogy to see if a similar approach might be something that we can use.
Our concern is that we want to keep it as simple as possible because we feel like the more we go in and start trying to pull out information and to, that we can end up making this overly burdensome if we're not careful.
So, we're still considering that in looking at what other agencies might be doing.
Because if you're going to receive, if you're going to be receiving CUI from other agencies, there is a strong possibility that we'll have similar approaches.
We want to have a similar approach.
MR. MEYER: Thank you.
MR. GALLOT: Dave Gallot, Exelon. On Slide 18, Tanya, I didn't quite understand the answer regarding third-party sharing.
You answered the question on the slide no and then I think you said the agency has to establish the agreement. What I didn't understand there is, does that mean before a licensee shares something that's marked CUI with a third-party, the agency has to get in an agreement with that third-party?
MS. MENSAH: So, the way I think we're looking at this in terms of process is that we would have a written agreement established first with whoever we expect to share CUI with.
And then the terms of your written agreement would specify if there are any restrictions in terms of dissemination. Or either on that document you would see if, because the banner at the top for CUI would indicate if there were any limited dissemination.
MR. GALLOT: Okay.
MS. MENSAH: So if we, as an agency, said, well, we're not going to apply the limited dissemination markings so that you have that flexibility, which is what the working group is considering, then you would not be restricted in any way in terms of sharing with someone who has a lawful government purpose.
MR. GALLOT: Okay. And if it did have those restrictions then we'd have to go back to the NRC and have them establish a written non-disclosure with that third-party before we could share it?
MS. MENSAH: That might be a possibility.
MR. GALLOT: Okay.
MS. MENSAH: We haven't gotten that far yet.
MR. GALLOT: Okay.
MS. MENSAH: But there are some types of information, for example, that by law or regulation they have restrictions on how you can share it with.
So we have to apply the law as well.
So if we're dealing with an information type where you have to have the limited dissemination, then that would be on the document since we have to follow the law.
MR. GALLOT: Okay. Thank you.
MS. MENSAH: Okay.
MR. MEYER: Tanya, Steve Meyer, STARS Alliance. If I could follow-up to that question.
I think you know our, what we're looking for there is to continue to be able to share like OE from inspection reports, security lead in. And what's really going to be important is how broad that limited dissemination control is applied. Because we certainly want to be able to continue to share that with others.
And then I guess an element of this, if we do want to bring in a third-party, maybe not a permanent employee but somebody that would help us with maybe like a security, would treat that individual as an employee under our existing NDA?
MS. MENSAH: Well, I think those are good comments, and we can consider them. I don't know, Devin, if you are aware --
(Technical difficulties.)
MS. MENSAH: -- I'm not sure if you have any feedback on that from a federal-wide perspective, what other agencies might be. Do you want --
MR. CASEY: Yes, that's what it is.
(Technical difficulties.)
MS. MENSAH: Sorry, we're having some microphone issues right now.
(Off record comments.)
MR. CASEY: So this is Devin Casey, ISOO.
There is a lot of nuance in it and it really depends on the particular situation as to how information gets disseminated further upon, after its first dissemination.
And a lot of this is very similar in government contracting. And it really depends on what's in the contract and the lawful government purpose of that information.
And then obviously in this case, also what's in the description of your non-disclosure agreements as well. As to whether or not you can essentially bring other people on to access that information.
Generally, and the rest of the contracting environment, that information is limited by a lawful government purpose. Unless otherwise and specifically stated.
A lawful government purpose is quite simply a purpose that is not unlawful and is a government purpose. So, the contracting of someone to assist you with analyzing data that the government has given you for safety purposes could be a government purpose for that information to use it in its intended use. So it would not be restricted in dissemination based off of those facts.
Now, obviously if there is a limited dissemination control applied or a non-disclosure agreement where they would also have to sign the non-disclosure agreement, whatever that process is, that would have to be followed.
Obviously, frequently in the contracting background or contracting area there may be personnel security requirements in addition to the non-disclosure frequently accompany that type of access or work as well. So those are considerations as part of that.
So, I mean, contracts and agreements still have the force of contracts and agreements. You have to follow all the tenets in them. But CUI, in and of itself, doesn't inherently change too much of how that works. It functions off that lawful government purpose dissemination.
But we've actually found that that's been pretty valuable because many times contracts and agreements didn't actually explicitly state when you could share information. It really only said when you couldn't.
And there is an actual definition of, unless otherwise prohibited you can share in furtherance of a lawful government purpose. So hopefully that expressed statement, again, unless otherwise limited, is helpful.
MS. MENSAH: Okay. If there are no other comments or questions in the room, we can go to the phone. For the, Operator, do we have any questions or comments from those on the phone?
THE OPERATOR: We do not. But as a quick reminder, if you do or if you would like to ask a question or make a comment please *1.
MR. MOSES: Are there folks in the room?
THE OPERATOR: One moment for the first question.
MS. MENSAH: Okay, we're ready for questions.
THE OPERATOR: Patrick, your line is open.
MR. ASENDORF: Thank you. This is Patrick Asendorf from Tennessee Valley Authority.
My question goes back to the agency designation of the CUI. And it goes to Steve Meyer's follow-on to his question about safeguards information. And understanding that it's CUI specific.
So, the NRC provides information through guidance documents that may be safeguards information.
And they designate that information as CUI safeguard information, and then a licensee takes that information and incorporates that into their program documents. And then has to disseminate that information.
Would that information be considered still CUI, SGI specifically, CUI specific. Because, would NRC designate it or would that be considered the licensee's program document now?
MR. ADLER: This is James Adler from the General Counsel's Office at the NRC. If this is safeguards information that is not, it's just the NRC sent it to the licensee and the licensee is incorporating it into their own documents and their NRC marked it as SGI, then it's not the licensee's SGI that the licensee originally gave to the NRC, then I think it still would qualify as CUI even if it's incorporated into additional licensee documents.
But if it's SGI that the licensee gave to the NRC and then the NRC put it into a different document and sent it back to the licensee with CUI markings on it, then that would potentially, as has been discussed, come with a letter saying this is, we have to mark it as CUI but you don't have to --
(Technical difficulties.)
MR. ADLER: -- and then incorporate it then into another document --
(Technical difficulties.)
MR. ASENDORF: I'm sorry, the microphones there are not coming through.
MR. ADLER: Yes. Is this one --
MR. ASENDORF: I didn't hear the --
MR. ADLER: Can you hear now?
MR. ASENDORF: Yes.
MR. ADLER: Okay, I think this works. So --
MR. ASENDORF: So, I did hear up to the point where, if it were NRC's information that was sent to the licensee, it would still be considered CUI once incorporated into a licensee's document.
MR. ADLER: Right. If it's not the licensee's own SGI. If it is and the NRC sends it and it's marked CUI because the NRC had to, the NRC would hopefully convey to the licensee they don't have to treat it as CUI even though it's marked that way. And then that would carry through in any other documents the licensee incorporated it into.
MR. ASENDORF: Okay. So, I see that as a fine line of difference of the licensee's created document because there is information that we currently have in licensee's documents that was designated by the NRC. And I see that in the future as well as a potential.
So, I think we would have to work through how that information is marked and controlled under the CUI. From a licensee standpoint.
MS. STAIGER: This is Maggie Staiger with NEI. So just to add on to this conversation, you with the NRC are expecting that we would take that information and keep it in our current SUNSI or safeguards program, so you would not see the need to have the same document in two different locations being controlled as CUI, as well as within the existing program that the licensee would have set up currently, correct?
MR. ADLER: I'm not sure I quite understand the question. But this is, I mean, if SGI needs to be protected under 10 CFR, Part 73, SGI requirements, then it's CUI-specified. So that would make sense.
If it is also CUI because it's not, as we've sent the information to the licensee it's SGI, but it's also CUI, it's not their information, then there could be, you know, potentially some additional requirements that might apply.
Because if CUI specifies as the authority, say 10 CFR, Part 73, doesn't cover all aspects of controlling the information, then CUI basic requirements fill the gaps.
I don't think we've gotten to the point of knowing exactly what that might mean in the context of SGI, but at least in theory it could make a difference as to whether it's CUI from the licensee's perspective or not. Even though, in either case, it's still SGI and has to be protected under Part 73.
MR. ASENDORF: This is Pat Asendorf again with TVA. So I understand the protection requirements under safeguards information being maintained, it's just that if there is an additional marking that CUI, a different type of a banner than the current SGI marking that would be added to that, because it was information that was originally provided by the NRC, created by the NRC to the licensee.
And then just carrying that forward into a licensee's now documentary security plan, or a procedure that safeguards, but under the licensee's program it doesn't have a CUI banner, per se, my question would be would we have to carry that CUI banner forward into that licensee document because the NRC created information that is incorporated into it?
MR. MOSES: This is John Moses from the NRC. To clarify my understanding, are you referring to CUI information that you provided to the NRC or information NRC provided to you? Also, are you just referring to safeguards information or any CUI information?
MR. ASENDORF: Yes, I'm talking purely safeguards.
MR. MOSES: Okay, purely safeguards --
MR. ASENDORF: -- that the NRC created the safeguards information and disseminated that to licensees as guidance to be incorporated into a licensee's program --
MR. MOSES: Right. So NRC provided safeguards information to you?
(Simultaneous speaking.)
MR. MOSES: NRC provided CUI to you and labeled it as CUI?
MR. ASENDORF: No, the NRC provides the guidance to licensees.
MR. MOSES: Okay.
MR. ASENDORF: All right, licensees now take that CUI-specific that's SGI-specific. And then they incorporate that into their licensee document.
2 And then, so now they have NRC created CUI that's SGI 3 in their licensee document. And then they may have to 4 disseminate that back to the NRC or to somebody else, 5 another licensee, in sharing information.
6 So I'm just trying to understand that 7 nuance of, because it originated from the NRC, and not 8 it's in a licensee's document that they created, 9 there's a bunch of information in the licensee's 10 document that was licensee-created, but there's this 11 piece that came from the NRC that's incorporated in 12 there.
MR. CASEY: This is Devin Casey from ISOO. And while I can't speak specifically about licensing information, I can speak generally about CUI. CUI, when reused, derivatively used or reproduced, maintains its CUI designations and markings, regardless of the number of times it's reused derivatively.
That's why granularly marking CUI to the best extent possible is so valuable. Because understanding what is and is not CUI in a document can help you pull out the uncontrolled, unclassified information and widely distribute it more easily than just using a banner marking. But unless specifically marked in a CUI document, all of the information is supposed to be treated as CUI, regardless of how it's reused.
MR. ASENDORF: Okay, thank you. So I understand portion marking would probably be best for that situation --
MR. CASEY: Yes. There are many --
(Simultaneous speaking.)
MR. ASENDORF: -- that can be identified?
MR. CASEY: There are many situations where portion marking is very valuable or ensuring to separate the CUI and uncontrolled portions of a document in a way that's recognizable to the recipients.
MR. MOSES: So I just wanted to ask a clarifying question for NARA. Were you talking about co-mingling different types of CUI? So let's say, there's privacy information of your employees plus SGI that was provided to NRC, and we would control it.
It sounds like this circumstance is a question of hybrid labels because SGI has different requirements for protection and destruction compared to privacy information. And the question is, can I just put it back in the SGI, or would I do something different?
MR. CASEY: Devin Casey, ISOO. So if there are multiple types of CUIs classified, the requirements for both have to be followed. Again, if it's returning your own privacy information, then do with it as you will.
In general terms, if we take your stuff and put CUI on it and then give you your stuff back, it's still your stuff, and you can take those markings off. But if it is, you know, multiple types of CUI, all of the requirements for that CUI have to be followed in that document.
So if there's privacy information and SGI information, then the tenets of both policies have to be followed to the best extent possible. We haven't really come across any where they contradict. Because normally, one just increases the requirements of the other.
MR. MEYER: I didn't think I was going to need to ask this question, but I think I need to now. After the earlier, Steve Meyer, STARS Alliance, after the earlier discussion about the origination of CUI, I was seeing that no licensee would implement the CUI program controls for their information.
But an example that Pat Asendorf brought up seems to raise that as a possibility where, you know, you take this safeguards information, whatever, the CUI was created by the NRC, put it in your documents, and now you need to carry that forward.
So if a licensee, my question then is if a licensee chose to go ahead and apply the CUI program controls knowing that they may get into this, and it might be simpler, you know, instead of trying to run two programs in parallel, do you see any problem with the licensee going forward, you know, designating their information as CUI, and just controlling it that way for all the new stuff, and then leaving all the old stuff as legacy information, and using the old, you know, existing controls for SRI, SGI, et cetera?
So they would be calling their stuff CUI, and at the same time they'd be receiving it from you as CUI. I see problems with that, but I'd like perspective, based on this new scenario I don't think we considered before.
MR. CASEY: Devin Casey, ISOO, and this question has come up from businesses that do a lot of work with the Department of Defense and other entities. Because sometimes the company is more willing to kind of start diving into identifying the information now even ahead of their government partners.
We have always cautioned against marking anything CUI until it reaches that government nexus. So unless it's created by or for, or collected by or for the executive branch, we encourage not to use the CUI markings.
That doesn't mean that we don't want you to protect the information, and it doesn't mean that we don't want you to mark the information. We just encourage that you not mark it in the same way the government does just so that you can keep that understanding of, you know, what is yours and what is ours.
The big caveat there is at one point you'll probably have government CUI in your system. And if you have your information marked as CUI, you are going to be reporting incidents to the United States government for all of it if you can't separate it out.
Because there's incident cyber security reporting for CUI, and if you can't tell if it was yours or ours, then you're going to have to report it to us in ways that you might not have to otherwise. I don't know what SGI's reporting requirements are separately. It's just a situation that can arise with CUI.
OPERATOR: We do have another question on the phone line. Our next question comes from Gibb Vinson. Your line is open.
MR. VINSON: Thank you. Regarding the written agreements that we have for transmitting CUI, it seems like that could be hundreds if not thousands of documents for us in commercial licensees. That seems overly burdensome. Regarding the option for having a statement in your transmissions that you must treat it as CUI, is that considered to be a routine type option, or is that only to be used on limited cases?
MS. MENSAH: This is Tanya Mensah. The working group was considering, we're trying to consider what the best approach would be, what would be most efficient. But I think initially going in we were thinking it would be routine, not just on a case by case basis.
So that we would be able to, if it's your information, we'd be clearly stating that. So that when you receive NRC documents that have CUI markings, you would understand that the NRC was required to apply the marking, but you don't have to protect it as CUI, because it's your information.
So that was that transmittal letter that needs to be further fleshed out so that we can think about that further. But we weren't thinking of, like, that would be a routine transmittal.
MR. VINSON: Okay, that sounds great. Also, seems like I saw a record keeping element to this where we were supposed to document and track each transmission of CUI information. Is that correct?
MR. MOSES: We're not aware of that, and I'll let NARA respond.
MR. CASEY: Devin Casey, ISOO, that is not a general requirement for CUI. So I don't know what that would be.
MR. VINSON: Okay, thank you.
MR. CASEY: Yes. So I do work at the National Archives and Records Administration. I am not a records person though, I'm just a CUI guy. So I don't know the ins and outs of records requirements, but that's not part of the CUI program. I can say that.
MS. STAIGER: Tanya, this is Maggie Staiger with NEI. Just to point back to the transmission letter that the working group is considering, do you think that if this letter were to come through would the licensee be able to remove the markings of CUI to further help specify whether that information is the independent information to licensees versus the Government information to help differentiate that moving forward?
MS. MENSAH: So that kind of goes into, this is Tanya Mensah, goes into what Devin was talking about in terms of portion marking. So either being able to separate out, like, we're transmitting this to you, this portion is clearly CUI, you have to protect it, and the other stuff's your information.
So there would be two approaches. Either we're not marking it, the portion that is CUI, so that it would have no markings on it, but I think that the concern with that approach is that it would be difficult from a staff perspective, because we might have the whole document marked when it's in our possession. Now we have to go and create almost like a separate document with different markings.
And there were concerns about potential inadvertent release. So we still have to consider those issues like how we would parse it out. Are we going to do portion marking so that we can clarify further that this is the specific paragraph that's CUI, so then you would know? I think we would encourage that, but the working group just hasn't gotten there yet.
MR. CASEY: So this is Devin Casey. The sharing of controlled and classified information back to the holder who's not obligated to protect it is, it falls kind of in a gray area of our policy.
So it's not a disclosure related to a statute, in which case we generally remove the markings like FOIA. It's also not decontrol of that information, because we are not actually decontrolling it. We're still protecting it at the executive branch entity. But we're returning it to an entity that's not obligated to protect it.
And that's why it's kind of up to an agency's implementation and plan to determine whether or not they're going to strip markings off, or communicate that that information doesn't require protection, or if it's going to be left to an understanding of how the CUI policy works that the recipient doesn't have to protect CUI that is only marked CUI because it's their information. They've received it back.
So it's kind of up to a lot of interpretation and policy in how this working group solves it. There's a lot of flexibility in how they can go about that.
MR. MOSES: This is John Moses from the NRC. This is a suggestion or comment for Devin and our NARA colleagues. Would there be a way to show provenance in the markings that may essentially disambiguate some of these challenges?
There are concerns about the separation of cover sheets that designate the origination of the CUI. Let's say an external party sends privacy information to an agency with a cover sheet indicating the originator. The agency correctly marks and handles the privacy information as CUI. However, when the agency provides the privacy information marked as CUI back to the external party without a cover sheet indicating the originator of the information, the external party may incorrectly handle its own privacy information as CUI.
MR. CASEY: So Devin Casey, ISOO, again. So the only problem with a marker on a CUI document is the agency marker for who controls it. Because the requirement that any CUI that is controlled is identified by at least the agency that's controlled the information, so the designation indicator.
Outside of that, we do allow for markings on documents that aren't strictly security related.
So we have administrative controls that are allowed to be marked on documents, but we also encourage the continued use of things like paragraphs or other identifiers on a document that speak to the content or purpose of that document.
So frequently in the contracting realm, we're not going to create a new government marking for every contracting entity that does business with the government so that we can have the entity represented in the CUI marking. It would break information sharing at DoD alone, let alone the executive branch.
That doesn't mean that people who you share that CUI proprietary information with aren't putting on that document or ensuring that there's letterhead identifying the entity that's shared it with them.
So we do allow for that sort of the practice of, you know, entity letterhead, things of that nature, to remain on the document to give you an indicator you've just received your own information back.
Normally in the contracting world, that's ironed out through part of the contracting agreement of, you know, here's how you give it to us. And when we give it back to, here's how we'll do it, and here's what it looks like.
Obviously, this is a bit broader of an environment and therefore harder in some ways to handle which I think the value of a common agreement would be very valuable to understand how that process works, whether or not you should expect it to be marked and to do the work yourself of identifying if it was really yours, or whether or not that marking will be removed, or if there will be a notice supplied to the particular types of information that are yours being given back to you.
MR. MOSES: This is John Moses. So, an agency is permitted to use an administrative label, such as "provided to the NRC by X" to indicate the originator of CUI provided to the agency?
MR. CASEY: Yes. Whatever works for you.
MR. MOSES: Okay, thank you.
MR. CASEY: This is Devin Casey again. Because administrative labels do not add controls to the document. We do jealously guard our markings.
We don't want you to add controls to how a document is protected.
That doesn't come with a cyber security requirement. It doesn't change the destruction requirements. It doesn't make you put it in a GSA safe. So it's not infringing on our security marking.
Our only note would be don't put it in our banner, so it's not confused with the CUI banner or other CUI markings.
MR. MOSES: Thank you.
MS. MENSAH: This is Tanya Mensah. It's about 3:20. And I know we have another presentation. Are there any other questions or comments on the phone?
OPERATOR: Yes, we have a question from Jason. Your line is now open.
JASON: Hello, Tanya. Does the CUI only apply to Part 73?
MR. MOSES: This is John Moses. I'm not sure Tanya heard that. Was the question does CUI only apply to Part 73?
JASON: Correct, versus 437.
MR. MOSES: So I can answer that. CUI transcends all those parts, because it is impacting different kinds of information that are outside of or tangential to those parts.
MR. GOLDBERG: Jason, you referred to Part 37.
JASON: Okay.
MR. GOLDBERG: Hi, this is Paul Goldberg. CUI does not apply to Part 37. As John was saying, you know, in addition to Part 73, it does apply to a number of other categories of information, clearly ones that Tanya mentioned earlier, privacy, investigation, allegations, proprietary, export control, categories like that.
JASON: Thank you.
MS. MENSAH: Thank you. Are there any other questions on the phone?
OPERATOR: Our next question comes from Dwayne. Your line is now open.
DWAYNE: Yes. I was wondering can someone elaborate a little bit on paper versus electronic protection?
MR. CASEY: This is Devin Casey, ISOO. So the protection of physical CUI is essentially it must be stored in a controlled environment and behind a locking barrier. We don't go too much further in defining what that means. That's up to agency or entity policy so, you know, something like your physical security SOP or policy would define a controlled environment. Then, of course, a locking barrier is something that locks and provides evidence of tamper.
And then there's requirements for the physical destruction of paper documents in accordance with NIST 800-88 which is generally either a classified shredder or one meeting the standards of a classified shredder, a five millimeter, or a multi-step destruction process.
The electronic requirements for safeguarding CUI are a bit more complicated. If it's a federal information system, it has to be moderate confidentiality impact value. If it's a non-federal information system, it's supposed to be minimally NIST 800-171 compliant which defines moderate confidentiality for a non-federal information system.
DWAYNE: Okay, thank you very much.
MR. CASEY: And outside of a NIST 800-171 compliance system, it must be encrypted, that in accordance with FIPS encryption standards.
MS. MENSAH: Thank you. This is Tanya Mensah. Are there any other questions? I think we have time for a couple more. And then we'll go to Maggie for the NEI presentation.
OPERATOR: Our last question comes from Crystal Shaw. Your line is now open.
MS. SHAW: Hi, Tanya. It seems from the discussion that's taking place that we are being encouraged to maintain a completely separate program with the CUI with information that is submitted from the NRC. And what I mean when I say that is for information that's coming in, it'll be marked CUI. But it almost seems like we should not take that and tag that within our safeguards program.
If a licensee chose to do that, and the NRC inspected it, would there be any liabilities with that, because he did not have something marked safeguard in accordance with our program but were keeping it in accordance with the CUI?
MR. MOSES: So this is John Moses from the NRC. And I'll defer to other folks from NRC. If it is safeguards information, it needs to be handled according to those requirements. The handling requirements do not change because of CUI, although the labeling might be slightly different. Safeguards information still has to be handled as such.
CUI includes many types of information, in addition to safeguards. Just to be clear, CUI can be characterized as basic CUI or specified CUI. Safeguards is specified CUI with specific requirements for the different aspects of the life cycle: designation, marking, controlling, decontrolling and destruction.
That's a little different than other types of CUI. So they would have to be handled, if received and maintained, according to the CUI standards for basic. Hopefully that's instructive. Devin, James, or Tanya, do you want to comment?
MR. CASEY: Devin Casey, that's exactly right.
MS. SHAW: So that I do understand. I understand the difference, and I understand that there would be controls on something marked CUI specific. However, if we chose not to stamp it safeguard and follow our safeguard program as well, but maintain those controls with those markings, is that inappropriate?
MR. CASEY: This is Devin Casey. So is the question do safeguarding markings have to also be applied to CUI safeguarding information?
MR. MOSES: There's a type of information called safeguards information. The marking of safeguards information would have to be in accordance with the existing requirements for safeguards information. Perhaps, I'm not fully grasping what you're asking. It wouldn't change.
MS. LYONS-BURKE: This is Kathy Lyons-Burke from the NRC. The safeguards regulations require that that information be labeled in a very specific way.
MR. MEYER: This is Steve Meyer, STARS Alliance. I guess what I'm picturing this as, as a licensee, is that you get these CUI-specific safeguards. And I think what Crystal is asking is if the NRC inspected us, I think they would expect to find that in our safeguards control area, in a folder labeled CUI so that it's clearly evident that we followed safeguards, we control it that way, and it was sent by the relevant agency, NRC, as CUI. And we have an NDA that maintained it that way, and we'd have to keep it marked that way. So we'd have to meet both requirements. Isn't that what this comes down to?
MR. ADLER: Well, I think what you just described there was correct. Hopefully, that answers the question.
MR. CASEY: Devin Casey, ISOO. Yes, that does sound like the correct description of it. You're required to follow the tenets of the CUI program as required in the contractor agreement but also the existing statutory requirements for that information.
If there is a point where they do directly conflict, then please raise that to your regulatory bodies, or entities, or points of contact to have that policy updated or changed. And then we would, you know, we, or they, or whatever the entity is would issue a notice to address that in the interim.
MS. MENSAH: This is Tanya Mensah. Are there any additional questions on the phone?
OPERATOR: I'm showing no further questions at this time.
MS. MENSAH: Okay. Are there any additional clarifying questions in the room?
(No audible response.)
MS. MENSAH: Okay. So, Maggie, I'll turn it over to you so that you can jump right in to the NEI presentation if that's okay.
MS. STAIGER: Thank you, Tanya. Again, this is Maggie Staiger with NEI. I just wanted to thank Tanya and the NRC again for this great discussion. I think we were able to answer a lot of questions.
On behalf of NEI and the industry, I want to go over some quick highlights of where we see this year progressing. Again, NEI does not want to get ahead of themselves. We understand there's a lot of discoveries that are going on with the working group. And we appreciate that. But we wanted to share where we see this year's progress going for us.
So for instance, we issued an APC letter notifying our licensees of the upcoming CUI rule. We did that this January. So we've started the discussion and, again, we appreciate this public meeting so quick after.
We are currently in the process of evaluating the impacts of the rules, 32 CFR 2002, and the NIST requirements in doing a gap analysis. Right now, that's progressing. In some cases, we're getting some feedback that we expect. Licensees will need from a year to two years to adhere and fill the gaps that we're identifying with the NIST standard.
Now again, this isn't immediate from once we're identifying these gaps. It's going to rely on feedback that we receive from the NRC once the management directive is released as well as the policy statements.
And in addition to any other communications that we have with DoD, or DOE, and the other federal agencies that we share information with, right now we've had the most communication with the NRC. And we do thank you for that. We appreciate this openness and transparency that you've provided for this. But there is some concern regarding the progress that the industry received for these other agencies.
So those timelines continue to be pushed.
So we appreciate that the NRC is looking at making the CUI program active in December of 2021. And we understand that that's a rolling timeline. But we just want to stress to NARA that, for the industry to adhere to these new standards that are coming out, it will take time and perhaps funding, which means we have to get the budgetary estimates in for the upcoming years, which also shortens the timeline that we have to work with it.
Moving forward, in addition to that, this year we're looking at determining negotiations and any type of NDA agreements that we can work through. We appreciate NARA releasing that draft document, and we have started looking at it.
We're hopeful that we can utilize this agreement to take credit and perhaps reduce some of the scope that the NIST standard is going to require for electronic controls.
For instance, one example would be FS screen and using the NDA to accept that closed network systems, such as our PADS system that we are currently using, could be incorporated into this without adhering to some of the rigorous NIST standards so that you could take CUI information that would be provided from the NRC, for instance, Social Security numbers for incoming inspectors. We would have to take that information and input it into our current FS screen program.
While, yes, that information is considered CUI under the new rule, we want to be able to continue using the approved processes that we have without additional burden. So we'd be interested in looking into that opportunity with taking credit through the NDA.
Now that we have that available, we'll continue with communications. Again, once the management directive from the NRC is released, which we expect sometime this summer per your presentation, NEI is going to work on developing a change of management plan and a template. And we'll provide that to the NRC and the industry to help facilitate this change moving forward.
And then finally, towards the third quarter of this year, we would like to be wrapping up these NDA agreements. Of course, that will rely a lot on the input that we receive from the other federal agencies and the working groups. But we continue to value this close working relationship that we have. And we look forward to this continued effort for it.
In addition to some of the challenges that the licensees will experience, specifically with the NIST 800-171, we do acknowledge that there will be more public meetings addressing this in great detail. And we do look forward to that.
But just as some precursory discussions, we do have some concerns. We understand that, per the NARA presentation in February, the federal agencies are required to have an accredited NIST program. Is that accreditation intended to trickle down to the licensees, and if so to what point or to what extent?
MR. CASEY: This is Devin Casey, ISOO. So only one executive branch entity is looking at actually accrediting non-federal information systems. So that is a proposed DoD plan for CMMC which you can learn more about on DoD's website if you Google CMMC. That is DoD only entered as not a CUI element. CUI informs on the level of certification required to contract or enter into agreements with DoD.
For instance, if CUI is included in that exchange, that would be Level 3 to 5. But it's not an actual implementation of the CUI program. So accreditation of non-federal information systems is something the CUI program actually specifically avoided including. That's why NIST 800-171 systems are self-certified and then overseen by the executive branch as needed.
5 MS. STAIGER: Thank you, Devin. I 6 appreciate that. Looking more at a broader picture, 7 does the NRC and NARA have any interpretation on a 8 transition period that you would expect the licensees 9 to adhere to?
10 MR. CASEY: Devin Casey again, so DoD did 11 roll out, a couple of years ago now, DFARS 70-12. And 12 when they rolled out DFARS 70-12, it pushed the NIST 13 800-171 requirements on all of its contracting 14 entities that entered into a new contract with DoD 15 that year. And it required compliance immediately.
16 This is why they've been regarded as a quick mistake.
17 They then quickly adjusted how that would 18 would work and specifically stated that they had 12 19 months or close to that until the next beginning of 20 the new calendar year to become compliant with NIST 21 800-171.
Another note is that after that initial push NIST 800-171, Revision 1, which we're now on Revision 2, came out. And what it did was explicitly include the requirement to have a fully created system security plan.
And part of that system security plan includes a plan of action, also frequently referred to as a plan of action and milestones, that outlines how currently unimplemented controls are planned to be implemented.
And NIST 800-171 actually says, as long as you have a system security plan and a plan of action, you are compliant unless the government requires you to not have a plan of action. So unless they come in and specifically say that you must be done, then you can have a plan of action.
So that actually helps kind of alleviate a lot of those initial concerns that a lot of those DoD entities had. And it built an idea of implementation plan into 171 itself. So if someone were to require a 171, really you have, you know, should give them a grace period to get their ducks in a row and have an SSP and POAM. But after that, that can be acceptable.
One key note is, you know, POAM should be reasonable. And once you have a POAM and you certify with the government that you're going to stay 800-171 compliant, you are kind of held to the timelines of that POAM now to an external entity, not just internally, which may surprise some CIO offices across the United States.
Having external deadlines is very different from internal goals. So that is a consideration there that significant deviation from that POAM should actually be communicated back to the entities to which you have contracts or agreements certifying your compliance.
MR. MEYER: Steve Meyer, STARS Alliance, and talking about the example that you mentioned, it was at 12 months following DoD's requirement that the contractors had to implement that?
MR. CASEY: Devin Casey, ISOO, yes. Yes, it was 12 months after. So there were, because of the number of contracts, it was included. And it wasn't 12 months after the issuance of a new contract. DoD just set a single date and says it's approximately 12 months from now. So what they said was it was essentially, it gave them until the end of that calendar year. So I think it ended up being 11 months or something.
MR. MEYER: Okay, good to know. And I think that that's very important for the power reactor licensees. Because as Maggie explained, you know, we're following along and managing our leads as the NRC is moving ahead and implementing. But there's things that we need to do.
And as we get into it, it's kind of like NRC has discovered more, and it keeps growing. And the thing that I notice is they're, you know, it's really not clear what NARA's expectation was for after the agencies implement how long, you know, their customers or their stakeholders have to implement. So I think that's something we need to work towards on our end.
The other thing, Devin, is that I think what makes it somewhat more difficult, at least on our end on the power reactor licensees and working with the NRC, is that it doesn't seem like we're hearing the same level of push, I think Maggie spoke to this, from the other agencies.
So when we get to the corporate, you know, the 800-171 assessments and changes that they needed are obviously not just nuclear, it's corporate level.
You know, when we start talking to corporations, you know, it's almost as if they haven't heard it from the other executive agency counterparts. Can you help and shed some light as to what's going on there?
MR. CASEY: Yes, Devin Casey, ISOO, again.
It hasn't spread much beyond DoD yet, because DoD is the only one to put it into existing contracts and agreements. Actually, I think a couple of their agencies have. I believe NASA has already included the requirements occasionally.
Most agencies and entities are waiting for our FAR case to come out. So we are coming out with a CUI FAR case. It will standardize the application of the CUI requirements and the non-federal entities through contracts that are subject to FAR requirements.
That will include the NIST 800-171 in it.
And, you know, the executive branch will add it to the extent that most entities in the executive branch that spend money are required to comply with the FAR, and many that aren't required voluntarily do. So there'll be a rather large shift at that moment.
Other entities have looked at it, and the Department of Education has looked at how colleges and academia will be applying this to 800-171 standards for information that is collected on their behalf as well. So it's trickling out there.
As far as the defense industrial base goes, it is very much out there. But the rest of the civilian infrastructure, it hasn't really trickled down to there yet, unless there's been a defense tie-in.
MR. MEYER: And are they, CUI industry day I thought that the entire, you know, all agency implementation date was 9/30 of '21. So are they working to that date or a different date then?
MR. CASEY: So we'll be publishing something shortly that speaks to agency implementation. We've done it twice in the past about agency timelines. We are looking at a new document that'll come out and discuss, you know, where we think agencies, you know, start giving them firmer deadlines for implementation. But they do have quite a lot of flexibility currently.
I can say in the next 12 to 18 months a lot of work and changes will start to be communicated outside of the executive branch, because that's after policies get published.
We do limited coordination as we're working on policies with stakeholders and experts who can inform on the creation of the policy. But we don't, you know, do quite the same amount of work with the drafts as we do once it's finally out and we start, you know, really talking about what the requirements are to all of our entities and getting them ready for it. So there will be a significant change in the next years.
MS. MENSAH: And, Maggie, just to follow up on your question, this is Tanya Mensah, so as the NRC working group, we will be looking through these interactions that we're having to get recommendations regarding the amount of time and resources it would take for a specific stakeholder to transition.
One of the things we recognize is that we have different stakeholders with different resources and schedules. And so we have operating reactors, but we also have, like, universities for non-power. So we're looking to get some feedback on the sense of what that timetable might look like. It might be different for different stakeholders. We just don't know yet.
Another thing I think that has come up, at least at a working group level, is we're trying to understand, and maybe, Devin, you can address this as well, are you seeing that agencies are preparing to transition to CUI, that their goal is, once they transition, then they're going to give the non-executive branch entities another 12 months to complete their transition?
Or is this something that's being done in parallel so that, by the time the agency says, okay, now we're implementing CUI, that their entities that they're planning to share CUI with have already transitioned?
MR. CASEY: Devin Casey, ISOO. We've kind of seen it all. And some agencies have, you know, chunked different aspects of the program into different phases of development. So obviously, DoD pushed the cyber security requirements out before they'd even published CUI policy. So they reference NIST 800-171 right off the bat.
Other entities have looked at doing things similar with their 171 requirements. At the same time, other agencies have sat and said, you know, we're not going to start pushing these requirements out to industry until we're ready to do a good job marking and identifying that information in a way that supports that effort.
As far as timelines for implementation after that, that's something that our FAR, when our FAR comes out, one of the last phases of determining implementation for it and what those timelines look like, one note is if a non-federal entity, you know, figured out how their system is currently configured and goes to the work of identifying how they're going to budget to bring it into NIST 800-171 compliance, well, in order to do that you have to have a system security plan and a plan of action.
So at that point, you're already minimally compliant with the 171 program. So while you might be two years of your POAM, you're already meeting the requirements as far as the minimal requirements for 171 compliance or concern. So that usually addresses a lot of the concerns right there. And it's part of the reason we made that change to the 171.
Because we do understand, we don't expect you to implement multi-factor authentication at a non-federal entity in six months. That's a two-year plan generally, you know, a year of planning and a year of implementations.
MR. MOSES: This is John Moses from the NRC. Devin, could you comment on the external deadlines in terms of plan of action and milestones of POAMs?
MR. CASEY: Yes. So, and this is especially pertinent in the contracting realm. One of the things that we started to see with industry's happiness of having the ability to create a plan of action and milestones, is the same thing that we see on any plan of actions and milestones. The dates come and go, and the actions don't get implemented.
So at the point where you've entered into an agreement certifying compliance with NIST 800-171, and part of that compliance is your plan of action, that tacitly means that you've agreed to meet those deadlines that are in your plan of action.
So there's a requirement or understanding that you will do your best to meet the plan of action and milestones as outlined to implement those unimplemented controls for 171. You can't enter into an agreement with the United States, but in multi-factor authentication we'll get this done sometime and never meet it.
That doesn't meet the requirements for a plan of action, and it's not something that, again, the goal is to have all systems that process CUI be fully compliant with 171 and to have plans of action only be there for, you know, we're adding a new system, we're expanding to the Cloud, and we have mitigating actions in place that they'll still be used but not for a long-term postponement of implementing controls.
MR. MOSES: If I could focus the discussion. If contracting entities are handling CUI on behalf of the federal government, they have to comply with CUI requirements. But for stakeholders, is NARA looking at inspection requirements? My understanding of the government's enforcement mechanism for stakeholders is for the government to cease sharing CUI information. Devin, please clarify if I'm incorrect.
MR. CASEY: We leave that oversight to the entity that has the contractor agreement, so we won't step in and do that. We will evaluate entities' oversight of their non-federal entities, agencies' oversight of non-federal entities. But we do that, you know, based off of risk acceptance.
So we understand that, you know, you may set your own, like for instance, you could come up with, you know, have a plan of actions and milestones, but we do expect all existing entities to be fully compliant within five years.
That's something that you could communicate out. So, you know, DoD has put out contracts where they're not too concerned about how compliant with 171 you are as long as you're trying. And they've put out others that require full compliance on day one.
MR. MOSES: And those are contracts, not agreements?
MR. CASEY: Yes, those are contracts. And again, they're based off of the quality and quantity of CUI. So that is left up to the entity entering into that agreement to set those additional deadlines.
MR. MOSES: So the emphasis essentially is a risk-based decision?
MR. CASEY: Very much so.
MR. MOSES: Thank you.
MS. STAIGER: This is Maggie Staiger with NEI. To follow up on the NIST discussion that we've had, for some of our smaller entities, such as universities, there has been some consideration of not receiving information in electronic format to avoid the new requirements within NIST. Has there been any discussion about purely using the physical kind of communication?
MR. CASEY: Devin Casey, ISOO. Yes, there's a lot of, I hesitate to call them fun solutions, but there's a lot of solutions to avoid coming up with another NIST 800-171 compliant environment.
And then the physical sharing of information is one of them. There are requirements for how we send, and it's pretty simple for how you physically send information, receive it, and store it in the physical environment.
We also strongly encourage providing access, so things like portals, or remote access, VPNs. Using existing infrastructure and resources in gaining access to that through an agreement is an excellent way to, you know, to help out those smaller entities that don't want to or have trouble setting up their own smaller enclaves.
So you can bring them into the fold, whether it is, you know, simplifying by sending physical copy or letting them take physical copy home from accessing the environment. The remote portals and access are very good ways of distributing that information.
And then obviously, you know, printing off and taking home local physical copies is a viable alternative, because it does prevent the loss of that information on the Internet, which is a lot of what we're going for.
MS. MENSAH: This is Tanya Mensah.
Maggie, does that conclude your questions or presentation?
MS. STAIGER: Yes, it does.
MS. MENSAH: Okay.
MS. STAIGER: So we can open up questions.
MS. MENSAH: Okay, great. So at this time, I know we're nearing the end of the meeting, but we want to allow another opportunity for questions and comments, not only here in the room but on the phone.
So I'll start here in the room. Are there any additional questions?
(No audible response.)
MS. MENSAH: Okay. At this time, for the operator, are there any additional questions or comments on the phone?
OPERATOR: We have one question. One moment.
MS. MENSAH: Thank you.
OPERATOR: Our first question is from Ryan. Your line is now open.
MR. LIGHTY: Hi, good afternoon. This is Ryan Lighty with Morgan Lewis. I just had a quick question about the concept of legacy information. And I was curious what the expectation might be around that.
For example, if information was shared before the CUI requirements become effective, and that information would be considered CUI after the effective date, is there any expectation that licensees would need to go back through and try to identify legacy information that would otherwise be CUI?
MS. MENSAH: This is Tanya Mensah. My understanding is that licensees do not have legacy information unless somehow we specified that in a written agreement, that you have to do something different but that you don't have, non-executive branch entities don't have legacy information. You just have information that you received prior to that agency's transition to CUI. And, Devin, I'll allow you to elaborate if there's any other ---
MR. CASEY: You said it about as well as I could, Devin Casey, ISOO. Non-federal entities have information that they receive pursuant to a previous or existing contract or an agreement.
And they must continue to protect it in accordance with the terms of that contract or agreement. They do not have to modify those protections unless the other party they entered into an agreement to opens up negotiation and modifies that agreement following whatever approved legal standards are required for that.
MS. MENSAH: Does that address your question?
MR. LIGHTY: Yes, thank you.
MS. MENSAH: Thank you. Are there any other questions or comments on the phone?
OPERATOR: I'm showing no further questions at this time.
MS. MENSAH: Okay. Well, we have come to the end of our allotted time. And on behalf of the NRC, we appreciate everyone's time and support this afternoon. I think it's been a very good discussion just for everybody's awareness.
This meeting, again, was transcribed by a court reporter. And so afterwards the transcript will be made public in ADAMS, and I will be preparing a meeting summary where it will be referenced. And so if you sent me your information by email to request a call-in number, if you let me know if you want to be notified when the meeting summary is available, I can make you aware of that by email as well once it's publicly available.
For those in the room, on your way out please feel free to take a public meeting feedback form at the table, and I'll ask you to complete the form. Again, you can mail that back in or you can scan it and PDF it back to me, however you prefer. My email address is on the public meeting notice.
I will ask John Moses if he has any final remarks before we conclude.
MR. MOSES: This is John Moses. Once again, I'd like to thank everyone for taking the time and the effort to get ready for and participate in this meeting. I know sometimes preparing for these meetings takes longer than the actual meeting.
I appreciate all of your insights, feedback, and recommendations.
I also want to thank Devin and his colleagues from the National Archives for joining us here and fielding a lot of challenging, thoughtful questions.
We will stay here for a bit longer if you didn't get an opportunity to ask your question. If something comes up later, please contact Tanya or me. We're interested in figuring out how we can implement this in the most effective and efficient way. We will succeed by ensuring a standard method to protect and share information in a way that doesn't cause an undue burden. Thank you.
MS. MENSAH: At this time, we will adjourn. Thank you again for your time. And have safe travels home. Thank you to the operator. We're going to hang up now.
(Whereupon, the above-entitled matter went off the record at 5:23 p.m.)