ML20288A425

| Person / Time | |
|---|---|
| Issue date: | 10/26/2017 |
| From: | NRC/OCIO |
| To: | |
| Shared Package: | ML20288A411 |
| References: | FOIA, NRC-2018-000096 |
Text
From: McAndrew, Sara
Sent: Monday, June 06, 2016 1:28 PM
To: Gagnon, Ronald
Subject: RE: Draft SUNSI responses
Follow Up Flag: Follow up
Flag Status: Flagged

Ron,

Thank you for your quick turn around.

(b)(5)

Sara

Sara McAndrew
Senior Attorney
301-287-0976
OWFN15A66

From: Gagnon, Ronald
Sent: Monday, June 06, 2016 12:31 PM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>; Brown, Frederick
<Frederick.Brown@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>;
Rheaume, Cynthia <Cynthia.Rheaume@nrc.gov>
Subject: RE: Draft SUNSI responses

Sara,

Thank you for the quick response...

(b)(5)

Ron

Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: McAndrew, Sara
Sent: Monday, June 06, 2016 11:50 AM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>; Brown, Frederick <Frederick.Brown@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>
Subject: RE: Draft SUNSI responses

Thanks for your help,

Sara

Sara McAndrew
Senior Attorney
301-287-0976
OWFN15A66

From: Gagnon, Ronald
Sent: Monday, June 06, 2016 11:10 AM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>
Subject: RE: SUNSI responses

Good morning Sara,

Thank you,

Ron

Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: Gagnon, Ronald
Sent: Tuesday, May 31, 2016 7:29 AM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Subject: RE: SUNSI responses

Good morning Sara,

Let me know if you have a few minutes to meet when you get in today.

Thank you,

Ron

Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: McAndrew, Sara
Sent: Wednesday, May 25, 2016 4:25 PM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Subject: SUNSI responses

Thank you.

Sara

Sara McAndrew
Senior Attorney
301-287-0976
OWFN15A66

From: Correia, Richard
Sent: Thursday, June 09, 2016 12:44 PM
To: Gagnon, Ronald
Cc: McAndrew, Sara; Janney, Margie; Le, Hong; Rheaume, Cynthia
Subject: RE: Draft SUNSI responses
Follow Up Flag: Follow up
Flag Status: Flagged

Many thanks Ron. Appreciate your great support.

Best

Rich

Richard P. Correia, P.E.
Director, Division of Risk Analysis
Office of Nuclear Regulatory Research
U.S. NRC

From: Gagnon, Ronald
Sent: Wednesday, June 08, 2016 9:02 AM
To: Correia, Richard <Richard.Correia@nrc.gov>
Cc: McAndrew, Sara <Sara.McAndrew@nrc.gov>; Janney, Margie <Margie.Janney@nrc.gov>; Le, Hong
<Hong.Le@nrc.gov>; Rheaume, Cynthia <Cynthia.Rheaume@nrc.gov>
Subject: RE: Draft SUNSI responses

Good morning Rich.

I agree that the information will be a good resource for NRC employees. I'll forward your proposal to the OCIO leadership team for their input/action. Please copy me with your response to the employee.

Thank you for your assistance.

Ron

Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: Correia, Richard
Sent: Wednesday, June 08, 2016 8:48 AM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Subject: FW: Draft SUNSI responses

attorney client privileged information
attorney work product

Good morning Ron,

(b)(5)

Best

Rich

Richard P. Correia, P.E.
Director, Division of Risk Analysis
Office of Nuclear Regulatory Research
U.S. NRC

From: McAndrew, Sara
Sent: Monday, June 06, 2016 1:31 PM
To: Correia, Richard <Richard.Correia@nrc.gov>
Cc: Weber, Michael <Michael.Weber@nrc.gov>
Subject: FW: Draft SUNSI responses

attorney client privileged information
attorney work product

Sara

Sara McAndrew
Senior Attorney
301-287-0976
OWFN15A66

From: Gagnon, Ronald
Sent: Monday, June 06, 2016 12:31 PM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>; Brown, Frederick
<Frederick.Brown@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>;
Rheaume, Cynthia <Cynthia.Rheaume@nrc.gov>
Subject: RE: Draft SUNSI responses

Sara,

Thank you for the quick response.

(b)(5)

Ron

Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: McAndrew, Sara
Sent: Monday, June 06, 2016 11:50 AM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>; Brown, Frederick
<Frederick.Brown@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>
Subject: RE: Draft SUNSI responses

(b)(5)

Thanks for your help,

Sara

Sara McAndrew
Senior Attorney
301-287-0976
OWFN15A66

From: Gagnon, Ronald
Sent: Monday, June 06, 2016 11:10 AM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>
Subject: RE: SUNSI responses

Good morning Sara,

Thank you,

Ron

Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: Gagnon, Ronald
Sent: Tuesday, May 31, 2016 7:29 AM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Subject: RE: SUNSI responses

Good morning Sara,

Let me know if you have a few minutes to meet when you get in today.

Thank you,

Ron

Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: McAndrew, Sara
Sent: Wednesday, May 25, 2016 4:25 PM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Subject: SUNSI responses

Ron,

(b)(5)

Thank you.

Sara

Sara McAndrew
Senior Attorney
301-287-0976
OWFN15A66

From: Weber, Michael
Sent: Monday, June 06, 2016 3:48 PM
To: Gagnon, Ronald
Subject: RESPONSE - Draft SUNSI responses

Thanks, Ron

From: Gagnon, Ronald
Sent: Monday, June 06, 2016 12:31 PM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>; Brown, Frederick
<Frederick.Brown@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>;
Rheaume, Cynthia <Cynthia.Rheaume@nrc.gov>
Subject: RE: Draft SUNSI responses

Sara,

Thank you for the quick response...

(b)(5)

Ron

Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: McAndrew, Sara
Sent: Monday, June 06, 2016 11:50 AM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>; Brown, Frederick <Frederick.Brown@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>
Subject: RE: Draft SUNSI responses

Thanks for your help,

Sara

Sara McAndrew
Senior Attorney
301-287-0976
OWFN15A66

From: Gagnon, Ronald
Sent: Monday, June 06, 2016 11:10 AM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>
Subject: RE: SUNSI responses

Good morning Sara,

(b)(5)

Thank you,

Ron

Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: Gagnon, Ronald
Sent: Tuesday, May 31, 2016 7:29 AM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Subject: RE: SUNSI responses

Good morning Sara,

Let me know if you have a few minutes to meet when you get in today.

Thank you,

Ron

Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: McAndrew, Sara
Sent: Wednesday, May 25, 2016 4:25 PM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>

Sara

Sara McAndrew
Senior Attorney
301-287-0976
OWFN15A66

From: McAndrew, Sara
Sent: Monday, June 06, 2016 11:50 AM
To: Gagnon, Ronald
Cc: Janney, Margie; Weber, Michael; Brown, Frederick; Correia, Richard
Subject: RE: Draft SUNSI responses
Attachments: SUNSI answers sent to 000 June 6.docx

The 2-page draft attachment has been withheld in full on the basis of FOIA exemption 5.

attorney client privileged information
attorney work product

Ron,

Thanks for your help,

Sara

Sara McAndrew
Senior Attorney
301-287-0976
OWFN15A66

From: Gagnon, Ronald
Sent: Monday, June 06, 2016 11:10 AM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>
Subject: RE: SUNSI responses

Good morning Sara,

Thank you,

Ron

Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: Gagnon, Ronald
Sent: Tuesday, May 31, 2016 7:29 AM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Subject: RE: SUNSI responses

Good morning Sara,

Let me know if you have a few minutes to meet when you get in today.

Thank you,

Ron

Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: McAndrew, Sara
Sent: Wednesday, May 25, 2016 4:25 PM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Subject: SUNSI responses

(b)(5)

Thank you.

Sara

Sara McAndrew
Senior Attorney
301-287-0976
OWFN15A66

From: Rheaume, Cynthia
Sent: Friday, May 27, 2016 12:42 PM
To: Le, Hong; Gagnon, Ronald
Cc: Janney, Margie; Flanagan, James
Subject: RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
Follow Up Flag: Follow up
Flag Status: Flagged

All - no need to coordinate with the IG, as clarified by Jim this AM. He would like for OGC to handle all further communications.

From: Flanagan, James
Sent: Friday, May 27, 2016 11:39 AM
To: Rheaume, Cynthia; Le, Hong; Gagnon, Ronald
Cc: Janney, Margie
Subject: RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI

Yes, please discuss with OGC and have them frame a response. This email exchange is likely to get argumentative and it is not something that we wish to continue to engage in. Before we send anything back to this individual please connect with Fred so that he can review

Thank you,

James P. Flanagan
Deputy, Chief Information Officer
Office of the Chief Information Officer
United States Nuclear Regulatory Commission
One White Flint North
11555 Rockville Pike, Mail Stop O-6E7A
Rockville, MD 20852-2738
Telephone 301-415-8700

From: Rheaume, Cynthia
Sent: Friday, May 27, 2016 11:17 AM
To: Le, Hong <Hong.Le@nrc.gov>; Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: Flanagan, James <James.Flanagan@nrc.gov>; Janney, Margie <Margie.Janney@nrc.gov>
Subject: RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI

Jim - I thought I heard you say you also wanted us to coordinate with the IG, correct?

From: Le, Hong
Sent: Friday, May 27, 2016 10:10 AM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: Rheaume, Cynthia <Cynthia.Rheaume@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Janney, Margie <Margie.Janney@nrc.gov>
Subject: Re: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI

Ron - please do not respond. We need to consult with Fred/Jim and/or OGC.

On: 27 May 2016 10:04, "Criscione, Lawrence" <Lawrence.Criscione@nrc.gov> wrote:

Ron,

Regarding your answer to Question 1, I still do not understand if bargaining unit personnel are allowed to discuss SUNSI with any colleague whose opinion they so choose to seek. It would be most helpful if, when answering question 1, you begin your answer with a "Yes" or a "No".

Regarding your answer to Question 2, neither your answer nor the Yellow Announcement you refer me to contain any information that would allow me to determine which colleagues cannot know of SUNSI nuclear safety concern. Please explain to me how I am to determine which colleagues cannot know of SUNSI nuclear safety concern.

Regarding your answer to Question 3, are you stating that employees must go through the Office of Congressional Affairs prior to providing information to Congress and cannot directly provide information to Congress on their own? If not, please clearly state.

Regarding your answer to Question 4, with whom in OCA and OGC should I address my questions?

My questions are straight forward questions and I would appreciate straight forward answers. If you are not comfortable answering my questions in a clear and concise manner, that should tell you something about our policies.

Thank you,

Larry

From: Gagnon, Ronald
Sent: Wednesday, May 25, 2016 3:23 PM
To: Criscione, Lawrence <Lawrence.Criscione@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>; Chen, Yen-Ming <Yen-Ming.Chen@nrc.gov>; Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>
Subject: Who Determines Need-To-Know for OUO?

Mr. Criscione:
You inquired regarding the following:
1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
4. If so, who makes that determination?

Question 1: Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?

Reply: NRC SUNSI Policy clearly states that... "except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business." See below:

NRC Policy For Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information section 0(2) - Need to know access
See: http://www.internal.nrc.gov/sunsi/pdf/SUNSI-Policy-Procedures.pdf

Need-To-Know Access
A security clearance is not required for access to SUNSI. However, except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business.

Question 2: If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?

Reply: The NRC recently published a yellow announcement addressing this issue. See https://drupal.nrc.gov/announcements/yellow/policy/23578
Yellow Announcement YA 16-0052 defines "Need to Know" in the context of sensitive unclassified information.
See below:

Need-to-Know
1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.

Question 3: Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?

Reply: The NRC's Office of Congressional Affairs (OCA) (see MD 9.13) is tasked with communicating with Congress on behalf of the NRC. The office is responsible for administering the agency's Congressional Affairs Program, and for providing advice and assistance to the Chairman, the Commission, and the NRC staff on all NRC relations with the Congress. Specifically, the office-
- Provides the Chairman, the Commission, the Executive Director for Operations (EDO), and the NRC staff with advice and counsel concerning relations with Congress; keeps NRC currently and fully informed on the views of Congress toward NRC policies, plans, and activities; and pursuant to Section 303 of the Atomic Energy Act of 1954, as amended, keeps Congress currently and fully informed of NRC's policies, plans, and activities. Coordinates all official contacts for the Chairman, the Commission, the EDO, and the NRC staff with members of Congress, their committees, and their staffs.
- Serves as the liaison with the NRC oversight committees, other congressional committees, as appropriate, and individual members of Congress with respect to matters of interest and concern to NRC.
- Serves as the contact point for all NRC communications, written and oral, with the Congress; routinely receives copies of all correspondence from members of Congress and congressional committees except for those of a personal nature and those addressed to the Office of the Inspector General; provides for the prompt acknowledgment of this correspondence, as appropriate; reviews and concurs in all NRC responses and other outgoing communications to members of Congress and congressional committees, with the exception of matters within the cognizance of the Inspector General, and coordinates all financial information with the Deputy Chief Financial Officer/Controller before release.
- Transmits routine communications to Congress, including notifications of proposed rulemakings, new and revised regulatory guides, announcements of regulatory actions, studies, reports, public documents, and other items of a routine nature; prepares direct responses to routine congressional requests and inquiries, when appropriate and with the concurrence of the EDO.
- Coordinates internal NRC activities that bear directly on NRC relations with Congress including, but not limited to, all hearings and attendance before the Congress by all NRC personnel, drafting testimony, editing hearing transcripts, and preparing supplemental materials, correspondence, and announcements.
- Transmits classified documents to Congress in accordance with NRC security directives and procedures and congressional regulations regarding the transmission of classified material. Transmits documents that are not publicly available (unclassified) with a special cover letter.
- Monitors all legislative proposals, bills, congressional hearings, debates, and other activities of potential interest and concern to NRC and advises the Chairman, the Commission, and the NRC staff, as appropriate.
- Participates in planning and developing NRC's legislative program in close cooperation with the Office of the General Counsel (OGC), coordinates with OGC concerning responses to legislation submitted to the NRC for comment, and coordinates legislative liaison in financial management activities with the Chief Financial Officer or the Deputy Chief Financial Officer/Controller, as appropriate.
- Represents the Commission, as appropriate, in conferences and meetings with members of Congress and their staffs and arranges for appearances for NRC representatives before congressional committees.
- Coordinates internal NRC activities and arrangements for visits, tours, notifications, presentations, briefings, and other activities with individual members of Congress or congressional committees and their staffs to inform them more fully of the role and activities of NRC and significant events. Develops and establishes records, policies, and procedures necessary for the effective conduct of NRC relations with Congress, and provides for monitoring the status and timeliness of NRC's responses to congressional correspondence.
- Performs any other functions assigned by the Chairman.

Question 4: If so, who makes that determination?

Reply: See the Office of Congressional Affairs and Office of General Counsel regarding communications with Congress.

Please let me know if you have additional questions or concerns.

Ronald E. Gagnon
SUNSI / CUI Program Manager
Office of the Chief Information Officer
IT/IM Policy Branch
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: Flanagan, James
Sent: Friday, May 27, 2016 11:42 AM
To: Rheaume, Cynthia; Le, Hong; Gagnon, Ronald
Cc: Janney, Margie
Subject: RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
Attachments: RE: FYI - Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
Follow Up Flag: Follow up
Flag Status: Flagged

Also, the OGC point of contact is attached. Please mark all "Attorney Client Privilege" from this point forward.

Regards,

James P. Flanagan
Deputy, Chief Information Officer
Office of the Chief Information Officer
United States Nuclear Regulatory Commission
One White Flint North
11555 Rockville Pike, Mail Stop O-6E7A
Rockville, MD 20852-2738
Telephone 301-415-8700
James.Flanagan@nrc.gov

From: Flanagan, James
Sent: Friday, May 27, 2016 11:39 AM
To: Rheaume, Cynthia; Le, Hong; Gagnon, Ronald
Cc: Janney, Margie
Subject: RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI

Yes, please discuss with OGC and have them frame a response. This email exchange is likely to get argumentative and it is not something that we wish to continue to engage in. Before we send anything back to this individual please connect with Fred so that he can review

Thank you,

James P. Flanagan
Deputy, Chief Information Officer
Office of the Chief Information Officer
United States Nuclear Regulatory Commission
One White Flint North
11555 Rockville Pike, Mail Stop O-6E7A
Rockville, MD 20852-2738
Telephone 301-415-8700

From: Rheaume, Cynthia
Sent: Friday, May 27, 2016 11:17 AM
To: Le, Hong; Gagnon, Ronald
Cc: Flanagan, James; Janney, Margie
Subject: RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI

Jim - I thought I heard you say you also wanted us to coordinate with the IG, correct?

From: Le, Hong
Sent: Friday, May 27, 2016 10:10 AM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: Rheaume, Cynthia <Cynthia.Rheaume@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Janney, Margie <Margie.Janney@nrc.gov>
Subject: Re: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI

Ron - please do not respond. We need to consult with Fred/Jim and/or OGC.

On: 27 May 2016 10:04, "Criscione, Lawrence" <Lawrence.

Ron,

Regarding your answer to Question 1, I still do not understand if bargaining unit personnel are allowed to discuss SUNSI with any colleague whose opinion they so choose to seek. It would be most helpful if, when answering question 1, you begin your answer with a "Yes" or a "No".

Regarding your answer to Question 2, neither your answer nor the Yellow Announcement you refer me to contain any information that would allow me to determine which colleagues cannot know of SUNSI nuclear safety concern. Please explain to me how I am to determine which colleagues cannot know of SUNSI nuclear safety concern.

Regarding your answer to Question 3, are you stating that employees must go through the Office of Congressional Affairs prior to providing information to Congress and cannot directly provide information to Congress on their own? If not, please clearly state.

Regarding your answer to Question 4, with whom in OCA and OGC should I address my questions?

My questions are straight forward questions and I would appreciate straight forward answers. If you are not comfortable answering my questions in a clear and concise manner, that should tell you something about our policies.

Thank you,

Larry

From: Gagnon, Ronald
Sent: Wednesday, May 25, 2016 3:23 PM
To: Criscione, Lawrence <Lawrence.Criscione@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>; Chen, Yen-Ming <Yen-Ming.Chen@nrc.gov>; Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>
Subject: Who Determines Need-To-Know for OUO?

Mr. Criscione:
You inquired regarding the following:
1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
4. If so, who makes that determination?

Question 1: Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?

Reply: NRC SUNSI Policy clearly states that... "except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business." See below:

NRC Policy For Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information section 0(2) - Need to know access
See: http://www.internal.nrc.gov/sunsi/pdf/SUNSI-Policy-Procedures.pdf

Need-To-Know Access
A security clearance is not required for access to SUNSI. However, except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business.

Question 2: If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?

Reply: The NRC recently published a yellow announcement addressing this issue. See https://drupal.nrc.gov/announcements/yellow/policy/23578
Yellow Announcement YA 16-0052 defines "Need to Know" in the context of sensitive unclassified information.
See below:

Need-to-Know
1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.

Question 3: Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
Reply: The NRC's Office of Congressional Affairs (OCA) (see MD 9.13) is tasked with communicating with Congress on behalf of the NRC. The office is responsible for administering the agency's Congressional Affairs Program, and for providing advice and assistance to the Chairman, the Commission, and the NRC staff on all NRC relations with the Congress. Specifically, the office-
- Provides the Chairman, the Commission, the Executive Director for Operations (EDO), and the NRC staff with advice and counsel concerning relations with Congress; keeps NRC currently and fully informed on the views of Congress toward NRC policies, plans, and activities; and pursuant to Section 303 of the Atomic Energy Act of 1954, as amended, keeps Congress currently and fully informed of NRC's policies, plans, and activities. Coordinates all official contacts for the Chairman, the Commission, the EDO, and the NRC staff with members of Congress, their committees, and their staffs.
- Serves as the liaison with the NRC oversight committees, other congressional committees, as appropriate, and individual members of Congress with respect to matters of interest and concern to NRC.
- Serves as the contact point for all NRC communications, written and oral, with the Congress; routinely receives copies of all correspondence from members of Congress and congressional committees except for those of a personal nature and those addressed to the Office of the Inspector General; provides for the prompt acknowledgment of this correspondence, as appropriate; reviews and concurs in all NRC responses and other outgoing communications to members of Congress and congressional committees, with the exception of matters within the cognizance of the Inspector General, and coordinates all financial information with the Deputy Chief Financial Officer/Controller before release.
- Transmits routine communications to Congress, including notifications of proposed rulemakings, new and revised regulatory guides, announcements of regulatory actions, studies, reports, public documents, and other items of a routine nature; prepares direct responses to routine congressional requests and inquiries, when appropriate and with the concurrence of the EDO.
- Coordinates internal NRC activities that bear directly on NRC relations with Congress including, but not limited to, all hearings and attendance before the Congress by all NRC personnel, drafting testimony, editing hearing transcripts, and preparing supplemental materials, correspondence, and announcements.
- Transmits classified documents to Congress in accordance with NRC security directives and procedures and congressional regulations regarding the transmission of classified material. Transmits documents that are not publicly available (unclassified) with a special cover letter.
- Monitors all legislative proposals, bills, congressional hearings, debates, and other activities of potential interest and concern to NRC and advises the Chairman, the Commission, and the NRC staff, as appropriate.
- Participates in planning and developing NRC's legislative program in close cooperation with the Office of the General Counsel (OGC), coordinates with OGC concerning responses to legislation submitted to the NRC for comment, and coordinates legislative liaison in financial management activities with the Chief Financial Officer or the Deputy Chief Financial Officer/Controller, as appropriate.
- Represents the Commission, as appropriate, in conferences and meetings with members of Congress and their staffs and arranges for appearances for NRC representatives before congressional committees.
- Coordinates internal NRC activities and arrangements for visits, tours, notifications, presentations, briefings, and other activities with individual members of Congress or congressional committees and their staffs to inform them more fully of the role and activities of NRC and significant events. Develops and establishes records, policies, and procedures necessary for the effective conduct of NRC relations with Congress, and provides for monitoring the status and timeliness of NRC's responses to congressional correspondence.
- Performs any other functions assigned by the Chairman.
Question 4: If so, who makes that determination?
Reply: See the Office of Congressional Affairs and Office of General Council regarding communications with Congress.
Please let me know if you have additional questions or concerns.
Ronald E. Gagnon SUNSI / CUI Program Manager Office of the Chief Information Officer IT/IM Policy Branch United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873
From: McAndrew, Sara
Sent: Friday, May 27, 2016 10:41 AM
To: Flanagan, James
Cc: Gagnon, Ronald; Maxin, Mar~ Weber, Michael; Correia, Richard; Thaggard, Mark
Subject: RE: FYI - Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
Attorney client privilege
Thanks, Jim. (b)(5), (b)(6)
(b)(5)
Sara McAndrew Senior Attorney 301-287-0976 OWFN15A66
From: Flanagan, James
Sent: Friday, May 27, 2016 10:15 AM
To: Weber, Michael <Michael.Weber@nrc.gov>; Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: McAndrew, Sara <Sara.McAndrew@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Thaggard, Mark <Mark.Thaggard@nrc.gov>; Brown, Frederick <Frederick.Brown@nrc.gov>; Janney, Margie
<Margie.Janney@nrc.gov>
Subject: RE: FYI - Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
- Mike, Thank you, Hong Le, his manager had provided similar guidance. We will not be responding until OGC provides further insight.
Thank you, James P. Flanagan Deputy, Chief Information Officer Office of the Chief Information Officer United States Nuclear Regulatory Commission One White Flint North 11555 Rockville Pike, Mail Stop O-6E7 A Rockville, MD 20852-2738 Telephone 301-415-8700 James.Flanagan@nrc.gov
From: Weber, Michael
Sent: Friday, May 27, 2016 10:14 AM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: McAndrew, Sara <Sara.McAndrew@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Thaggard, Mark <Mark.Thaggard@nrc.gov>; Brown, Frederick <Frederick.Brown@nrc.gov>; Flanagan, James
<James.Flanagan@nrc.gov>; Janney, Margie <Margie.Janney@nrc.gov>
Subject: FYI - Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
Good morning, Ron. Before you consider responding, suggest that you touch base with Sara McAndrew in OGC. Sara has been assisting us on questions like these from Larry
Thanks
From: Criscione, Lawrence
Sent: Friday, May 27, 2016 10:05 AM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>; Chen, Yen-Ming <Yen-Ming.Chen@nrc.gov>; Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard
<Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>;
Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>; Weber, Michael
<Michael.Weber@nrc.gov>
Subject: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
- Ron, Regarding your answer to Question 1, I still do not understand if bargaining unit personnel are allowed to discuss SUNSI with any colleague whose opinion they so choose to seek. It would be most helpful if, when answering question 1, you begin your answer with a "Yes" or a "No".
Regarding your answer to Question 2, neither your answer nor the Yellow Announcement you refer me to contain any information that would allow me to determine which colleagues cannot know of SUNSI nuclear safety concern. Please explain to me how I am to determine which colleagues cannot know of SUNSI nuclear safety concern.
Regarding your answer to Question 3, are you stating that employees must go through the Office of Congressional Affairs prior to providing information to Congress and cannot directly provide information to Congress on their own? If not, please clearly state.
Regarding your answer to Question 4, with whom in OCA and OGC should I address my questions?
My questions are straight forward questions and I would appreciate straight forward answers. If you are not comfortable answering my questions in a clear and concise manner, that should tell you something about our policies.
Thank you, Larry
From: Gagnon, Ronald
Sent: Wednesday, May 25, 2016 3:23 PM
To: Criscione, Lawrence <Lawrence.Criscione@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>; Chen, Yen-Ming <Yen-Ming.Chen@nrc.gov>; Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard
<Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>;
Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>; Weber, Michael
<Michael.Weber@nrc.gov>
Subject: Who Determines Need-To-Know for OUO?
Mr. Criscione:
You inquired regarding the following:
- 1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
- 2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
- 3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
- 4. If so, who makes that determination?
Question 1: Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
Reply: NRC SUNSI Policy clearly states that... "except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business." See below:
NRC Policy For Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information section 0(2) - Need to know access
See: http://www.internal.nrc.gov/sunsi/pdf/SUNSI-Policy-Procedures.pdf
Need-To-Know Access
A security clearance is not required for access to SUNSI. However, except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business.
Question 2: If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
Reply: The NRC recently published a yellow announcement addressing this issue. See https://drupal.nrc.gov/announcements/yellow/policy/23578 Yellow Announcement YA 16-0052 defines "Need to Know" in the context of sensitive unclassified information. See Below:
Need-to-Know
- 1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
- 2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.
Question 3: Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
Reply: The NRC's Office of Congressional Affairs (OCA) (see MD 9.13) is tasked with communicating with Congress on behalf of the NRC. The office is responsible for administering the agency's Congressional Affairs Program, and for providing advice and assistance to the Chairman, the Commission, and the NRC staff on all NRC relations with the Congress. Specifically, the office-
- Provides the Chairman, the Commission, the Executive Director for Operations (EDO), and the NRC staff with advice and counsel concerning relations with Congress; keeps NRC currently and fully informed on the views of Congress toward NRC policies, plans, and activities; and pursuant to Section 303 of the Atomic Energy Act of 1954, as amended, keeps Congress currently and fully informed of NRC's policies, plans, and activities. Coordinates all official contacts for the Chairman, the Commission, the EDO, and the NRC staff with members of Congress, their committees, and their staffs.
- Serves as the liaison with the NRC oversight committees, other congressional committees, as appropriate, and individual members of Congress with respect to matters of interest and concern to NRC.
- Serves as the contact point for all NRC communications, written and oral, with the Congress; routinely receives copies of all correspondence from members of Congress and congressional committees except for those of a personal nature and those addressed to the Office of the Inspector General; provides for the prompt acknowledgment of this correspondence, as appropriate; reviews and concurs in all NRC responses and other outgoing communications to members of Congress and congressional committees, with the exception of matters within the cognizance of the Inspector General, and coordinates all financial information with the Deputy Chief Financial Officer/Controller before release.
- Transmits routine communications to Congress, including notifications of proposed rulemakings, new and revised regulatory guides, announcements of regulatory actions, studies, reports, public documents, and other items of a routine nature; prepares direct responses to routine congressional requests and inquiries, when appropriate and with the concurrence of the EDO.
- Coordinates internal NRC activities that bear directly on NRC relations with Congress including, but not limited to, all hearings and attendance before the Congress by all NRC personnel, drafting testimony, editing hearing transcripts, and preparing supplemental materials, correspondence, and announcements.
- Transmits classified documents to Congress in accordance with NRC security directives and procedures and congressional regulations regarding the transmission of classified material. Transmits documents that are not publicly available (unclassified) with a special cover letter.
- Monitors all legislative proposals, bills, congressional hearings, debates, and other activities of potential interest and concern to NRC and advises the Chairman, the Commission, and the NRC staff, as appropriate.
- Participates in planning and developing NRC's legislative program in close cooperation with the Office of the General Counsel (OGC), coordinates with OGC concerning responses to legislation submitted to the NRC for comment, and coordinates legislative liaison in financial management activities with the Chief Financial Officer or the Deputy Chief Financial Officer/Controller, as appropriate.
- Represents the Commission, as appropriate, in conferences and meetings with members of Congress and their staffs and arranges for appearances for NRC representatives before congressional committees.
- Coordinates internal NRC activities and arrangements for visits, tours, notifications, presentations, briefings, and other activities with individual members of Congress or congressional committees and their staffs to inform them more fully of the role and activities of NRC and significant events. Develops and establishes records, policies, and procedures necessary for the effective conduct of NRC relations with Congress, and provides for monitoring the status and timeliness of NRC's responses to congressional correspondence.
- Performs any other functions assigned by the Chairman.
Question 4: If so, who makes that determination?
Reply: See the Office of Congressional Affairs and Office of General Council regarding communications with Congress.
Please let me know if you have additional questions or concerns.
Ronald E. Gagnon SUNSI / CUI Program Manager Office of the Chief Information Officer IT/IM Policy Branch United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873
From: Flanagan, James
Sent: Friday, May 27, 2016 10:24 AM
To: Gagnon, Ronald
Cc: Janney, Margie; Rheaume, Cynthia; Le, Hong; Chen, Yen-Ming; Brown, Frederick
Subject: RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
Attachments: FYI - Who Determines Need-To-Know for OUO?
Follow Up Flag: Follow up
Flag Status: Flagged
- Team, Attached is additional material to support your OGC review. This was provided by Mike Weber from an email to Cynthia Carpenter
- Regards, James P. Flanagan Deputy, Chief Information Officer Office of the Chief Information Officer United States Nuclear Regulatory Commission One White Flint North 11555 Rockville Pike, Mail Stop O-6E7 A Rockville, MD 20852-2738 Telephone 301-415-8700 James.Flanagan@nrc.gov
From: Flanagan, James
Sent: Friday, May 27, 2016 10:07 AM
To: Gagnon, Ronald
Cc: Janney, Margie; Rheaume, Cynthia; Le, Hong; Chen, Yen-Ming; Brown, Frederick
Subject: RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
- Ron, Please seek guidance from OGC and OCHCO related to any response. This is just getting argumentative and placing your factual response in a difficult position.
- Regards, James P. Flanagan Deputy, Chief Information Officer Office of the Chief Information Officer United States Nuclear Regulatory Commission One White Flint North 11555 Rockville Pike, Mail Stop O-6E7 A Rockville, MD 20852-2738 Telephone 301-415-8700 James.Flanagan@nrc.gov
From: Criscione, Lawrence
Sent: Friday, May 27, 2016 10:05 AM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>; Chen, Yen-Ming <Yen-Ming.Chen@nrc.gov>; Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>
Subject: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
- Ron, Regarding your answer to Question 1, I still do not understand if bargaining unit personnel are allowed to discuss SUNSI with any colleague whose opinion they so choose to seek. It would be most helpful if, when answering question 1, you begin your answer with a "Yes" or a "No".
Regarding your answer to Question 2, neither your answer nor the Yellow Announcement you refer me to contain any information that would allow me to determine which colleagues cannot know of SUNSI nuclear safety concern. Please explain to me how I am to determine which colleagues cannot know of SUNSI nuclear safety concern.
Regarding your answer to Question 3, are you stating that employees must go through the Office of Congressional Affairs prior to providing information to Congress and cannot directly provide information to Congress on their own? If not, please clearly state.
Regarding your answer to Question 4, with whom in OCA and OGC should I address my questions?
My questions are straight forward questions and I would appreciate straight forward answers. If you are not comfortable answering my questions in a clear and concise manner, that should tell you something about our policies.
Thank you, Larry
From: Gagnon, Ronald
Sent: Wednesday, May 25, 2016 3:23 PM
To: Criscione, Lawrence <Lawrence.Criscione@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>; Chen, Yen-Ming <Yen-Ming.Chen@nrc.gov>; Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>
Subject: Who Determines Need-To-Know for OUO?
Mr. Criscione:
You inquired regarding the following:
- 1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
- 2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
- 3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
- 4. If so, who makes that determination?
Question 1: Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
Reply: NRC SUNSI Policy clearly states that... "except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business." See below:
NRC Policy For Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information section 0(2) - Need to know access
See: http://www.internal.nrc.gov/sunsi/pdf/SUNSI-Policy-Procedures.pdf
Need-To-Know Access
A security clearance is not required for access to SUNSI. However, except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business.
Question 2: If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
Reply: The NRC recently published a yellow announcement addressing this issue. See https://drupal.nrc.gov/announcements/yellow/policy/23578 Yellow Announcement YA 16-0052 defines "Need to Know" in the context of sensitive unclassified information.
See Below:
Need-to-Know
- 1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
- 2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.
Question 3: Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
Reply: The NRC's Office of Congressional Affairs (OCA) (see MD 9.13) is tasked with communicating with Congress on behalf of the NRC. The office is responsible for administering the agency's Congressional Affairs Program, and for providing advice and assistance to the Chairman, the Commission, and the NRC staff on all NRC relations with the Congress. Specifically, the office-
- Provides the Chairman, the Commission, the Executive Director for Operations (EDO), and the NRC staff with advice and counsel concerning relations with Congress; keeps NRC currently and fully informed on the views of Congress toward NRC policies, plans, and activities; and pursuant to Section 303 of the Atomic Energy Act of 1954, as amended, keeps Congress currently and fully informed of NRC's policies, plans, and activities. Coordinates all official contacts for the Chairman, the Commission, the EDO, and the NRC staff with members of Congress, their committees, and their staffs.
- Serves as the liaison with the NRC oversight committees, other congressional committees, as appropriate, and individual members of Congress with respect to matters of interest and concern to NRC.
- Serves as the contact point for all NRC communications, written and oral, with the Congress; routinely receives copies of all correspondence from members of Congress and congressional committees except for those of a personal nature and those addressed to the Office of the Inspector General; provides for the prompt acknowledgment of this correspondence, as appropriate; reviews and concurs in all NRC responses and other outgoing communications to members of Congress and congressional committees, with the exception of matters within the cognizance of the Inspector General, and coordinates all financial information with the Deputy Chief Financial Officer/Controller before release.
- Transmits routine communications to Congress, including notifications of proposed rulemakings, new and revised regulatory guides, announcements of regulatory actions, studies, reports, public documents, and other items of a routine nature; prepares direct responses to routine congressional requests and inquiries, when appropriate and with the concurrence of the EDO.
- Coordinates internal NRC activities that bear directly on NRC relations with Congress including, but not limited to, all hearings and attendance before the Congress by all NRC personnel, drafting testimony, editing hearing transcripts, and preparing supplemental materials, correspondence, and announcements.
- Transmits classified documents to Congress in accordance with NRC security directives and procedures and congressional regulations regarding the transmission of classified material. Transmits documents that are not publicly available (unclassified) with a special cover letter.
- Monitors all legislative proposals, bills, congressional hearings, debates, and other activities of potential interest and concern to NRC and advises the Chairman, the Commission, and the NRC staff, as appropriate.
- Participates in planning and developing NRC's legislative program in close cooperation with the Office of the General Counsel (OGC), coordinates with OGC concerning responses to legislation submitted to the NRC for comment, and coordinates legislative liaison in financial management activities with the Chief Financial Officer or the Deputy Chief Financial Officer/Controller, as appropriate.
- Represents the Commission, as appropriate, in conferences and meetings with members of Congress and their staffs and arranges for appearances for NRC representatives before congressional committees.
- Coordinates internal NRC activities and arrangements for visits, tours, notifications, presentations, briefings, and other activities with individual members of Congress or congressional committees and their staffs to inform them more fully of the role and activities of NRC and significant events. Develops and establishes records, policies, and procedures necessary for the effective conduct of NRC relations with Congress, and provides for monitoring the status and timeliness of NRC's responses to congressional correspondence.
- Performs any other functions assigned by the Chairman.
Question 4: If so, who makes that determination?
Reply: See the Office of Congressional Affairs and Office of General Council regarding communications with Congress.
Please let me know if you have additional questions or concerns.
Ronald E. Gagnon SUNSI / CUI Program Manager Office of the Chief Information Officer IT/IM Policy Branch United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873
From: Weber, Michael
Sent: Friday, May 27, 2016 10:21 AM
To: McAndrew, Sara
Cc: Thaggard, Mark; Correia, Richard; Hackett, Edwin; Flanagan, James; Carpenter, Cynthia
Subject: FYI - Who Determines Need-To-Know for OUO?
(b)(5)
From: Criscione, Lawrence
Sent: Friday, May 27, 2016 9:49 AM
To: Carpenter, Cynthia; Weber, Michael
Cc: Hackett, Edwin; Correia, Richard; Peters, Sean; Heard, Robert; Schwartz, Maria; NTEU, Chapter 208; Gagnon, Ronald; Kirkwood, Sara; Holahan, Gary; Clark, Theresa
Subject: RE: Who Determines Need-To-Know for OUO?
- Cynthia, If you review the lengthy email trail below, you will see that I've been down that route before. In February 2015, Ron Gagnon of the FOIA branch passed the buck on my concerns back to my RES supervision.
I believe that there is absolutely no basis for "Need-to-Know" to be applied to nuclear safety concerns such as catastrophic flooding at nuclear power plant sites due to upstream dam failures-failures caused by acts of nature and latent engineering flaws and not acts of sabotage. It is clear to me that these "Need-to-Know" restrictions are being set in place to prevent inconvenient embarrassing information from being widely accessed within the NRC and thus limit its likelihood of exiting the agency (as occurred in 2012 when I distributed some documents to Congress and the US Office of Special Counsel).
I recognize that it is natural for a bureaucracy to place a primacy upon protecting its good name and reputation, but by restricting information on important nuclear safety issues to only those staff who can be "trusted" to not disclose glaring unresolved public hazards we are undermining the Open & Collaborative Work Environment that this agency supposedly supports.
I will not be bouncing around FOIA and OCIO to discuss my concerns. My concerns have been well documented in the 3 1/2 year email trail below. Lack of understanding on this issue (i.e. Need-to-know regarding SUNSI) led directly to the NRC's IG illegally seeking felony charges against me in February 2013 for sharing SUNSI with some Congressional staffers-something I had a protected right to do under 5 USC 7211. This is an issue that both the agency and the union should take seriously as it undermines the ability of the bargaining unit to vet their concerns with staff whom they trust-e.g. in NRO they are currently restricted from discussing flooding issues with staff who have not been specifically assigned to the work on the issue.
I've asked four questions below. According to Ron Gagnon's February 2012 responses to me, those questions fall under the purview of my RES chain of command. I would appreciate it if you and Mike Weber would recognize and respect the efforts I have taken since October 25, 2012 to get answers to these questions and not dish me off to the FOIA office and OCIO.
The simple questions I would like specific, non-bureaucratic answers to are:
- 1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
- 2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
- 3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
- 4. If so, who makes that determination?
Thank you, Larry 573-230-3959
From: Carpenter, Cynthia
Sent: Wednesday, May 25, 2016 11:18 AM
To: Criscione, Lawrence <Lawrence.Criscione@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>
Cc: Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean
<Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>
Subject: RE: Who Determines Need-To-Know for OUO?
Larry Please contact OCIO regarding your questions. Controlled Unclassified Information (i.e. currently SUNSI) falls under their area of expertise. If it were SGI or classified, it would be NSIR. I don't know who in OCIO has the lead for this, but I would start with the FOIA, Privacy and information collections branch.
From: Criscione, Lawrence
Sent: Wednesday, May 25, 2016 8:57 AM
To: Weber, Michael <Michael.Weber@nrc.gov>; Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>
Cc: Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean
<Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>
Subject: RE: Who Determines Need-To-Know for OUO?
Mike/Cynthia, Yesterday the agency published a Yellow Announcement on Need-to-Know (ML16111A432) which-in my opinion-was not very informative. I still have the following questions regarding Need-to-Know as it pertains to nuclear safety issues marked as SUNSI (I have always had a very clear understanding regarding Need-to-know as applied to classified information and SGI):
- 1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
- 2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
- 3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
- 4. If so, who makes that determination?
- Thanks, Larry Lawrence S. Criscione RES/DRA/HFRB
From: Criscione, Lawrence
Sent: Thursday, April 28, 2016 5:39 PM
To: Weber, Michael <Michael.Weber@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>
Cc: Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean
<Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>;
Campbell, Andy <Andy.Campbell@nrc.gov>; Bley, Dennis <Dennis.Bley@nrc.gov>
Subject: Who Determines Need-To-Know for OUO?
Mike/Sheryl, As can be seen from the email trail below, I have been trying to get an answer to the handling of Official Use Only information for quite some time.
Attached is a letter I received last week from the US Office of Special Counsel (OSC). In the letter it is stated that the OSC has referred my disclosure regarding the agency's failure to adequately address flooding from dam failures to the NRC Chairman for investigation and report. It is not yet known by me whom the Chairman intends to assign to investigate my concerns.
In anticipation of potentially meeting with the Chairman's assigned investigator, over lunch today I met with seven colleagues from RES, NRR and NRO to discuss outstanding flooding concerns. At that meeting I was informed that certain supervisors in NRO have deemed certain flooding information and studies as sensitive information subject to strict need-to-know restrictions.
That is, my NRO colleagues told me they had to talk around certain concerns because I - and others present - were not formally assigned to work on those issues and to know those concerns.
Please note that none of the issues were related to nuclear security. These issues pertained entirely to nuclear SAFETY issues (e.g. Probabilistic Maximum Precipitation estimates for certain sites, flood inundation levels, etc).
Please also see the attached OCWE flyer from Bill Borchardt.
To me, the restrictions placed on the NRO staff directly contradict the work environment purported by Mr Borchardt.
But it is much worse than that.
One of the NRO staff informed me that she might not be able to discuss some of her specific flooding concerns with the Chairman's investigator since the issues could only be shared with those with a need-to-know.
Think about that for a minute. The staff of the NRC supports the work of the Commission. The President appoints the Chairman of the Commission. The President appoints the Special Counsel. The Special Counsel has directed the Chairman to furnish a report to her within 60 days regarding my flooding concerns so that she might forward the Chairman's investigative results on to the President. Yet NRO management has their staff so rattled and confused regarding "need-to-know" surrounding flooding concerns that a staff member is concerned that she cannot even discuss those issues with the Chairman's investigator. That's messed up. Waaaaaay messed up.
Today, I also found out that the Advisory Committee on Reactor Safeguards needed to agree to a Memorandum of Understanding (MOU) prior to being allowed to see certain flooding information.
Think about that for a minute. This is unclassified information. It is not safeguards. None of it has any value in determining how to breach a dam. These studies were done at the request of the NRC to aid in determining how dam failures will affect the viability of reactor plants. Yet the Advisory Committee on Reactor Safeguards cannot automatically see these studies?????
I would appreciate it if I could get a definitive answer from Mike to the following:
1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
4. If so, who makes that determination?
I recognize PII, allegation material, attorney/client privilege all fall under some definition of SUNSI. But in lieu of a better term, I am using SUNSI to refer to nuclear safety related information that is, for whatever reason, not public information. I am not at all confused on the prohibition of sharing PII, allegation material, attorney-client privilege, etc. so please restrict your answer to SUNSI that pertains solely to nuclear safety.
Please answer my questions directly. As can be seen below, I have for several years been bounced around between various NRC offices, web pages, 10 CFR references, and obtuse Management Directive references that do not address these questions.
This is an issue that gravely affects the Safety Culture of this agency. Imagine an individual with concerns regarding the flooding evaluation at Oconee being told that he cannot discuss the matter with fellow colleagues in his branch because they have no "need-to-know". Imagine the stress of being told by your superiors to sign off on an evaluation and not being able to discuss your concerns with your trusted peers. These are not hypotheticals; they have happened and are happening.
I would appreciate it from Sheryl if she would assist me in getting answers to my questions above. This is an NRC issue not a RES issue (in fact, to my knowledge, there is nothing in RES restricted to a "need-to-know").
To me, this should be brought up at the ALMPC.
I am not saying there is no guidance. As can be seen from the email trail below, there is plenty of guidance. It's just not in a form that can be applied.
I would like the NRC to go on record stating that there are certain SUNSI documents that cannot be supplied to Congress and the OSC or confirming that there are no prohibitions against providing SUNSI documents to Congress and the OSC. And I would like the NRC to go on record stating that all employees can view discuss SUNSI nuclear safety concerns with their peers or confirming that there are certain prohibitions against sharing SUNSI material with peers not directly assigned to work on those materials.
V/r, Larry Lawrence S. Criscione RES/DRA/HFRB 573-230-3959 From: Criscione, Lawrence Sent: Tuesday, March 03, 2015 10:41 AM To: Correia, Richard <Richard.Correia@nrc.gov>; West, Steven <Steven.West@nrc.gov>; Peters, Sean
<Sean.Peters@nrc.gov>
Subject:
Management's Credibility
There has been much discourse on this SUNSI issue both via email and in cubicle and cafeteria conversations.
Much of it is stated less professionally and more cynically than Ed's email below. Ed's mention of a DPO is a sarcastic reference to one of Ron's responses; no one is going to waste their time attempting to address any of these items with a DPO.
Just because most of your staff is focused on doing their jobs and do not wish to ruffle anyone's feathers, please don't think that there are only two people (i.e. me and Richard Perkins) complaining about this. This has been a long-standing complaint amongst certain personnel at NRR long before I was ever hired at the NRC - my involvement in this issue came as a result of their complaints to me. And there is widespread dissatisfaction in RES regarding these matters and how our management has avoided addressing them.
There might be a large contingent of managers and staff who resent "open government", but there is a very concerned contingent of technical staff who are appalled at what we are not allowed to share with the public.
And they are equally appalled by the lack of professionalism that has gone into resolving this issue. We expect our leaders to lead and not to politically avoid the difficult questions they are well-paid to confront. Balancing open government and SUNSI is one such issue.
Ron Gagnon is the supposed SUNSI expert for the agency and it is his determination that many of these questions are the prerogative of the office. I say we run with that determination. I say that in the absence of agency ownership of SUNSI, we take ownership of the SUNSI policies for our office. If you would like me to (and if Sean will allow me time to work on it), I can draft some guidance on how to determine what is SUNSI, how to apply "need-to-know" and how to conduct "portion-marking".
I know Brian believes SUNSI is owned by ADM, but ADM - and specifically the SUNSI lead in ADM - believes that specific SUNSI guidance (vice the broad policies put out by ADM in MD 12.6) is the prerogative of the individual offices. This makes sense. Understandably ADM does not feel comfortable writing prescriptive guidance for NRR, RES, etc. We know our work and should be the ones translating the high-level ADM SUNSI policies into workable prescriptive guidance for our people.
V/r, Larry From: ODonnell, Edward Sent: Monday, March 02, 2015 1:53 PM To: Orr, Mark; Barr, Jonathan; Criscione, Lawrence
Subject:
FW: Need-to-Know requirements for SUNSI
The answers leave one hanging. Perhaps a differing professional opinion should be invoked regarding them.
From: Gagnon, Ronald Sent: Monday, March 02, 2015 1:49 PM To: Criscione, Lawrence Cc: Janney, Margie; Correia, Richard; Sullivan, Randy; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; Kanney, Joseph; Patterson, Malcolm; King, Mark; Burton, Thomas; Peters, Sean; Cardenas, Daniel
Subject:
RE: Need-to-Know requirements for SUNSI
Larry, Please see my replies adjacent to your questions.
Thank you, Ron
Ronald E. Gagnon OIS I PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: Criscione, Lawrence Sent: Friday, February 27, 2015 3:23 PM To: Gagnon, Ronald Cc: Janney, Margie; Correia, Richard; Sullivan, Randy; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; Kanney, Joseph; Patterson, Malcolm; King, Mark; Burton, Thomas; Peters, Sean; Cardenas, Daniel
Subject:
RE: Need-to-Know requirements for SUNSI
Thanks Ronald. I've copied some colleagues on this email so they can see your answer below and so that they might contact you if they have their own questions about it.
I've highlighted two items below that are still unclear (subject matter expert and need-to-know determination):
1.a) Who are the subject matter experts for flooding and dam failures? Check with your office leadership.
1.b) What document designates them as such? Check with your office leadership.
1.c) What guidance do they use to determine what is sensitive and what is not? Check with your office leadership, (reference internal NRC SUNSI, SGI, Classified guidance).
1.d) If you disagree with their determination, is there an appeal process?
As you probably already know, NRC has a mechanism in place where differing professional opinions can be discussed and resolved. The NRC Differing Professional Opinions Program, Management Directive 10.159 states the following objectives: To foster informal discussions with peers and supervisors on issues involving professional judgments that may differ from a currently held view or practice, To establish a formal process for expressing differing professional opinions (DPOs) concerning issues directly related to the mission of NRC, To ensure the full consideration and prompt disposition of DPOs by affording an independent, impartial review by knowledgeable personnel, To ensure that all employees have the opportunity to (a) express DPOs in good faith, (b) have their views heard and considered by NRC management, and (c) be kept fully informed of the status of milestones throughout the process, To protect employees from retaliation in any form for expressing a differing opinion, To recognize submitters of DPOs when their DPOs have resulted in significant contributions to the mission of the agency, To provide for agency-wide oversight and monitoring, to ensure that implementation of these procedures accomplishes the stated objectives, and to recommend appropriate changes when required.
2.a) For SUNSI, do we (i.e. the technical staff) need to obtain our supervisor's permission prior to sharing information with a Congressional office? This question is outside the scope of SUNSI. Please check with your leadership for official NRC policies regarding communications with Congress. The Office of Congressional Affairs should be able to articulate current policies regarding this question.
2.b) For SUNSI that is related to nuclear safety issues or to agency policies on applying FOIA redactions (i.e. not PII, allegation material, or other highly specific forms of SUNSI that have nothing to do with typical NRC correspondence and reports) do we need our supervisor's permission prior to discussing the information with our NRC colleagues who are not formally assigned to work on the issue? That is, can I share nuclear safety information with my NRC co-workers even though that information has been designated SUNSI and they have not been formally assigned to work on the issue? Please check with your leadership and the FOIA office (if you have a FOIA redaction question). As you are aware, in addition to having authorized access to SUNSI information there is a need to know component to SUNSI. In order to allow access to another party, an authorized holder of SUNSI information must make a determination that a prospective recipient requires access to specific information to perform or assist in a lawful and authorized governmental function.
2.c) If I can get to it in ADAMS, can I assume I have a de-facto right to know it? Perhaps, but not exclusively. For example, if a document has been mistakenly categorized/ entered into ADAMS it does not give an employee the right to view or distribute it without the proper access credentials. If a government employee came across a classified document on-line through a Google search, that government employee is not authorized access unless they have the proper clearance and need to know, even though the document is easily available to anyone searching for it. If not, how do I determine that I have accessed a document that I have no right to see and to whom do I report it? One way to report a document spill would be by advising your supervisor and accessing the following link:
http://www.internal.nrc.gov/incident.html (please note that other notifications may be necessary depending on the type of spill).
R/
Larry From: Gagnon, Ronald Sent: Friday, February 27, 2015 2:15 PM To: Criscione, Lawrence Cc: Janney, Margie; Correia, Richard
Subject:
RE: Need-to-Know requirements for SUNSI
Good afternoon Larry, It was a pleasure speaking with you this afternoon. During our conversation we explored several topics including your questions below. We discussed the Controlled Unclassified Program (CUI) and how it would consolidate the SUNSI and SGI programs at the NRC, and how it would offer a government-wide, uniform way of handling sensitive unclassified information. You asked the following SUNSI related questions:
1. If I am referencing a document marked SUNSI, since there are no portion markings how do I determine what material is SUNSI and what is not? If I reference anything in the document, must my new document now be marked as SUNSI?
Derivative products should always be marked to ensure that the sensitive information in the document is fully protected according to agency policy. If the document is not portion marked, then the entire document is considered SUNSI until such time as a subject matter expert determines otherwise.
Documents that are marked SUNSI and not portion marked can be reviewed by the originator to determine which portion is sensitive, i.e. 2.390 information. A derivative document using any information from a SUNSI document that is not portion marked must have the referenced portion marked as SUNSI.
2. How do I determine need-to-know with regard to SUNSI? If I come across an interesting nuclear issue (e.g. a nuclear site which some colleagues believe is inadequately protected from flooding), can I discuss that issue with my fellow employees or is there some type of vetting process I must use? That is, are unclassified and non-Safeguards nuclear safety concerns fair game for discussion with all NRC colleagues or must information be "silo-ed" into a tightly controlled group of individuals who are officially assigned to address the issue?
Need-to-know typically means a determination made by an authorized holder of information that a prospective recipient requires access to specific information to perform or assist in a lawful and authorized governmental function. This determination would be made by the leadership elements in the office where the work is performed.
Please let me know if I can be of further assistance.
Thank you for your questions, Ronald E. Gagnon OIS I PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: SUNSI Resource Sent: Wednesday, February 25, 2015 7:44 AM To: Gagnon, Ronald; Janney, Margie
Subject:
FW: Need-to-Know requirements for SUNSI From: Criscione, Lawrence Sent: Wednesday, February 25, 2015 7:44:21 AM To: SUNSI Resource Cc: Correia, Richard; Peters, Sean; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; King, Mark; Burton, Thomas; Patterson, Malcolm; Kanney, Joseph
Subject:
Need-to-Know requirements for SUNSI
Auto forwarded by a Rule SUNSI Resource*
I have some questions regarding SUNSI which my division director has been attempting to help me get answered. He provided me the following references but neither of them address the questions I have:
NRC's SRI guidance: http://www.internal.nrc.gov/sunsi/security.html
FAQs available on the SUNSI website address commonly requested topics: htt.//www.internal.nrc. ov/su si/fa.html
My questions are:
1. If I am referencing a document marked SUNSI, since there are no portion markings how do I determine what material is SUNSI and what is not? If I reference anything in the document, must my new document now be marked as SUNSI?
2. How do I determine need-to-know with regard to SUNSI? If I come across an interesting nuclear issue (e.g. a nuclear site which some colleagues believe is inadequately protected from flooding), can I discuss that issue with my fellow employees or is there some type of vetting process I must use? That is, are unclassified and non-Safeguards nuclear safety concerns fair game for discussion with all NRC colleagues or must information be "silo-ed" into a tightly controlled group of individuals who are officially assigned to address the issue?
Also, I have some comments about the "SUNSI Awareness Training" linked to from the SUNSI "Frequently Asked Questions" website (and attached to this email). On slide 6 a colloquial definition of SUNSI is provided as:
"Or put another way.. If information appeared on the front page of the Washington Post and you cringe when you see it.... It's probably sensitive".
I believe that:
The above definition is deleterious to our goals of openness and transparency. Unfortunately, your colloquial definition is broadly used within the NRC. That is, it is my experience that most SUNSI material is marked that way because if it appeared on the front page of the Washington Post it would make us cringe.
I'm not the only NRC employee who has been asking these questions. How we determine SUNSI is a concern shared by several of my colleagues.
Larry Lawrence S. Criscione 573-230-3959 From: (b)(7)(C)
Sent: Wednesday, February 18, 2015 3:48 PM To: Criscione, Lawrence Cc: Peters, Sean; Madden, Patrick Subject: RE: OIG case 13-001 and OUO-SRI
htt ://www.internal.nrc. ov/sunsi/securi.html as a source of information. Please take a look at the information at the link and let me know if it has the information you are seeking.
Regards (b)(7)(C)
From: Criscione, Lawrence Sent: Thursday, February 12, 2015 11:28 AM
To: (b)(7)(C)
Subject:
RE: OIG case 13-001 and OUO-SRI
Thanks (b)(7)(C)
Daniel Cardenas referred me to Admin but did not give me the name of a contact.
From: (b)(7)(C)
Sent: Thursday, February 12, 2015 9:08 AM To: Criscione, Lawrence Subject: RE: OIG case 13-001 and OUO-SRI
Let me make some phone calls Larry
(b)(7)(C)
From: Criscione, Lawrence Sent: Wednesday, February 11, 2015 1:48 PM To: (b)(7)(C)
Subject:
OIG case 13-001 and OUO-SRI
(b)(7)(C)
Attached is the transcript from your 2012 interview with OIG concerning Case 13-001. It was provided to me as part of a Privacy Act request and I'm sending it along to you in case you would like a copy.
Please see my email below to (b)(7)(C). I still have a lack of understanding on OUO-SRI, mostly stemming from the fact that - unlike classified information - it (1) is not portion marked, (2) has no derivative classifiers, and (3) is applied to such broad topics that it has no well-defined need-to-know (e.g. who has a need-to-know about the Oconee flooding issues? Is it only the narrow set of NRR employees addressing it? Or is it any concerned NRC employee who might have an opinion that adds to the discussion?).
V/r, Larry From: Criscione, Lawrence Sent: Wednesday, February 11, 2015 1:37 PM To: (b)(7)(C)
Subject: OIG case 13-001
(b)(7)(C)
Attached is the transcript from your 2012 interview with OIG concerning Case 13-001. It was given to me as part of a Privacy Act request and I'm sending it along to you in case you would like a copy. The investigation for Case 13-001 closed on September 11, 2013.
As part of the resolution to the PEER v. NRC lawsuit, on September 13, 2013 the NRC publicly released the two documents which were the subject of the NRC Form 183 security incident which was filed against me on September 20, 2012. Those documents can be found at:
http://pbadupws.nrc.gov/docs/ML1325/ML13256A372.pdf
http://pbadupws.nrc.gov/docs/ML1325/ML13256A370.pdf
The only redactions to those documents are my home address, my cell phone number and my personal email account. This indicates - to me - that I was not in error when I failed to mark these documents as "Official Use Only - Security-Related Information".
Given that OUO-SRI documents are not portion marked, I still have no understanding of:
1. How I am to determine what exactly in those documents is OUO-SRI
2. How - when I am preparing a downstream document which references information found in OUO-SRI documents - I am to determine the final designation of my document and who the authority is if I have questions
3. To whom do I appeal if I do not agree with the OUO-SRI designation of a document
4. How to determine who has a "need to know" with regard to OUO-SRI information
R,
Larry From: Criscione, Lawrence Sent: Tuesday, June 10, 2014 9:27 AM To: Correia, Richard; Weber, Michael; Sheron, Brian; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward
Subject:
Who Determines Need-to-Know?
Thanks Rich.
I'd like to clarify though that even if we have a precise definition, a large part of my concern is "Who determines need-to-know?"
For example, if I am confident that a document marked "Not for Public Disclosure" can go to a congressional office, can I send it to them or must I first go through OGC and OCA?
Or, if I am confident that an INL contractor has a need to know proprietary information we got from INPO, can I directly send it to him or do I first need to consult with my supervisor, the NRC owner of the INPO MOU, OGC, etc.?
From: Correia, Richard Sent: Tuesday, June 10, 2014 7:02 AM To: Criscione, Lawrence; Weber, Michael; Sheron, Brian; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward
Subject:
RE: Need Assistance from RES and NTEU
Larry, I contacted folks in the Information Security Branch of NSIR and they pointed out that "need to know" is defined in 10 CFR 73.2 for handling safeguards information. I'm not certain if it would have a similar definition for SUNSI. I'll follow up with OGC on whether need to know has a definition for SUNSI.
Rich
Richard Correia, PE
Director, Division of Risk Analysis Office of Nuclear Regulatory Research US NRC richard.correia@nrc.gov From: Criscione, Lawrence Sent: Monday, June 02, 2014 5:50 PM To: Weber, Michael; Sheron, Brian; Correia, Richard; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward
Subject:
Need Assistance from RES and NTEU Please see my October 25, 2012 email below to Dan Cardenas. I've highlighted several questions in that email which I never received answers to.
On October 25, 2012 I was directed to review our SUNSI guidance and to discuss it with the chief of the Facilities Security Branch. I reviewed the guidance but had some questions which, 19-months later, I still do not know the answers to.
I would like the assistance of RES management and the NTEU in obtaining answers from Mr. Cardenas. I believe I am not the only one at the NRC who is unclear as to what exactly constitutes a "need to know" and "conducting official government business". Better clarifying these terms, especially with regard to OIG Case 13-001 which led to a criminal referral to the Department of Justice, is in the interest of the NRC staff.
If you have advice for me as to how to obtain answers from the requisite SUNSI experts, please let me know.
Thank you, Larry Lawrence S. Criscione 573-230-3959 From: Criscione, Lawrence Sent: Monday, June 02, 2014 5:35 PM To: Cardenas, Daniel; Ross-Lee, MaryJane Cc: Beasley, Benjamin; Peters, Sean; Correia, Richard; Sullivan, Randy; NTEU, Chapter 208; Burrows, Sheryl
Subject:
FW: Questions
Dan, Attached to this email is a document entitled "Exhibit 3 to OIG Case 13-
~.J.u.WIII.'-', received today in response to FOIA 2014-0236. The memo is undated. Could either you or (b)(7)(C) please tell me the date on which (b)(7)(C) sent this memo to (b)(7)(C)? Was it before or after our correspondence in the email trail below?
On February 4, 2013 agents of the NRC's Inspector General approached the Assistant US Attorney's office in Springfield, IL and requested of them that I be indicted on federal felony charges (18 USC §1030) for obtaining supposed security-sensitive information from a government database (i.e. NRC Internal ADAMS) and supposedly colluding to distribute that information to the public (e.g. via a Congressional hearing). The information of concern was my September 18, 2012 letter to the NRC Chairman, the email distributing it, and the nine reference documents. These are the same documents of concern in our email trail below.
In an October 25, 2012 email (included immediately below) I asked you a series of questions regarding MD 12.6, various guidance you directed me to review (found at http://www.internal.nrc.gov/sunsi/), and an explanation of what exactly constitute "need to know" and "conducting official government business". I have highlighted those questions in the email below. The documents attached to this email refer to some of those questions.
I never received any answers to the questions I posed to you 19 months ago in the email below. And after being the subject of an OIG criminal investigation for the distribution of supposed security related documents to individuals without a supposed "need to know", I still do not know the answers to the questions I pose below.
OIG Case 13-001 has been closed for over 9 months. Please provide me answers to my questions below as I am still uncertain what exactly I can and cannot share with our Congressional overseers and the precise channels I am required to follow. I look forward to your answers.
Thank you.
Larry Lawrence S. Criscione 573-230-3959 From: Criscione, Lawrence Sent: Thursday, October 25, 2012 9:37 PM To: Cardenas, Daniel Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy
Subject:
Questions
1) In the attached document "2005-10-26 guidance.pdf" I've highlighted a sentence stating that portion markings are not required. However, in the document "2010-04-27 guidance.pdf" I've highlighted where it states:
When is portion or page marking required? On documents that may be released following redaction of sensitive information. If an entire page is not sensitive, place marking adjacent to the sensitive information.
I am a big believer in portion markings. It frustrates me to no end that none of the 2008-2012 OUO correspondence between the NRC and Duke Energy regarding Jocassee Dam is portion marked. This correspondence clearly meets the instructions above for requiring that the documents be portion marked. That is, the overwhelming majority of the pages in the NRC/Duke correspondence have portions that are not sensitive and this NRC correspondence with a licensee concerning a serious safety concern should certainly be released following redaction of sensitive information. Yet there are no portion markings. Which guidance is correct: the 2005-10-26 or the 2010-04-27 guidance? Should NRR's correspondence with Duke Energy from May 2010 through the present have been portion marked?
2) On page 2 of the attached "NRC Policy for Handling Marking and Protection SUNSI.pdf" I have highlighted a paragraph on "Need-To-Know Access". This paragraph contains the words:
"... no person, including employees of the U.S. Government, NRC,....... may have access to SUNSI unless that person has an established need-to-know the information for conducting official business."
I am unclear what exactly constitutes "an established need-to-know the information for conducting official business."
Some of my co-workers (particularly Richard Perkins, but many others as well) expressed concern to me that flooding issues at Oconee Nuclear Station and Fort Calhoun were not being adequately addressed. Although it is my job (and the job of all NRC employees) to take allegations from licensees, I do not believe it is my job (i.e. "conducting official business") to take allegations from my fellow NRC co-workers. Nonetheless, I reviewed some of the source documents regarding Jocassee Dam because I was concerned with the opinions I was hearing expressed from my co-workers. It was not my job to review these documents. Most of the review of these documents occurred after normal working hours, including times when - although allowed to be in the office or on Citrix - I am not allowed to formally work (i.e. beyond 8 pm, Sundays, while using annual leave/credit hours). Since I was reviewing this information on my own time and not "for conducting official business", was I violating the "Need-to-Know"?
Although I have only shared SUNSI with "employees of the U.S. Government", I am not certain all of them had "an established need-to-know the information for conducting official business":
Does a staffer on the Senate Committee on Homeland Security & Governmental Affairs have "an established need-to-know the information for conducting official business"? If he does, must I send him through the Office of Congressional Affairs? Am I violating "Need-to-Know" by directly sending him references he requested?
Does the intern for Representative Duncan of South Carolina's 3rd congressional district have "an established need-to-know the information for conducting official business" when she is not investigating any matter for a congressional oversight committee and I am merely copying her as a courtesy to keep her representative abreast of a concern regarding a nuclear plant in his district?
Does the Office of the Special Counsel have "an established need-to-know the information for conducting official business" when the information is not being formally submitted with an OSC Form 12?
Does the Downstate Director (i.e. Springfield, IL office chief) of Senator Durbin have "an established need-to-know the information for conducting official business" when I am merely meeting with him to get his advice as to whether or not my senator would be willing to write the NRC Chairman regarding the NRC's SUNSI policies?
- 3) Assuming that the US Special Counsel or a congressional staffer has "an established need-to-know", I am uncertain as to what is required by the "Access" requirements on page 5 of Part II of MD 12.6. Prior to sharing SUNSI wilh the US Special Counsel or congressional staffers, before providing the information must I first consult the three parties listed In MD 12.6:
NRC office originating the information Office that has primary interest in the information Source from which the information was derived 114) If I am writing a letter regarding how the Office of Nuclear Reactor Regulation is inappropriately stamping safety-related correspondence as "Security-Related Information", and if I am sending that letter to the US NRC Chairman and copying It to concerned congressional offices, and if I do not believe that marking the letter Is essential to ensure proper handling and to ensure all persons having access to the letter will be aware that it (1) must not be publicly released and (2) must be distributed only to those who have a need-to-know to conduct official business, then am I in violation of MD 12.6 because I did not stamp the letter HOfficlal Use Only - Security-Related Information"?
I was asked by a congressional staffer last month whether I believed the "Security-Related Information" stamps were hindering the open discussion of the Jocassee Dam/Oconee issue amongst the NRC staff. His concern was based on the fact that some of NRR's Jocassee Dam correspondence contain the stamp "Limited Internal Distribution Permitted". My answer to him was that, although I believed these stamps were inappropriately keeping a serious safety concern from public scrutiny, these markings were not in any way hindering the professional internal discussion of concerns regarding Jocassee Dam. Based on what I have read in MD 12.6 tonight, I do not know if I still agree with that answer. When possible, I would like to meet with you regarding the four questions above. Also, I have had people within the NRC request to see my 2012-09-18 letter to the chairman but I have been unwilling to share it with anyone since being told I was violating SUNSI guidance by not properly stamping it OUO - SRI. I would like to review that letter with you and get your assessment as to how it should be stamped.
V/r,
Larry From: Criscione, Lawrence Sent: Thursday, October 25, 2012 5:50 PM To: Cardenas, Daniel
Subject:
RE: Information Release The version of MD 12.6 that is linked to in the SUNSI website is from December 20, 1999. Is this the version I am supposed to review or is there a more current revision?
From: Cardenas, Daniel Sent: Thursday, October 25, 2012 5:39 PM To: Criscione, Lawrence Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy Subject: Re: Information Release
Larry-If you have read and understand the SUNSI guidance, then a meeting may not be necessary. I will contact you if a meeting is necessary. In regards to transmission of SUNSI outside the NRC, please contact your supervisor as identified in MD 12.6 and follow applicable guidance located on the OIS SUNSI website.
Regards.
Dan
- Sent from an NRC Blackberry -
Daniel Cardenas, Chief Facilities Security Branch Division of Facilities and Security Office of Administration U. S. Nuclear Regulatory Commission Office Email: Daniel.Cardenas Office Number: (301) 415-6184 Cell Number: (b)(6) Fax Number: (301) 415-5132
From: Criscione, Lawrence To: Cardenas, Daniel Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy Sent: Thu Oct 25 17:31:31 2012
Subject:
RE: Information Release
Daniel,
My Outlook calendar is up to date through the end of the year. I should be able to review MD 12.6 and the other guidance by tomorrow morning.
The only personnel outside the NRC to whom I have provided "Official Use Only-Security Related Information" are either with the Office of the Special Counsel, staffers of US Senators or staffers of members of the US House of Representatives. I will not release any additional information to the Office of the Special Counsel or to members of the US Congress until I have met with you.
Please send me a copy of the NRC Form 183 mentioned below so that I may review it prior to our meeting.
Is my union steward allowed to accompany me to the meeting?
V/r, Larry Criscione 573-230-3959
From: Cardenas, Daniel Sent: Thursday, October 25, 2012 5:01 PM To: Criscione, Lawrence Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen
Subject:
Information Release Importance: High
Mr. Criscione-I have received a NRC Form 183 "Report of Security Incident" indicating that you have released information (Official Use Only - Security Related Information, etc) to personnel outside of the NRC. This release of information must "stop" immediately. The guidance for handling Sensitive Unclassified non-Safeguards Information (SUNSI) is identified in MD 12.6 and on the OIS webpage. Please see the following link, which provides detailed information on the handling of this type of information.
http://www.internal.nrc.gov/sunsi/
If you have released any other information, you must cease these activities, and report the releases to the Director, Division of Facilities and Security.
Please schedule a time to discuss this matter with me.
Regards.
Daniel Cardenas Chief, Facilities Security Branch Division of Facilities and Security, Office of Administration Location: T6-E3 | Office Email: Daniel.Cardenas@nrc.gov Office Number: 301 415-6184 NRC Blackberry: (b)(6)
NRC Fax: (301)
From: Janney, Margie
Sent: Thursday, May 26, 2016 12:41 PM
To: Gagnon, Ronald
Cc: Rheaume, Cynthia; Le, Hong
Subject: FW: Who Determines Need-To-Know for OUO?
Importance: High
Follow Up Flag: Follow up
Flag Status: Flagged
Ron,
At this morning's ET/Division Directors meeting, both Jim and Fred requested that you consult with OIG to provide additional information to clarify to Larry about your answer to his third question.
Please see Cindy or Jim if you need more explanation. Thank you,
-Margie
Margie Janney, CRM/NS Chief, IT/IM Policy Branch IT/IM Portfolio Management and Planning Division Office of the Chief Information Officer U.S. Nuclear Regulatory Commission 301-415-7245 margie.janney@nrc.gov
From: Gagnon, Ronald Sent: Wednesday, May 25, 2016 3:23 PM To: Criscione, Lawrence Cc: Janney, Margie; Flanagan, James; Carpenter, Cynthia; Le, Hong; Chen, Yen-Ming; Hackett, Edwin; Correia, Richard; Peters, Sean; Heard, Robert; Schwartz, Maria; NTEU, Chapter 208; Weber, Michael
Subject:
Who Determines Need-To-Know for OUO?
Mr. Criscione:
You inquired regarding the following:
- 1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
- 2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
- 3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
- 4. If so, who makes that determination?
Question 1: Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
Reply: NRC SUNSI Policy clearly states that... "except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business." See below:
NRC Policy For Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information section D(2) - Need to know access
See: http://www.internal.nrc.gov/sunsi/pdf/SUNSI-Policy-Procedures.pdf
Need-To-Know Access
A security clearance is not required for access to SUNSI. However, except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business.
Question 2: If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
Reply: The NRC recently published a yellow announcement addressing this issue. See https://drupal.nrc.gov/announcements/yellow/policy/23578 Yellow Announcement YA 16-0052 defines "Need to Know" in the context of sensitive unclassified information.
See Below:
Need-to-Know
- 1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
- 2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.
Question 3: Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
Reply: The NRC's Office of Congressional Affairs (OCA) (see MD 9.13) is tasked with communicating with Congress on behalf of the NRC. The office is responsible for administering the agency's Congressional Affairs Program, and for providing advice and assistance to the Chairman, the Commission, and the NRC staff on all NRC relations with the Congress. Specifically, the office-
- Provides the Chairman, the Commission, the Executive Director for Operations (EDO), and the NRC staff with advice and counsel concerning relations with Congress; keeps NRC currently and fully informed on the views of Congress toward NRC policies, plans, and activities; and pursuant to Section 303 of the Atomic Energy Act of 1954, as amended, keeps Congress currently and fully informed of NRC's policies, plans, and activities. Coordinates all official contacts for the Chairman, the Commission, the EDO, and the NRC staff with members of Congress, their committees, and their staffs.
- Serves as the liaison with the NRC oversight committees, other congressional committees, as appropriate, and individual members of Congress with respect to matters of interest and concern to NRC.
- Serves as the contact point for all NRC communications, written and oral, with the Congress; routinely receives copies of all correspondence from members of Congress and congressional committees except for those of a personal nature and those addressed to the Office of the Inspector General; provides for the prompt acknowledgment of this correspondence, as appropriate; reviews and concurs in all NRC responses and other outgoing communications to members of Congress and congressional committees, with the exception of matters within the cognizance of the Inspector General, and coordinates all financial information with the Deputy Chief Financial Officer/Controller before release.
- Transmits routine communications to Congress, including notifications of proposed rulemakings, new and revised regulatory guides, announcements of regulatory actions, studies, reports, public documents, and other items of a routine nature; prepares direct responses to routine congressional requests and inquiries, when appropriate and with the concurrence of the EDO.
- Coordinates internal NRC activities that bear directly on NRC relations with Congress including, but not limited to, all hearings and attendance before the Congress by all NRC personnel, drafting testimony, editing hearing transcripts, and preparing supplemental materials, correspondence, and announcements.
- Transmits classified documents to Congress in accordance with NRC security directives and procedures and congressional regulations regarding the transmission of classified material. Transmits documents that are not publicly available (unclassified) with a special cover letter.
- Monitors all legislative proposals, bills, congressional hearings, debates, and other activities of potential interest and concern to NRC and advises the Chairman, the Commission, and the NRC staff, as appropriate.
- Participates in planning and developing NRC's legislative program in close cooperation with the Office of the General Counsel (OGC), coordinates with OGC concerning responses to legislation submitted to the NRC for comment, and coordinates legislative liaison in financial management activities with the Chief Financial Officer or the Deputy Chief Financial Officer/Controller, as appropriate.
- Represents the Commission, as appropriate, in conferences and meetings with members of Congress and their staffs and arranges for appearances for NRC representatives before congressional committees.
- Coordinates internal NRC activities and arrangements for visits, tours, notifications, presentations, briefings, and other activities with individual members of Congress or congressional committees and their staffs to inform them more fully of the role and activities of NRC and significant events. Develops and establishes records, policies, and procedures necessary for the effective conduct of NRC relations with Congress, and provides for monitoring the status and timeliness of NRC's responses to congressional correspondence.
- Performs any other functions assigned by the Chairman.
Question 4: If so, who makes that determination?
Reply: See the Office of Congressional Affairs and Office of General Counsel regarding communications with Congress.
Please let me know if you have additional questions or concerns.
Ronald E. Gagnon SUNSI / CUI Program Manager Office of the Chief Information Officer IT/IM Policy Branch United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873
From: Gagnon, Ronald
Sent: Wednesday, May 25, 2016 3:06 PM
To: Janney, Margie
Cc: Flanagan, James; Carpenter, Cynthia; Le, Hong; Chen, Yen-Ming
Subject: RE: Who Determines Need-To-Know for OUO?
Attachments: RE: Need-to-Know requirements for SUNSI; DCPD-201300092.od.odf
Follow Up Flag: Follow up
Flag Status: Flagged
The 1st attachment is an email string beginning with Mr. Criscione's 03-03-15 8:51 AM that appears in the next record.
This 2nd attachment is publicly available at https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/fact-sheet-presidential-policy-directive-critical-infrastructure-security.
Margie,
Mr. Criscione is asking the following:
- 1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
- 2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
- 3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
- 4. If so, who makes that determination?
Question 1: Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
Reply: NRC SUNSI Policy clearly states that... "except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business." See below:
NRC Policy For Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information section D(2) - Need to know access
See: http://www.internal.nrc.gov/sunsi/pdf/SUNSI-Policy-Procedures.pdf
Need-To-Know Access
A security clearance is not required for access to SUNSI. However, except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business.
Question 2: If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
Reply: The NRC recently published a yellow announcement addressing this issue. See https://drupal.nrc.gov/announcements/yellow/policy/23578 Yellow Announcement YA 16-0052 defines "Need to Know" in the context of sensitive unclassified information.
See Below:
Need-to-Know
- 1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
- 2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.
Question 3: Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
Reply: The NRC's Office of Congressional Affairs (OCA) (see MD 9.13) is tasked with communicating with Congress on behalf of the NRC. The office is responsible for administering the agency's Congressional Affairs Program, and for providing advice and assistance to the Chairman, the Commission, and the NRC staff on all NRC relations with the Congress. Specifically, the office-
- Provides the Chairman, the Commission, the Executive Director for Operations (EDO), and the NRC staff with advice and counsel concerning relations with Congress; keeps NRC currently and fully informed on the views of Congress toward NRC policies, plans, and activities; and pursuant to Section 303 of the Atomic Energy Act of 1954, as amended, keeps Congress currently and fully informed of NRC's policies, plans, and activities. Coordinates all official contacts for the Chairman, the Commission, the EDO, and the NRC staff with members of Congress, their committees, and their staffs.
- Serves as the liaison with the NRC oversight committees, other congressional committees, as appropriate, and individual members of Congress with respect to matters of interest and concern to NRC.
- Serves as the contact point for all NRC communications, written and oral, with the Congress; routinely receives copies of all correspondence from members of Congress and congressional committees except for those of a personal nature and those addressed to the Office of the Inspector General; provides for the prompt acknowledgment of this correspondence, as appropriate; reviews and concurs in all NRC responses and other outgoing communications to members of Congress and congressional committees, with the exception of matters within the cognizance of the Inspector General, and coordinates all financial information with the Deputy Chief Financial Officer/Controller before release.
- Transmits routine communications to Congress, including notifications of proposed rulemakings, new and revised regulatory guides, announcements of regulatory actions, studies, reports, public documents, and other items of a routine nature; prepares direct responses to routine congressional requests and inquiries, when appropriate and with the concurrence of the EDO.
- Coordinates internal NRC activities that bear directly on NRC relations with Congress including, but not limited to, all hearings and attendance before the Congress by all NRC personnel, drafting testimony, editing hearing transcripts, and preparing supplemental materials, correspondence, and announcements.
- Transmits classified documents to Congress in accordance with NRC security directives and procedures and congressional regulations regarding the transmission of classified material. Transmits documents that are not publicly available (unclassified) with a special cover letter.
- Monitors all legislative proposals, bills, congressional hearings, debates, and other activities of potential interest and concern to NRC and advises the Chairman, the Commission, and the NRC staff, as appropriate.
- Participates in planning and developing NRC's legislative program in close cooperation with the Office of the General Counsel (OGC), coordinates with OGC concerning responses to legislation submitted to the NRC for comment, and coordinates legislative liaison in financial management activities with the Chief Financial Officer or the Deputy Chief Financial Officer/Controller, as appropriate.
- Represents the Commission, as appropriate, in conferences and meetings with members of Congress and their staffs and arranges for appearances for NRC representatives before congressional committees.
- Coordinates internal NRC activities and arrangements for visits, tours, notifications, presentations, briefings, and other activities with individual members of Congress or congressional committees and their staffs to inform them more fully of the role and activities of NRC and significant events. Develops and establishes records, policies, and procedures necessary for the effective conduct of NRC relations with Congress, and provides for monitoring the status and timeliness of NRC's responses to congressional correspondence.
- Performs any other functions assigned by the Chairman.
Question 4: If so, who makes that determination?
Reply: See the Office of Congressional Affairs and Office of General Counsel regarding communications with Congress.
Please let me know if you have additional questions or concerns.
Ronald E. Gagnon SUNSI / CUI Program Manager Office of the Chief Information Officer IT/IM Policy Branch United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873
From: Janney, Margie Sent: Wednesday, May 25, 2016 11:41 AM To: Gagnon, Ronald Cc: Flanagan, James; Carpenter, Cynthia; Le, Hong; Chen, Yen-Ming
Subject:
FW: Who Determines Need-To-Know for OUO?
Ron,
Assuming he has asked the same questions as last time, I suggest you answer Larry with a reference back to that answer. Note he refers to you in his March 3 email below.
-Margie
Margie Janney, CRM/NS Chief, IT/IM Policy Branch IT/IM Portfolio Management and Planning Division Office of the Chief Information Officer U.S. Nuclear Regulatory Commission 301-415-7245 margie.janney@nrc.gov
From: Flanagan, James Sent: Wednesday, May 25, 2016 11:32 AM To: Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>; Janney, Margie <Margie.Janney@nrc.gov>
Cc: Chen, Yen-Ming <Yen-Ming.Chen@nrc.gov>
Subject:
FW: Who Determines Need-To-Know for OUO?
Cynthia, Hong and Margie.
Can we answer these questions or can we direct the individual to the party that can answer them?
Regards,
James P. Flanagan Deputy, Chief Information Officer Office of the Chief Information Officer United States Nuclear Regulatory Commission One White Flint North 11555 Rockville Pike, Mail Stop 0-6E7 A Rockville, MD 20852-2738 Telephone 301-415-8700 James.Flanagan@nrc.gov
From: Carpenter, Cynthia Sent: Wednesday, May 25, 2016 11:18 AM To: Criscione, Lawrence <Lawrence.Criscione@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>
Cc: Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>
Subject:
RE: Who Determines Need-To-Know for OUO?
Larry Please contact OCIO regarding your questions. Controlled Unclassified Information (i.e. currently SUNSI) falls under their area of expertise. If it were SGI or classified, it would be NSIR. I don't know who in OCIO has the lead for this, but I would start with the FOIA, Privacy and information collections branch.
From: Criscione, Lawrence Sent: Wednesday, May 25, 2016 8:57 AM To: Weber, Michael <Michael.Weber@nrc.gov>; Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>
Cc: Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>
Subject:
RE: Who Determines Need-To-Know for OUO?
Mike/Cynthia,
Yesterday the agency published a Yellow Announcement on Need-to-Know (ML16111A432) which-in my opinion-was not very informative. I still have the following questions regarding Need-to-Know as it pertains to nuclear safety issues marked as SUNSI (I have always had a very clear understanding regarding Need-to-know as applied to classified information and SGI):
- 1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
- 2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
- 3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
- 4. If so, who makes that determination?
Thanks, Larry
Lawrence S. Criscione RES/DRA/HFRB
From: Criscione, Lawrence Sent: Thursday, April 28, 2016 5:39 PM To: Weber, Michael <Michael.Weber@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>
Cc: Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; Campbell, Andy <Andy.Campbell@nrc.gov>; Bley, Dennis <Dennis.Bley@nrc.gov>
Subject:
Who Determines Need-To-Know for OUO?
Mike/Sheryl, As can be seen from the email trail below, I have been trying to get an answer to the handling of Official Use Only Information for quite some time.
Attached is a letter I received last week from the US Office of Special Counsel (OSC). In the letter it is stated that the OSC has referred my disclosure regarding the agency's failure to adequately address flooding from dam failures to the NRC Chairman for investigation and report. It is not yet known by me whom the Chairman intends to assign to investigate my concerns.
In anticipation of potentially meeting with the Chairman's assigned investigator, over lunch today I met with seven colleagues from RES, NRR and NRO to discuss outstanding flooding concerns. At that meeting I was informed that certain supervisors in NRO have deemed certain flooding information and studies as sensitive information subject to strict need-to-know restrictions.
That is, my NRO colleagues told me they had to talk around certain concerns because I-and others present-were not formally assigned to work on those issues and to know those concerns.
Please note that none of the issues were related to nuclear security. These issues pertained entirely to nuclear SAFETY issues (e.g. Probabilistic Maximum Precipitation estimates for certain sites, flood inundation levels, etc.).
Please also see the attached OCWE flyer from Bill Borchardt.
To me, the restrictions placed on the NRO staff directly contradict the work environment purported by Mr. Borchardt.
But it is much worse than that. One of the NRO staff informed me that she might not be able to discuss some of her specific flooding concerns with the Chairman's investigator since the issues could only be shared with those with a need-to-know.
Think about that for a minute. The staff of the NRC supports the work of the Commission. The President appoints the Chairman of the Commission. The President appoints the Special Counsel. The Special Counsel has directed the Chairman to furnish a report to her within 60 days regarding my flooding concerns so that she might forward the Chairman's investigative results on to the President. Yet NRO management has their staff so rattled and confused regarding "need-to-know" surrounding flooding concerns that a staff member is concerned that she cannot even discuss those issues with the Chairman's investigator. That's messed up. Waaaaaay messed up.
Today, I also found out that the Advisory Committee on Reactor Safeguards needed to agree to a Memorandum of Understanding (MOU) prior to being allowed to see certain flooding information.
Think about that for a minute. This is unclassified information. It is not safeguards. None of it has any value in determining how to breach a dam. These studies were done at the request of the NRC to aid in determining how dam failures will affect the viability of reactor plants. Yet the Advisory Committee on Reactor Safeguards cannot automatically see these studies?????
I would appreciate it if I could get a definitive answer from Mike to the following.
- 1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
- 2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
- 3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
- 4. If so, who makes that determination?
I recognize PII, allegation material, attorney/client privilege all fall under some definition of SUNSI. But in lieu of a better term, I am using SUNSI to refer to nuclear safety related information that is, for whatever reason, not public information. I am not at all confused on the prohibition of sharing PII, allegation material, attorney-client privilege, etc. so please restrict your answer to SUNSI that pertains solely to nuclear safety.
Please answer my questions directly. As can be seen below, I have for several years been bounced around between various NRC offices, web pages, 10 CFR references, and obtuse Management Directive references that do not address these questions.
This is an issue that gravely affects the Safety Culture of this agency. Imagine an individual with concerns regarding the flooding evaluation at Oconee being told that he cannot discuss the matter with fellow colleagues in his branch because they have no "need-to-know". Imagine the stress of being told by your superiors to sign off on an evaluation and not being able to discuss your concerns with your trusted peers. These are not hypotheticals; they have happened and are happening.
I would appreciate it from Sheryl if she would assist me in getting answers to my questions above. This is an NRC issue not a RES issue (in fact, to my knowledge, there is nothing in RES restricted to a "need-to-know").
To me, this should be brought up at the ALMPC.
I am not saying there is no guidance. As can be seen from the email trail below, there is plenty of guidance. It's just not in a form that can be applied. I would like the NRC to go on record stating that there are certain SUNSI documents that cannot be supplied to Congress and the OSC or confirming that there are no prohibitions against providing SUNSI documents to Congress and the OSC. And I would like the NRC to go on record stating that all employees can view/discuss SUNSI nuclear safety concerns with their peers or confirming that there are certain prohibitions against sharing SUNSI material with peers not directly assigned to work on those materials.
V/r, Larry
Lawrence S. Criscione RES/DRA/HFRB 573-230-3959
From: Criscione, Lawrence Sent: Tuesday, March 03, 2015 10:41 AM
To: Correia, Richard <Richard.Correia@nrc.gov>; West, Steven <Steven.West@nrc.gov>; Peters, Sean
<Sean.Peters@nrc.gov>
Subject:
Management's Credibility
There has been much discourse on this SUNSI issue both via email and in cubicle and cafeteria conversations.
Much of it is stated less professionally and more cynically than Ed's email below. Ed's mention of a DPO is a sarcastic reference to one of Ron's responses; no one is going to waste their time attempting to address any of these items with a DPO.
Just because most of your staff is focused on doing their jobs and do not wish to ruffle anyone's feathers, please don't think that there are only two people (i.e. me and Richard Perkins) complaining about this. This has been a long-standing complaint amongst certain personnel at NRR long before I was ever hired at the NRC-my involvement in this issue came as a result of their complaints to me. And there is widespread dissatisfaction in RES regarding these matters and how our management has avoided addressing them.
There might be a large contingent of managers and staff who resent *open government*, but there is a very concerned contingent of technical staff who are appalled at what we are not allowed to share with the public.
And they are equally appalled by the lack of professionalism that has gone into resolving this issue. We expect our leaders to lead and not to politically avoid the difficult questions they are well-paid to confront. Balancing open government and SUNSI is one such issue.
Ron Gagnon is the supposed SUNSI expert for the agency and it is his determination that many of these questions are the prerogative of the office. I say we run with that determination. I say that in the absence of agency ownership of SUNSI, we take ownership of the SUNSI policies for our office. If you would like me to (and if Sean will allow me time to work on it), I can draft some guidance on how to determine what is SUNSI, how to apply "need-to-know" and how to conduct "portion-marking".
I know Brian believes SUNSI is owned by ADM, but ADM-and specifically the SUNSI lead in ADM-believes that specific SUNSI guidance (vice the broad policies put out by ADM in MD 12.6) is the prerogative of the individual offices. This makes sense. Understandably ADM does not feel comfortable writing prescriptive guidance for NRR, RES, etc. We know our work and should be the ones translating the high-level ADM SUNSI policies into workable prescriptive guidance for our people.
V/r,
Larry
From: ODonnell, Edward
Sent: Monday, March 02, 2015 1:53 PM
To: Orr, Mark; Barr, Jonathan; Criscione, Lawrence
Subject: FW: Need-to-Know requirements for SUNSI
The answers leave one hanging. Perhaps a differing professional opinion should be invoked regarding them.
From: Gagnon, Ronald
Sent: Monday, March 02, 2015 1:49 PM
To: Criscione, Lawrence
Cc: Janney, Margie; Correia, Richard; Sullivan, Randy; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; Kanney, Joseph; Patterson, Malcolm; King, Mark; Burton, Thomas; Peters, Sean; Cardenas, Daniel
Subject: RE: Need-to-Know requirements for SUNSI
Larry,
Please see my replies adjacent to your questions.
Thank you,
Ron
Ronald E. Gagnon
OIS / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873
From: Criscione, Lawrence
Sent: Friday, February 27, 2015 3:23 PM
To: Gagnon, Ronald
Cc: Janney, Margie; Correia, Richard; Sullivan, Randy; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; Kanney, Joseph; Patterson, Malcolm; King, Mark; Burton, Thomas; Peters, Sean; Cardenas, Daniel
Subject: RE: Need-to-Know requirements for SUNSI
Thanks Ronald. I've copied some colleagues on this email so they can see your answer below and so that they might contact you if they have their own questions about it.
I've highlighted two items below that are still unclear (subject matter expert and need-to-know determination):
1.a) Who are the subject matter experts for flooding and dam failures? Check with your office leadership.
1.b) What document designates them as such? Check with your office leadership.
1.c) What guidance do they use to determine what is sensitive and what is not? Check with your office leadership, (reference internal NRC SUNSI, SGI, Classified guidance).
1.d) If you disagree with their determination, is there an appeal process?
As you probably already know, NRC has a mechanism in place where differing professional opinions can be discussed and resolved. The NRC Differing Professional Opinions Program, Management Directive 10.159 states the following objectives: To foster informal discussions with peers and supervisors on issues involving professional judgments that may differ from a currently held view or practice, To establish a formal process for expressing differing professional opinions (DPOs) concerning issues directly related to the mission of NRC, To ensure the full consideration and prompt disposition of DPOs by affording an independent, impartial review by knowledgeable personnel, To ensure that all employees have the opportunity to (a) express DPOs in good faith, (b) have their views heard and considered by NRC management, and (c) be kept fully informed of the status of milestones throughout the process, To protect employees from retaliation in any form for expressing a differing opinion, To recognize submitters of DPOs when their DPOs have resulted in significant contributions to the mission of the agency, To provide for agency-wide oversight and monitoring, to ensure that implementation of these procedures accomplishes the stated objectives, and to recommend appropriate changes when required.
2.a) For SUNSI, do we (i.e. the technical staff) need to obtain our supervisor's permission prior to sharing information with a Congressional office? This question is outside the scope of SUNSI. Please check with your leadership for official NRC policies regarding communications with Congress. The Office of Congressional Affairs should be able to articulate current policies regarding this question.
2.b) For SUNSI that is related to nuclear safety issues or to agency policies on applying FOIA redactions (i.e. not PII, allegation material, or other highly specific forms of SUNSI that have nothing to do with typical NRC correspondence and reports) do we need our supervisor's permission prior to discussing the information with our NRC colleagues who are not formally assigned to work on the issue? That is, can I share nuclear safety information with my NRC co-workers even though that information has been designated SUNSI and they have not been formally assigned to work on the issue? Please check with your leadership and the FOIA office (if you have a FOIA redaction question). As you are aware, in addition to having authorized access to SUNSI information there is a need to know component to SUNSI. In order to allow access to another party, an authorized holder of SUNSI information must make a determination that a prospective recipient requires access to specific information to perform or assist in a lawful and authorized governmental function.
2.c) If I can get to it in ADAMS, can I assume I have a de-facto right to know it? Perhaps, but not exclusively. For example, if a document has been mistakenly categorized / entered into ADAMS it does not give an employee the right to view or distribute it without the proper access credentials. If a government employee came across a classified document on-line through a Google search, that government employee is not authorized access unless they have the proper clearance and need to know, even though the document is easily available to anyone searching for it. If not, how do I determine that I have accessed a document that I have no right to see and to whom do I report it? One way to report a document spill would be by advising your supervisor and accessing the following link:
http://www.internal.nrc.gov/incident.html (please note that other notifications may be necessary depending on the type of spill).
R/
Larry
From: Gagnon, Ronald
Sent: Friday, February 27, 2015 2:15 PM
To: Criscione, Lawrence
Cc: Janney, Margie; Correia, Richard
Subject: RE: Need-to-Know requirements for SUNSI
Good afternoon Larry,
It was a pleasure speaking with you this afternoon. During our conversation we explored several topics including your questions below. We discussed the Controlled Unclassified Program (CUI) and how it would consolidate the SUNSI and SGI programs at the NRC, and how it would offer a government-wide, uniform way of handling sensitive unclassified information. You asked the following SUNSI related questions:
- 1. If I am referencing a document marked SUNSI, since there are no portion markings how do I determine what material is SUNSI and what is not? If I reference anything in the document, must my new document now be marked as SUNSI?
Derivative products should always be marked to ensure that the sensitive information in the document is fully protected according to agency policy. If the document is not portion marked, then the entire document is considered SUNSI until such time as a subject matter expert determines otherwise.
Documents that are marked SUNSI and not portion marked can be reviewed by the originator to determine which portion is sensitive, i.e. 2.390 information. A derivative document using any information from a SUNSI document that is not portion marked must have the referenced portion marked as SUNSI.
- 2. How do I determine need-to-know with regard to SUNSI? If I come across an interesting nuclear issue (e.g. a nuclear site which some colleagues believe is inadequately protected from flooding), can I discuss that issue with my fellow employees or is there some type of vetting process I must use? That is, are unclassified and non-Safeguards nuclear safety concerns fair game for discussion with all NRC colleagues or must information be "silo-ed" into a tightly controlled group of individuals who are officially assigned to address the issue?
Need-to-know typically means a determination made by an authorized holder of information that a prospective recipient requires access to specific information to perform or assist in a lawful and authorized governmental function. This determination would be made by the leadership elements in the office where the work is performed.
Please let me know if I can be of further assistance.
Thank you for your questions,
Ronald E. Gagnon
OIS / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873
From: SUNSI Resource
Sent: Wednesday, February 25, 2015 7:44 AM
To: Gagnon, Ronald; Janney, Margie
Subject: FW: Need-to-Know requirements for SUNSI
From: Criscione, Lawrence
Sent: Wednesday, February 25, 2015 7:44:21 AM
To: SUNSI Resource
Cc: Correia, Richard; Peters, Sean; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; King, Mark; Burton, Thomas; Patterson, Malcolm; Kanney, Joseph
Subject: Need-to-Know requirements for SUNSI
Auto forwarded by a Rule
SUNSI Resource:
I have some questions regarding SUNSI which my division director has been attempting to help me get answered. He provided me the following references but neither of them address the questions I have:
NRC's SRI guidance: http://www.internal.nrc.gov/sunsi/security.html
FAQs available on the SUNSI website address commonly requested topics: http://www.internal.nrc.gov/sunsi/faq.html
My questions are:
- 1. If I am referencing a document marked SUNSI, since there are no portion markings how do I determine what material is SUNSI and what is not? If I reference anything in the document, must my new document now be marked as SUNSI?
- 2. How do I determine need-to-know with regard to SUNSI? If I come across an interesting nuclear issue (e.g. a nuclear site which some colleagues believe is inadequately protected from flooding), can I discuss that issue with my fellow employees or is there some type of vetting process I must use? That is, are unclassified and non-Safeguards nuclear safety concerns fair game for discussion with all NRC colleagues or must information be "silo-ed" into a tightly controlled group of individuals who are officially assigned to address the issue?
Also, I have some comments about the "SUNSI Awareness Training" linked to from the SUNSI "Frequently Asked Questions" website (and attached to this email). On slide 6 a colloquial definition of SUNSI is provided as:
"Or put another way. If information appeared on the front page of the Washington Post and you cringe when you see it.... It's probably sensitive"
I believe that:
- The above definition is deleterious to our goals of openness and transparency.
- Unfortunately, your colloquial definition is broadly used within the NRC. That is, it is my experience that most SUNSI material is marked that way because if it "appeared on the front page of the Washington Post" it would make us cringe.
I'm not the only NRC employee who has been asking these questions. How we determine SUNSI is a concern shared by several of my colleagues.
Larry
Lawrence S. Criscione
573-230-3959
From: (b)(7)(C)
Sent: Wednesday, February 81 2015 3:48 PM
To: Criscione, Lawrence
Cc: Peters, Sean; Madden, Patrick
Subject: RE: OIG case 13-001 and OUO-SRI
http://www.internal.nrc.gov/sunsi/security.html as a source of information. Please take a look at the information at the link and let me know if it has the information you are seeking.
Regards
(b)(7)(C)
From: Criscione, Lawrence
Sent: Thursday, February 12, 2015 11:28 AM
To:
Subject: RE: OIG Case 13-001 and OUO-SRI
Thanks (b)(7)(C)
Daniel Cardenas referred me to Admin but did not give me the name of a contact.
From: (b)(7)(C)
Sent: Thursday, February 12, 2015 9:08 AM
To: Criscione, Lawrence
Subject: RE: OIG Case 13-001 and OUO-SRI
Let me make some phone calls Larry
(b)(7)(C)
From: Criscione, Lawrence
Sent: February 11, 2015 1:48 PM
To: (b)(7)(C)
Subject: OIG case 13-001 and OUO-SRI
(b)(7)(C)
Attached is the transcript from your 2012 interview with OIG concerning Case 13-001. It was provided to me as part of a Privacy Act request and I'm sending it along to you in case you would like a copy. Please see my email below to (b)(7)(C). I still have a lack of understanding on OUO-SRI, mostly stemming from the fact that-unlike SGI and classified information-it (1) is not portion marked, (2) has no derivative classifiers, and (3) is applied to such broad topics that it has no well-defined need-to-know (e.g. who has a need-to-know about the Oconee flooding issues? Is it only the narrow set of NRR employees addressing it? Or is it any concerned NRC employee who might have an opinion that adds to the discussion?)
V/r,
Larry
From: Criscione, Lawrence
Sent: February 11, 2015 1:37 PM
To: (b)(7)(C)
Subject: OIG Case 13-001
(b)(7)(C)
Attached is the transcript from your 2012 interview with OIG concerning Case 13-001. It was given to me as part of a Privacy Act request and I'm sending it along to you in case you would like a copy.
The investigation for Case 13-001 closed on September 11, 2013.
As part of the resolution to the PEER v. NRC lawsuit, on September 13, 2013 the NRC publicly released the two documents which were the subject of the NRC Form 183 security incident which was filed against me on September 20, 2012. Those documents can be found at:
http://pbadupws.nrc.gov/docs/ML1325/ML13256A372.pdf
http://pbadupws.nrc.gov/docs/ML1325/ML13256A370.pdf
The only redactions to those documents are my home address, my cell phone number and my personal email account. This indicates-to me-that I was not in error when I failed to mark these documents as "Official Use Only - Security-Related Information".
Given that OUO-SRI documents are not portion marked, I still have no understanding of:
- 1. How I am to determine what exactly in those documents is OUO-SRI
- 2. How-when I am preparing a downstream document which references information found in OUO-SRI documents-I am to determine the final designation of my document and who the authority is if I have questions
- 3. To whom do I appeal if I do not agree with the OUO-SRI designation of a document
- 4. How to determine who has a "need to know" with regard to OUO-SRI information
R,
Larry
From: Criscione, Lawrence
Sent: Tuesday, June 10, 2014 9:27 AM
To: Correia, Richard; Weber, Michael; Sheron, Brian; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward
Subject: Who Determines Need-to-Know?
Thanks Rich.
I'd like to clarify though that even if we have a precise definition, a large part of my concern is "Who determines need-to-know?"
For example, if I am confident that a document marked "Not for Public Disclosure" can go to a congressional office, can I send it to them or must I first go through OGC and OCA?
Or, if I am confident that an INL contractor has a need to know proprietary information we got from INPO, can I directly send it to him or do I first need to consult with my supervisor, the NRC owner of the INPO MOU, OGC, etc.?
From: Correia, Richard
Sent: Tuesday, June 10, 2014 7:02 AM
To: Criscione, Lawrence; Weber, Michael; Sheron, Brian; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward
Subject: RE: Need Assistance from RES and NTEU
Larry,
I contacted folks in the Information Security Branch of NSIR and they pointed out that "need to know" is defined in 10 CFR 73.2 for handling safeguards information. I'm not certain if it would have a similar definition for SUNSI. I'll follow up with OGC on whether need to know has a definition for SUNSI.
Rich
Richard Correia, PE
Director, Division of Risk Analysis
Office of Nuclear Regulatory Research
US NRC
richard.correia@nrc.gov
From: Criscione, Lawrence
Sent: Monday, June 02, 2014 5:50 PM
To: Weber, Michael; Sheron, Brian; Correia, Richard; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward
Subject: Need Assistance from RES and NTEU
Please see my October 25, 2012 email below to Dan Cardenas. I've highlighted several questions in that email which I never received answers to.
On October 25, 2012 I was directed to review our SUNSI guidance and to discuss it with the chief of the Facilities Security Branch. I reviewed the guidance but had some questions which, 19-months later, I still do not know the answers to.
I would like the assistance of RES management and the NTEU in obtaining answers from Mr. Cardenas. I believe I am not the only one at the NRC who is unclear as to what exactly constitutes a "need to know" and "conducting official government business". Better clarifying these terms, especially with regard to OIG Case 13-001 which led to a criminal referral to the Department of Justice, is in the interest of the NRC staff.
If you have advice for me as to how to obtain answers from the requisite SUNSI experts, please let me know.
Thank you,
Larry
Lawrence S. Criscione
573-230-3959
From: Criscione, Lawrence
Sent: Monday, June 02, 2014 5:35 PM
To: Cardenas, Daniel; Ross-Lee, MaryJane
Cc: Beasley, Benjamin; Peters, Sean; Correia, Richard; Sullivan, Randy; NTEU, Chapter 208; Burrows, Sheryl
Subject: FW: Questions
Dan,
Attached to this email is a document entitled "Exhibit 3 to OIG Case 13-001" which I received today in response to FOIA 2014-0236. The memo is undated. Could either you or (b)(7)(C) please tell me the date on which (b)(7)(C) sent this memo to (b)(7)(C)? Was it before or after our correspondence in the email trail below?
On February 4, 2013 agents of the NRC's Inspector General approached the Assistant US Attorney's office in Springfield, IL and requested of them that I be indicted on federal felony charges (18 USC §1030) for obtaining supposed security-sensitive information from a government database (i.e. NRC internal ADAMS) and supposedly colluding to distribute that information to the public (e.g. via a Congressional hearing). The information of concern was my September 18, 2012 letter to the NRC Chairman, the email distributing it, and the nine reference documents. These are the same documents of concern in our email trail below.
In an October 25, 2012 email (included immediately below) I asked you a series of questions regarding MD 12.6, various guidance you directed me to review (found at http://www.internal.nrc.gov/sunsi/), and an explanation of what exactly constitute "need to know" and "conducting official government business". I have highlighted those questions in the email below. The documents attached to this email refer to some of those questions.
I never received any answers to the questions I posed to you 19 months ago in the email below. And after being the subject of an OIG criminal investigation for the distribution of supposed security related documents to individuals without a supposed "need to know", I still do not know the answers to the questions I pose below.
OIG Case 13-001 has been closed for over 9 months. Please provide me answers to my questions below as I am still uncertain what exactly I can and cannot share with our Congressional overseers and the precise channels I am required to follow.
I look forward to your answers.
Thank you,
Larry
Lawrence S. Criscione
573-230-3959
From: Criscione, Lawrence
Sent: Thursday, October 25, 2012 9:37 PM
To: Cardenas, Daniel
Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy
Subject: Questions
- 1) In the attached document "2005-10-26 guidance.pdf" I've highlighted a sentence stating that portion markings are not required. However, in the document "2010-04-27 guidance.pdf" I've highlighted where it states:
When is portion or page marking required? On documents that may be released following redaction of sensitive information. If an entire page is not sensitive, place marking adjacent to the sensitive information.
I am a big believer in portion markings. It frustrates me to no end that none of the 2008-2012 OUO correspondence between the NRC and Duke Energy regarding Jocassee Dam is portion marked. This correspondence clearly meets the instructions above for requiring that the documents be portion marked. That is, the overwhelming majority of the pages in the NRC/Duke correspondence have portions that are not sensitive and this NRC correspondence with a licensee concerning a serious safety concern should certainly be released following redaction of sensitive information. Yet there are no portion markings. Which guidance is correct: the 2005-10-26 or the 2010-04-27 guidance? Should NRR's correspondence with Duke Energy from May 2010 through the present have been portion marked?
- 2) On page 2 of the attached "NRC Policy for Handling Marking and Protection SUNSI.pdf" I have highlighted a paragraph on "Need-To-Know Access". This paragraph contains the words:
"... no person, including employees of the U.S. Government, NRC, ... may have access to SUNSI unless that person has an established need-to-know the information for conducting official business."
I am unclear what exactly constitutes "an established need-to-know the information for conducting official business."
Some of my co-workers (particularly Richard Perkins, but many others as well) expressed concern to me that flooding issues at Oconee Nuclear Station and Fort Calhoun were not being adequately addressed. Although it is my job (and the job of all NRC employees) to take allegations from licensees, I do not believe it is my job (i.e. "conducting official business") to take allegations from my fellow NRC co-workers. Nonetheless, I reviewed some of the source documents regarding Jocassee Dam because I was concerned with the opinions I was hearing expressed from my co-workers. It was not my job to review these documents. Most of the review of these documents occurred after normal working hours, including times when - although allowed to be in the office or on Citrix - I am not allowed to formally work (i.e. beyond 8 pm, Sundays, while using annual leave/credit hours). Since I was reviewing this information on my own time and not "for conducting official business", was I violating the "Need-to-Know"?
Although I have only shared SUNSI with "employees of the U.S. Government", I am not certain all of them had "an established need-to-know the information for conducting official business":
Does a staffer on the Senate Committee on Homeland Security & Governmental Affairs have "an established need-to-know the information for conducting official business"? If he does, must I send him through the Office of Congressional Affairs? Am I violating "Need-to-Know" by directly sending him references he requested?
Does the Intern for Representative Duncan of South Carolina's 3rd congressional district have "an established need-to-know the information for conducting official business" when she is not investigating any matter for a congressional oversight committee and I am merely copying her as a courtesy to keep her representative abreast of a concern regarding a nuclear plant in his district?
Does the Office of the Special Counsel have "an established need-to-know the information for conducting official business" when the information is not being formally submitted with an OSC Form 12?
Does the Downstate Director (i.e. Springfield, IL office chief) of Senator Durbin have "an established need-to-know the information for conducting official business" when I am merely meeting with him to get his advice as to whether or not my senator would be willing to write the NRC Chairman regarding the NRC's SUNSI policies?
- 3) Assuming that the US Special Counsel or a congressional staffer has "an established need-to-know", I am uncertain as to what is required by the "Access" requirements on page 5 of Part II of MD 12.6. Prior to sharing SUNSI with the US Special Counsel or congressional staffers, before providing the information must I first consult the three parties listed in MD 12.6:
- NRC office originating the information
- Office that has primary interest in the information
- Source from which the information was derived
- 4) If I am writing a letter regarding how the Office of Nuclear Reactor Regulation is inappropriately stamping safety-related correspondence as "Security-Related Information", and if I am sending that letter to the US NRC Chairman and copying it to concerned congressional offices, and if I do not believe that marking the letter is essential to ensure proper handling and to ensure all persons having access to the letter will be aware that it (1) must not be publicly released and (2) must be distributed only to those who have a need-to-know to conduct official business, then am I in violation of MD 12.6 because I did not stamp the letter "Official Use Only-Security-Related Information"?
I was asked by a congressional staffer last month whether I believed the "Security-Related Information" stamps were hindering the open discussion of the Jocassee Dam/Oconee issue amongst the NRC staff. His concern was based on the fact that some of NRR's Jocassee Dam correspondence contain the stamp "Limited Internal Distribution Permitted". My answer to him was that, although I believed these stamps were inappropriately keeping a serious safety concern from public scrutiny, these markings were not in any way hindering the professional internal discussion of concerns regarding Jocassee Dam. Based on what I have read in MD 12.6 tonight, I do not know if I still agree with that answer. When possible, I would like to meet with you regarding the four questions above. Also, I have had people within the NRC request to see my 2012-09-18 letter to the chairman but I have been unwilling to share it with anyone since being told I was violating SUNSI guidance by not properly stamping it OUO-SRI. I would like to review that letter with you and get your assessment as to how it should be stamped.
R,
Larry
From: Criscione, Lawrence
Sent: Thursday, October 25, 2012 5:50 PM
To: Cardenas, Daniel
Subject: RE: Information Release
The version of MD 12.6 that is linked to in the SUNSI website is from December 20, 1999. Is this the version I am supposed to review or is there a more current revision?
From: Cardenas, Daniel
Sent: Thursday, October 25, 2012 5:39 PM
To: Criscione, Lawrence
Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy
Subject: Re: Information Release
Larry-If you have read and understand the SUNSI guidance, then a meeting may not be necessary. I will contact you if a meeting is necessary. In regards to transmission of SUNSI outside the NRC, please contact your supervisor as identified in MD 12.6 and follow applicable guidance located on the OIS SUNSI website.
Regards.
Dan
- Sent from an NRC Blackberry -
Daniel Cardenas, Chief
Facilities Security Branch
Division of Facilities and Security
Office of Administration
U. S. Nuclear Regulatory Commission
Office Email:
Office Number:
Cell Number:
Fax Number:
From: Criscione, Lawrence
To: Cardenas, Daniel
Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy
Sent: Thu Oct 25 17:31:31 2012
Subject: RE: Information Release
Daniel,
My Outlook calendar is up to date through the end of the year. I should be able to review MD 12.6 and the other guidance by tomorrow morning.
The only personnel outside the NRC to whom I have provided "Official Use Only - Security Related Information" are either with the Office of the Special Counsel, staffers of US Senators or staffers of members of the US House of Representatives. I will not release any additional information to the Office of the Special Counsel or to members of the US Congress until I have met with you.
Please send me a copy of the NRC Form 183 mentioned below so that I may review it prior to our meeting.
Is my union steward allowed to accompany me to the meeting?
V/r,
Larry Criscione
573-230-3959
From: Cardenas, Daniel
Sent: Thursday, October 25, 2012 5:01 PM
To: Criscione, Lawrence
Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen
Subject: Information Release
Importance: High
Mr. Criscione-I have received a NRC Form 183 "Report of Security Incident" indicating that you have released information (Official Use Only - Security Related Information, etc) to personnel outside of the NRC. This release of information must "stop" immediately. The guidance for handling Sensitive Unclassified non-Safeguards Information (SUNSI) is identified in MD 12.6 and on the OIS webpage. Please see the following link, which provides detailed information on the handling of this type of information.
win ernal.
If you have released any other information, you must cease these activities, and report the releases to the Director, Division of Facilities and Security.
Please schedule a time to discuss this matter with me.
Regards.
Daniel Cardenas
Chief, Facilities Security Branch
Division of Facilities and Security, Office of Administration
Location: T6-l'J
Office Email: Daniel.Cardenas@nrc.gov
Office Number: r3Q1 )4 t5;618
NRC Blackberry: (b)(6)
NRC Fax: (301)415-5132
From: Gagnon, Ronald
Sent: Tuesday, March 03, 2015 9:16 AM
To: Norman, Robert; Adler, James
Subject: FW: Need-to-Know requirements for SUNSI
Gentlemen,
Good morning. I thought that I would share the exchange below since part of what is discussed will soon fall under CUI.
Ron
Ronald E. Gagnon
CUI Program Manager
IT/IM Policy Branch
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873
From: Criscione, Lawrence
Sent: Tuesday, March 03, 2015 8:57 AM
To: Correia, Richard; West, Steven
Cc: Janney, Margie; Sullivan, Randy; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; Kanney, Joseph; Patterson, Malcolm; King, Mark; Burton, Thomas; Peters, Sean; Cardenas, Daniel; Gagnon, Ronald
Subject: RE: Need-to-Know requirements for SUNSI
Steve/Rich,
Once again, my direct questions on SUNSI were side-stepped. Other than items 1.d and 2.c below, I did not get answers but rather a re-iteration of obfuscated policies. Items 1.a, 1.b, and 1.c were dished off to you (i.e. my office leadership). Please provide me answers:
1.a) Who are the subject matter experts for flooding and dam failures?
1.b) What document designates them as such?
1.c) What guidance do they use to determine what is sensitive and what is not?
If you cannot answer these questions, it's likely because there is no appointed authority and guidance for determining what is and what is not SUNSI with regard to flooding/dam failure information. That is, we are not professionally addressing this issue but are rather just conservatively caving in to "speculative or abstract fears" instead of diligently balancing wide and open discussion of significant nuclear safety issues (e.g. a Fukushima scenario in South Carolina or Nebraska) against realistic terrorist capabilities and threats.
I find it disturbing that item 2.a cannot be directly answered. The answer should be: per federal law (5 USC §7211) Congressional offices have a de-facto right to information that is not otherwise legally restricted. That is, the right of Congress to receive information is vividly clear in 5 USC §7211 and as long as the sharing of that information does not conflict with other federal laws which the Congress has passed (e.g. laws limiting the distribution of Special Compartmentalized Information) then the information can be directly shared with any Congressional office (i.e. Congressional offices have a de-facto *need-to-know* with regard to SUNSI). I find it troubling that no one is willing to give me this answer. By failing to give me this answer, I am unsure as to whether or not I am allowed-if I feel a significant nuclear safety issue is not being adequately addressed-"to petition Congress or a Member of Congress, or to furnish information to either House of Congress, or to a committee or Member thereof". Please clarify whether or not the technical staff needs to obtain any permissions-such as permission from either their chain of command or from the Office of Congressional Affairs-prior to sharing information with a Congressional office.
Item 2.b is about internal need-to-know as it relates to SUNSI. Late last year, Richard Perkins shared a document with me that pertained to guidance provided for using Exemption 5 (pre-decisional information) in preparing documents for release under the FOIA. That guidance was marked "Attorney-Client Privilege" (a form of SUNSI). Note that I did not need "access to specific information to perform or assist in a lawful and authorized governmental function". That is, I was not assigned to work on a FOIA that required use of the guidance. Richard shared it with me because he was concerned the guidance was illegal and he wanted my opinion. Did he violate "need-to-know"?
I have never been assigned any work pertaining to addressing flooding at nuclear power plants. Yet many of the people copied on this email have discussed SUNSI documents with me pertaining to that issue. Are they violating "need-to-know"? If so, how are they to determine with which of their colleagues can they discuss this nuclear safety issue? How are they to "make a determination that a prospective recipient requires access to specific information to perform or assist in a lawful and authorized governmental function"? For example, how is someone from NRR to know whether or not I have been authorized to work on flooding? Are they to contact my branch chief prior to having any discussion with me? And what then when they are told I am not assigned to work on any flooding issues? Are they allowed to collegially get my opinion on the documents anyway? Or is this nuclear safety information to be silo'd in the same manner that Special Compartmentalized Information concerning military operations is rightfully silo'd? These are not rhetorical questions. Please provide me answers. Are we allowed to get our colleague's opinions on issues to which they were not formally assigned?
Finally, if these are truly matters that should be decided at the office level (as Ron Gagnon indicated in his response below) then I would like to volunteer to become the RES subject matter expert on security issues surrounding flooding and dam failure-assuming my branch chief would support that. I will gladly determine what federal courses and workshops are available concerning the determination of security sensitivity and regarding open government initiatives. I can attend those workshops and develop guidance that diligently balances the public's right to know about significant nuclear safety issues against any legitimate security concerns that might exist.
V/r, Larry From: Gagnon, Ronald Sent: Monday, March 02, 2015 1:49 PM To: Criscione, Lawrence Cc: Janney, Margie; Correia, Richard; Sullivan, Randy; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; Kanney, Joseph; Patterson, Malcolm; King, Mark; Burton, Thomas; Peters, Sean; Cardenas, Daniel
Subject:
RE: Need-to-Know requirements for SUNSI
- Larry, Please see my replies adjacent to your questions.
Thank you, Ron Ronald E. Gagnon OIS / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: Criscione, Lawrence Sent: Friday, February 27, 2015 3:23 PM To: Gagnon, Ronald Cc: Janney, Margie; Correia, Richard; Sullivan, Randy; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; Kanney, Joseph; Patterson, Malcolm; King, Mark; Burton, Thomas; Peters, Sean; Cardenas, Daniel
Subject:
RE: Need-to-Know requirements for SUNSI Thanks Ronald. I've copied some colleagues on this email so they can see your answer below and so that they might contact you if they have their own questions about it.
I've highlighted two items below that are still unclear (subject matter expert and need-to-know determination):
1.a) Who are the subject matter experts for flooding and dam failures? Check with your office leadership.
1.b) What document designates them as such? Check with your office leadership.
1.c) What guidance do they use to determine what is sensitive and what is not? Check with your office leadership, (reference internal NRC SUNSI, SGI, Classified guidance).
1.d) If you disagree with their determination, is there an appeal process?
As you probably already know, NRC has a mechanism in place where differing professional opinions can be discussed and resolved. The NRC Differing Professional Opinions Program, Management Directive 10.159 states the following objectives: To foster informal discussions with peers and supervisors on issues involving professional judgments that may differ from a currently held view or practice, To establish a formal process for expressing differing professional opinions (DPOs) concerning issues directly related to the mission of NRC, To ensure the full consideration and prompt disposition of DPOs by affording an independent, impartial review by knowledgeable personnel, To ensure that all employees have the opportunity to (a) express DPOs in good faith, (b) have their views heard and considered by NRC management, and (c) be kept fully informed of the status of milestones throughout the process, To protect employees from retaliation in any form for expressing a differing opinion, To recognize submitters of DPOs when their DPOs have resulted in significant contributions to the mission of the agency, To provide for agency-wide oversight and monitoring, to ensure that implementation of these procedures accomplishes the stated objectives, and to recommend appropriate changes when required.
2.a) For SUNSI, do we (i.e. the technical staff) need to obtain our supervisor's permission prior to sharing information with a Congressional office? This question is outside the scope of SUNSI. Please check with your leadership for official NRC policies regarding communications with Congress. The Office of Congressional Affairs should be able to articulate current policies regarding this question.
2.b) For SUNSI that is related to nuclear safety issues or to agency policies on applying FOIA redactions (i.e. not PII, allegation material, or other highly specific forms of SUNSI that have nothing to do with typical NRC correspondence and reports) do we need our supervisor's permission prior to discussing the information with our NRC colleagues who are not formally assigned to work on the issue? That is, can I share nuclear safety information with my NRC co-workers even though that information has been designated SUNSI and they have not been formally assigned to work on the issue? Please check with your leadership and the FOIA office (if you have a FOIA redaction question). As you are aware, in addition to having authorized access to SUNSI information there is a need to know component to SUNSI. In order to allow access to another party, an authorized holder of SUNSI information must make a determination that a prospective recipient requires access to specific information to perform or assist in a lawful and authorized governmental function.
2.c) If I can get to it in ADAMS, can I assume I have a de-facto right to know it? Perhaps, but not exclusively. For example, if a document has been mistakenly categorized/ entered into ADAMS it does not give an employee the right to view or distribute it without the proper access credentials. If a government employee came across a classified document on-line through a Google search, that government employee is not authorized access unless they have the proper clearance and need to know, even though the document is easily available to anyone searching for it. If not, how do I determine that I have accessed a document that I have no right to see and to whom do I report it? One way to report a document spill would be by advising your supervisor and accessing the following link:
http://www.internal.nrc.govnncident.html (please note that other notifications may be necessary depending on the type of spill).
R/
Larry From: Gagnon, Ronald Sent: Friday, February 27, 2015 2:15 PM To: Criscione, Lawrence Cc: Janney, Margie; Correia, Richard
Subject:
RE: Need-to-Know requirements for SUNSI
Good afternoon Larry.
It was a pleasure speaking with you this afternoon. During our conversation we explored several topics including your questions below. We discussed the Controlled Unclassified Program (CUI) and how it would consolidate the SUNSI and SGI programs at the NRC, and how it would offer a government-wide, uniform way of handling sensitive unclassified information. You asked the following SUNSI related questions:
If I am referencing a document marked SUNSI, since there are no portion markings how do I determine what material is SUNSI and what is not? If I reference anything in the document, must my new document now be marked as SUNSI?
Derivative products should always be marked to ensure that the sensitive information in the document is fully protected according to agency policy. If the document is not portion marked, then the entire document is considered SUNSI until such time as a subject matter expert determines otherwise.
Documents that are marked SUNSI and not portion marked can be reviewed by the originator to determine which portion is sensitive, i.e. 2.390 information. A derivative document using any information from a SUNSI document that is not portion marked must have the referenced portion marked as SUNSI.
- 2. How do I determine need-to-know with regard to SUNSI? If I come across an interesting nuclear issue (e.g. a nuclear site which some colleagues believe is inadequately protected from flooding), can I discuss that issue with my fellow employees or is there some type of vetting process I must use? That is, are unclassified and non-Safeguards nuclear safety concerns fair game for discussion with all NRC colleagues or must information be "silo-ed" into a tightly controlled group of individuals who are officially assigned to address the issue?
Need-to-know typically means a determination made by an authorized holder of information that a prospective recipient requires access to specific information to perform or assist in a lawful and authorized governmental function. This determination would be made by the leadership elements in the office where the work is performed.
Please let me know if I can be of further assistance.
Thank you for your questions.
Ronald E. Gagnon OIS / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: SUNSI Resource Sent: Wednesday, February 25, 2015 7:44 AM To: Gagnon, Ronald; Janney, Margie Subject: FW: Need-to-Know requirements for SUNSI From: Criscione, Lawrence Sent: Wednesday, February 25, 2015 7:44:21 AM To: SUNSI Resource Cc: Correia, Richard; Peters, Sean; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; King, Mark; Burton, Thomas; Patterson, Malcolm; Kanney, Joseph
Subject:
Need-to-Know requirements for SUNSI Auto forwarded by a Rule SUNSI Resource:
I have some questions regarding SUNSI which my division director has been attempting to help me get answered. He provided me the following references but neither of them address the questions I have:
NRC's SRI guidance: http://www.internal.nrc.gov/sunsi/security.html FAQs available on the SUNSI website address commonly requested topics:
http://www.internal.nrc.gov/sunsi/faq.html My questions are:
1. If I am referencing a document marked SUNSI, since there are no portion markings how do I determine what material is SUNSI and what is not? If I reference anything in the document, must my new document now be marked as SUNSI?
2. How do I determine need-to-know with regard to SUNSI? If I come across an interesting nuclear issue (e.g. a nuclear site which some colleagues believe is inadequately protected from flooding), can I discuss that issue with my fellow employees or is there some type of vetting process I must use? That is, are unclassified and non-Safeguards nuclear safety concerns fair game for discussion with all NRC colleagues or must information be "silo-ed" into a tightly controlled group of individuals who are officially assigned to address the issue?
Also, I have some comments about the "SUNSI Awareness Training" linked to from the SUNSI "Frequently Asked Questions" website (and attached to this email). On slide 6 a colloquial definition of SUNSI is provided as:
- or put another way... If information appeared on the front page of the Washington Post and you cringe when you see it.... It's probably sensitive.
I believe that:
The above definition is deleterious to our goals of openness and transparency.
Unfortunately, your colloquial definition is broadly used within the NRC. That is, it is my experience that most SUNSI material is marked that way because if it appeared on the front page of the Washington Post it would make us cringe.
I'm not the only NRC employee who has been asking these questions. How we determine SUNSI is a concern shared by several of my colleagues.
Larry Lawrence S. Criscione 573-230-3959
Sent: Wednesday, February 18, 2015 3:48 PM To: Criscione, Lawrence Cc: Peters, Sean; Madden, Patrick
Subject:
RE: OIG case 13-001 and OUO-SRI
http://www.internal.nrc.gov/sunsi/security.html as a source of information. Please take a look at the information at the link and let me know if it has the information you are seeking.
Regards (b)(7)(C)
From: Criscione, Lawrence Sent: February 12, 2015 11:28 AM To: (b)(7)(C)
Subject: RE: OIG Case 13-001 and OUO-SRI Thanks~
Daniel Cardenas referred me to Admin but did not give me the name of a contact.
Thursday, February 12, 2015 9:08 AM To: Criscione, Lawrence
Subject:
RE: OIG Case 13-001 and OUO-SRI Let me make some phone calls Larry (b)(7)(C)
From: Criscione, Lawrence Sent: February 11, 2015 1:48 PM To: (b)(7)(C)
(b)(7)(C) Attached is the transcript from your 2012 interview with OIG concerning Case 13-001. It was provided to me as part of a Privacy Act request and I'm sending it along to you in case you would like a copy.
Please see my email below to Daniel Cardenas. I still have a lack of understanding on OUO-SRI, mostly stemming from the fact that-unlike SGI and classified information-it (1) is not portion marked, (2) has no derivative classifiers, and (3) is applied to such broad topics that it has no well-defined need-to-know (e.g. who has a need-to-know about the Oconee flooding issues? Is it only the narrow set of NRR employees addressing it? Or is it any concerned NRC employee who might have an opinion that adds to the discussion?).
V/r, Larry From: Criscione, Lawrence Sent: February 11, 2015 1:37 PM To: (b)(7)(C)
Subject:
OIG Case 13-001 (b)(7)(C)
Attached is the transcript from your 2012 interview with OIG concerning Case 13-001. It was given to me as part of a Privacy Act request and I'm sending it along to you in case you would like a copy.
The investigation for Case 13-001 closed on September 11, 2013.
As part of the resolution to the PEER v. NRC lawsuit, on September 13, 2013 the NRC publicly released the two documents which were the subject of the NRC Form 183 security incident which was filed against me on September 20, 2012. Those documents can be found at:
http://pbadupws.nrc.gov/docs/ML1325/ML13256A372.pdf
http://pbadupws.nrc.gov/docs/ML1325/ML13256A370.pdf
The only redactions to those documents are my home address, my cell phone number and my personal email account. This indicates-to me-that I was not in error when I failed to mark these documents as "Official Use Only - Security-Related Information". Given that OUO-SRI documents are not portion marked, I still have no understanding of:
- 1. How I am to determine what exactly in those documents is OUO-SRI
- 2. How-when I am preparing a downstream document which references information found in OUO-SRI documents-I am to determine the final designation of my document and who the authority is if I have questions
- 3. To whom do I appeal if I do not agree with the OUO-SRI designation of a document
- 4. How to determine who has a "need to know" with regard to OUO-SRI information R,
Larry From: Criscione, Lawrence Sent: Tuesday, June 10, 2014 9:27 AM To: Correia, Richard; Weber, Michael; Sheron, Brian; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward
Subject:
Who Determines Need-to-Know?
Thanks Rich.
I'd like to clarify though that even if we have a precise definition, a large part of my concern is "Who determines need-to-know?"
For example if I am confident that a document marked "Not for Public Disclosure" can go to a congressional office, can I send it to them or must I first go through OGC and OCA?
Or, if I am confident that an INL contractor has a need to know proprietary information we got from INPO, can I directly send it to him or do I first need to consult with my supervisor, the NRC owner of the INPO MOU, OGC, etc.?
From: Correia, Richard Sent: Tuesday, June 10, 2014 7:02 AM To: Criscione, Lawrence; Weber, Michael; Sheron, Brian; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward
Subject:
RE: Need Assistance from RES and NTEU
- Larry,
I contacted folks in the Information Security Branch of NSIR and they pointed out that "need to know" is defined in 10 CFR 73.2 for handling safeguards information. I'm not certain if it would have a similar definition for SUNSI. I'll follow up with OGC on whether need to know has a definition for SUNSI.
Rich Richard Correia, PE
- Director, Division of Risk Analysis Office of Nuclear Regulatory Research USNRC richard.correia@nrc.gov From: Criscione, Lawrence Sent: Monday, June 02, 2014 5:50 PM To: Weber, Michael; Sheron, Brian; Correia, Richard; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward
Subject:
Need Assistance from RES and NTEU Please see my October 25, 2012 email below to Dan Cardenas. I've highlighted several questions in that email which I never received answers to.
On October 25, 2012 I was directed to review our SUNSI guidance and to discuss it with the chief of the Facilities Security Branch. I reviewed the guidance but had some questions which, 19-months later, I still do not know the answers to.
I would like the assistance of RES management and the NTEU in obtaining answers from Mr. Cardenas. I believe I am not the only one at the NRC who is unclear as to what exactly constitutes a "need to know" and "conducting official government business". Better clarifying these terms, especially with regard to OIG Case 13-001 which led to a criminal referral to the Department of Justice, is in the interest of the NRC staff.
If you have advice for me as to how to obtain answers from the requisite SUNSI experts, please let me know.
Thank you, Larry Lawrence S. Criscione 573-230-3959 From: Criscione, Lawrence Sent: Monday, June 02, 2014 5:35 PM To: Cardenas, Daniel; Ross-Lee, MaryJane Cc: Beasley, Benjamin; Peters, Sean; Correia, Richard; Sullivan, Randy; NTEU, Chapter 208; Burrows, Sheryl
Subject:
FW: Questions
- Dan, Attached to this email is a document entitled "Exhibit 3 to OIG Case 13-001" which I received today in response to FOIA 2014-0236. The memo is undated. Could either you or (b)(7)(C) please tell me the date on which (b)(7)(C) sent this memo to (b)(7)(C)? Was it before or after our correspondence in the email trail below?
On February 4, 2013 agents of the NRC's Inspector General approached the Assistant US Attorney's office in Springfield, IL and requested of them that I be indicted on federal felony charges (18 USC §1030) for obtaining supposed security-sensitive information from a government database (i.e. NRC internal ADAMS) and supposedly colluding to distribute that information to the public (e.g. via a Congressional hearing). The information of concern was my September 18, 2012 letter to the NRC Chairman, the email distributing it, and the nine reference documents. These are the same documents of concern in our email trail below.
In an October 25, 2012 email (included immediately below) I asked you a series of questions regarding MD 12.6, various guidance you directed me to review (found at http://www.internal.nrc.gov/sunsi/), and an explanation of what exactly constitute "need to know" and "conducting official government business". I have highlighted those questions in the email below. The documents attached to this email refer to some of those questions.
I never received any answers to the questions I posed to you 19 months ago in the email below. And after being the subject of an OIG criminal investigation for the distribution of supposed security related documents to individuals without a supposed "need to know", I still do not know the answers to the questions I pose below.
OIG Case 13-001 has been closed for over 9 months. Please provide me answers to my questions below as I am still uncertain what exactly I can and cannot share with our Congressional overseers and the precise channels I am required to follow.
I look forward to your answers.
Thank you, Larry Lawrence S. Criscione 573-230-3959 From: Criscione, Lawrence Sent: Thursday, October 25, 2012 9:37 PM To: Cardenas, Daniel Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy
Subject:
Questions
- 1) In the attached document "2005-10-26 guidance.pdf" I've highlighted a sentence stating that portion markings are not required. However, in the document "2010-04-27 guidance.pdf" I've highlighted where it states:
When is portion or page marking required? On documents that may be released following redaction of sensitive information. If an entire page is not sensitive, place marking adjacent to the sensitive information.
I am a big believer in portion markings. It frustrates me to no end that none of the 2008-2012 OUO correspondence between the NRC and Duke Energy regarding Jocassee Dam is portion marked. This correspondence clearly meets the instructions above for requiring that the documents be portion marked. That is, the overwhelming majority of the pages in the NRC/Duke correspondence have portions that are not sensitive and this NRC correspondence with a licensee concerning a serious safety concern should certainly be released following redaction of sensitive information. Yet there are no portion markings. Which guidance is correct: the 2005-10-26 or the 2010-04-27 guidance? Should NRR's correspondence with Duke Energy from May 2010 through the present have been portion marked?
- 2) On page 2 of the attached "NRC Policy for Handling Marking and Protection SUNSI.pdf" I have highlighted a paragraph on "Need-To-Know Access". This paragraph contains the words:
"... no person, including employees of the U.S. Government, NRC,....... may have access to SUNSI unless that person has an established need-to-know the information for conducting official business."
I am unclear what exactly constitutes "an established need-to-know the information for conducting official business."
Some of my co-workers (particularly Richard Perkins, but many others as well) expressed concern to me that flooding issues at Oconee Nuclear Station and Fort Calhoun were not being adequately addressed. Although it is my job (and the job of all NRC employees) to take allegations from licensees, I do not believe it is my job (i.e. "conducting official business") to take allegations from my fellow NRC co-workers. Nonetheless, I reviewed some of the source documents regarding Jocassee Dam because I was concerned with the opinions I was hearing expressed from my co-workers. It was not my job to review these documents. Most of the review of these documents occurred after normal working hours, including times when - although allowed to be in the office or on Citrix - I am not allowed to formally work (i.e. beyond 8 pm, Sundays, while using annual leave/credit hours). Since I was reviewing this information on my own time and not "for conducting official business", was I violating the "Need-to-Know"?
Although I have only shared SUNSI with "employees of the U.S. Government", I am not certain all of them had "an established need-to-know the information for conducting official business":
Does a staffer on the Senate Committee on Homeland Security & Governmental Affairs have "an established need-to-know the information for conducting official business"? If he does, must I send him through the Office of Congressional Affairs? Am I violating "Need-to-Know" by directly sending him references he requested?
Does the intern for Representative Duncan of South Carolina's 3rd congressional district have "an established need-to-know the information for conducting official business" when she is not investigating any matter for a congressional oversight committee and I am merely copying her as a courtesy to keep her representative abreast of a concern regarding a nuclear plant in his district?
Does the Office of the Special Counsel have "an established need-to-know the information for conducting official business" when the information is not being formally submitted with an OSC Form 12?
Does the Downstate Director (i.e. Springfield, IL office chief) of Senator Durbin have "an established need-to-know the information for conducting official business" when I am merely meeting with him to get his advice as to whether or not my senator would be willing to write the NRC Chairman regarding the NRC's SUNSI policies?
- 3) Assuming that the US Special Counsel or a congressional staffer has "an established need-to-know", I am uncertain as to what is required by the "Access" requirements on page 5 of Part II of MD 12.6. Prior to sharing SUNSI with the US Special Counsel or congressional staffers, before providing the information must I first consult the three parties listed in MD 12.6:
NRC office originating the information
Office that has primary interest in the information
Source from which the information was derived
- 4) If I am writing a letter regarding how the Office of Nuclear Reactor Regulation is inappropriately stamping safety-related correspondence as "Security-Related Information", and if I am sending that letter to the US NRC Chairman and copying it to concerned congressional offices, and if I do not believe that marking the letter is essential to ensure proper handling and to ensure all persons having access to the letter will be aware that it (1) must not be publicly released and (2) must be distributed only to those who have a need-to-know to conduct official business, then am I in violation of MD 12.6 because I did not stamp the letter "Official Use Only-Security-Related Information"?
I was asked by a congressional staffer last month whether I believed the "Security-Related Information" stamps were hindering the open discussion of the Jocassee Dam/Oconee issue amongst the NRC staff. His concern was based on the fact that some of NRR's Jocassee Dam correspondence contain the stamp "Limited Internal Distribution Permitted". My answer to him was that, although I believed these stamps were inappropriately keeping a serious safety concern from public scrutiny, these markings were not in any way hindering the professional internal discussion of concerns regarding Jocassee Dam. Based on what I have read in MD 12.6 tonight, I do not know if I still agree with that answer. When possible, I would like to meet with you regarding the four questions above. Also, I have had people within the NRC request to see my 2012-09-18 letter to the chairman but I have been unwilling to share it with anyone since being told I was violating SUNSI guidance by not properly stamping it OUO - SRI. I would like to review that letter with you and get your assessment as to how it should be stamped.
R, Larry From: Criscione, Lawrence Sent: Thursday, October 25, 2012 5:50 PM To: Cardenas, Daniel
Subject:
RE: Information Release The version of MD 12.6 that is linked to in the SUNSI website is from December 20, 1999. Is this the version I am supposed to review or is there a more current revision?
From: Cardenas, Daniel Sent: Thursday, October 25, 2012 5:39 PM To: Criscione, Lawrence Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy
Subject:
Re: Information Release Larry-If you have read and understand the SUNSI guidance, then a meeting may not be necessary. I will contact you if a meeting is necessary. In regards to transmission of SUNSI outside the NRC, please contact your supervisor as identified in MD 12.6 and follow applicable guidance located on the OIS SUNSI website.
Regards.
Dan
~ Sent from an NRC Blackberry ~
Daniel Cardenas, Chief Facilities Security Branch Division of Facilities and Security Office of Administration U. S. Nuclear Regulatory Commission Office Email: Daniel.Cardenas1@nrc.gov Office Number: (301) 4 l 6-6164 Cell Number: (b)(6)
Fax Number: (301) 415-5132 From: Criscione, Lawrence To: Cardenas, Daniel Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy Sent: Thu Oct 25 17:31:31 2012
Subject:
RE: Information Release
- Daniel,
My Outlook calendar is up to date through the end of the year. I should be able to review MD 12.6 and the other guidance by tomorrow morning.
The only personnel outside the NRC to whom I have provided "Official Use Only-Security Related Information" are either with the Office of the Special Counsel, staffers of US Senators or staffers of members of the US House of Representatives. I will not release any additional information to the Office of the Special Counsel or to members of the US Congress until I have met with you.
Please send me a copy of the NRC Form 183 mentioned below so that I may review it prior to our meeting.
Is my union steward allowed to accompany me to the meeting?
V/r, Larry Criscione 5 73-230-3959 From: Cardenas, Daniel Sent: Thul'Sday, October 25, 2012 5:01 PM To: Criscione, Lawrence Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen
Subject:
Information Release Importance: High Mr. Criscione-I have received a NRC Form 183 "Report of Security Incident" indicating that you have released information (Official Use Only - Security Related Information, etc) to personnel outside of the NRC. This release of information must "stop" immediately. The guidance for handling Sensitive Unclassified non-Safeguards Information (SUNSI) is identified in MD 12.6 and on the OIS webpage. Please see the following link, which provides detailed information on the handling of this type of information.
http://www.internal.nrc.gov/sunsi/
If you have released any other information, you must cease these activities, and report the releases to the Director, Division of Facilities and Security.
Please schedule a time to discuss this matter with me.
Regards.
Daniel Cardenas Chief, Facilities Security Branch Division of Facilities and Security, Office of Administration Location: T6-13J Office Email: Daniel.Cardenas1@nrc.gov Office Number: (301) 415-6184 NRC Blackberry: (b)(6) NRC Fax: (301) 415-5132
NRC Policy for Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information
A. Purpose and Scope
This policy is issued to ensure that sensitive unclassified non-safeguards information (SUNSI) is properly handled, marked, and adequately protected from unauthorized disclosure.
"SUNSI" refers to any information of which the loss, misuse, modification, or unauthorized access can reasonably be foreseen to harm the public interest, the commercial or financial interests of the entity or individual to whom the information pertains, the conduct of NRC and Federal programs, or the personal privacy of individuals.
The various categories of SUNSI have been organized into the following nine groups:
- Allegation information
- Investigation information
- Critical Electric Infrastructure Information (CEII)
- Export Controlled Information (ECI)
- Security-related information
- Proprietary information
- Privacy Act information
- Federal-, State-, foreign government-, and international agency-controlled information
- Sensitive internal information
To the extent that requirements under a section for a particular SUNSI group were already stipulated in a statute, regulation, or other directive, the requirements have been incorporated into this policy. The requirements set forth in this policy and procedures for handling allegation information come from Management Directive (MD) 8.8, "Management of Allegations." The requirements for the handling of Privacy Act information come from the Privacy Act of 1974, as amended, and MD 3.2, "Privacy Act." The requirements for marking incoming confidential commercial or financial (proprietary) information come from 10 CFR 2.390. Requirements for electronic processing, storage, destruction, and transmission of SUNSI can be found in MD 12.6.
When more than one SUNSI group applies to information, the most restrictive handling requirement of the applicable groups should be applied.
B. Applicability
NRC employees, consultants, and contractors are responsible for ensuring the procedures specified in this announcement are followed to protect SUNSI. The use of the word "contractors" includes subcontractors.
C. Handling Requirements for SUNSI
Web Address for Handling Requirements
The handling requirements for SUNSI are published on the NRC internal Web site at http://drupal.nrc.gov/sunsi. The Web site contains detailed requirements for each of nine SUNSI groups in the following fourteen areas:
- Applicable document categories
- Authority to designate
- Access
- Marking
- Cover sheet
- Reproduction
- Processing on electronic systems
- Use at home
- Use while traveling or commuting
- Physical copy transmission
- Electronic copy transmission
- Storage
- Destruction
- Decontrol authority
D. Generally Applicable Requirements
1. Marking
Each document containing SUNSI must be properly and fully marked when such markings are required for the SUNSI group. (See item 4, Marking, in the SUNSI group handling requirements http://drupal.nrc.gov/sunsi.)
2. Need-To-Know Access
A security clearance is not required for access to SUNSI. However, except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business.
If doubt exists in any particular case whether it is proper to grant access to SUNSI originating from outside the NRC, NRC contractors, or NRC licensees or applicants, consult with the originating party, the party responsible for the information, or other source from which the information is derived.
3. Ensuring legible markings on copies
All copies must clearly show the protective markings on the original document. Markings on documents submitted for reproduction should be in black or red and dark enough to be reproduced legibly.
4. Packaging SUNSI for Physical Transmission
Material used for packaging SUNSI for physical transmission must be opaque and of such strength and durability as to provide secure protection for the document in transit, prevent items from breaking out of the container, and facilitate the detection of any tampering with the container.
5. Profiling SUNSI in ADAMS
When a document containing SUNSI is authorized to be entered into the Agencywide Documents Access and Management System (ADAMS), personnel entering the document must ensure that one of the sensitive values (e.g., Sensitive-Security Related - Periodic Review Required, Sensitive-Proprietary, Sensitive-Protected subject to adjudicatory order, etc.) is marked in the "Document Sensitivity" profile property and that the "Availability" profile property is marked as "Non-Publicly Available."
Identifying the appropriate document sensitivity and availability along with the markings on the documents will aid in protecting SUNSI. It will also alert staff to the sensitivity of the document when it is requested under the Freedom of Information Act (FOIA) or the Privacy Act, thus ensuring that the document is properly reviewed under FOIA and Privacy Act exemptions standards.
6. Removal of Markings
Normally, a document will retain its markings until the agency decides that the document will be made public either on its own discretion or in response to a FOIA request. Before releasing a document with a SUNSI marking, the marking on the copy to be released should preferably be blackened out or, at a minimum, marked through in such a way that it conveys that the marking is no longer applicable to the document. This should be done on each page containing a marking.
7. Inadvertent or Unauthorized Release of SUNSI
Whenever SUNSI is inadvertently released or disclosed by NRC personnel or contractors, a security incident has occurred. Some examples of SUNSI-related security incidents include leaving sensitive unclassified documents or material unattended, unsecured, or improperly stored (including on shared network drives unless access controls are applied); improper transmission of sensitive unclassified documents or material; allowing an unauthorized person access to sensitive unclassified information; and/or failure to safeguard a sensitive unclassified lock combination.
In the event of a SUNSI security incident, in accordance with MD 3.4, "Release of Information to the Public," the office director shall promptly inform the Executive Director for Operations (EDO) and the Office of the Inspector General (OIG).
In accordance with MD 12.1, "NRC Facility Security Program," NRC employees and contractors shall report all security incidents immediately following their occurrence or observed occurrence by:
A. Completing and submitting an NRC Form 183, "Report of Security Incident." If necessary, the initial report to the Division of Facilities and Security (DFS) may be made orally but must be finalized in writing by submitting an NRC Form 183 to DFS. A report should not contain any SGI or classified information unless the report is protected according to the level of information involved when transmitted or verbally communicated to DFS through an authorized secure telecommunications system or secure information technology (IT) system. A security incident may be initially reported by telephone to 301-415-6885, or online at http://drupal.nrc.gov/content/report-safety-or-security-incident.
B. A contractor shall immediately report a security incident to DFS and send a copy to the NRC project officer and/or Contract Officer Representative (COR) and the regional security advisor, if appropriate. The report must include the details of the incident, as well as the name of the person who committed it. If the contractor does not have the capability to complete and submit the NRC Form 183, the COR must do so on behalf of the contractor.
C. The NRC Form 183 must contain the following:
- 1) The full name of the individual involved;
- 2) The individual's office and title or if a contractor, the company and COR's name;
- 3) The classification of the information involved, but not the vulnerability if it has not been corrected; and
- 4) The date, reason or cause, and nature of the incident.
8. Consequences of non-compliance with protecting SUNSI
Consequences of non-compliance with protecting SUNSI may include:
A. Removal of system access for a specified period of time;
B. Mandated training regarding the information about the specific security incident; and/or
C. Possible disciplinary action up to and including removal from Federal service or the contract. (See MD 12.1, "NRC Facility Security Program," and MD 12.5, "NRC Cybersecurity Program").
9. Release of Information to the Public
Each document considered for routine release to the public by the agency must be reviewed to determine whether the document is releasable under NRC policy (see MD 3.4, "Release of Information to the Public"), including application of screening criteria for determining if information should be withheld from public disclosure because it could reasonably be expected to be useful to a potential adversary. (See http://drupal.nrc.gov/sunsi/34661.)
Each document requested by the public via FOIA or the Privacy Act must be reviewed to determine whether the document, or part thereof, is releasable or is exempt from public disclosure. (See MD 3.1, "Freedom of Information Act" and MD 3.2, "Privacy Act.")
The presence or absence of cover sheets or markings as "Allegation Information," "Investigation Information," or similar markings, does not determine whether a document may be withheld from the public. Whenever an NRC employee has a question regarding the releasability of information, the employee should consult with the employee's supervisor or-
- The Governance & Enterprise Management Services Division (GEMSD), Office of the Chief Information Officer (OCIO) if a request for information involves the Freedom of Information Act (FOIA) or the Privacy Act. (See MD 3.1, "Freedom of Information Act" and MD 3.2, "Privacy Act.")
- The Office of Enforcement (OE) regarding allegation information.
- The Office of Investigations (OI) regarding OI investigation information.
- The Office of the Inspector General (OIG) regarding OIG investigation information.
- The Office of Nuclear Reactor Regulation (NRR) or the Office of Nuclear Material Safety and Safeguards (NMSS), as appropriate, on whether a document contains 10 CFR 2.390(d)(1) information.
- The Office of the General Counsel (OGC), or appropriate regional counsel, on legal questions.
Other Government and International agencies should be consulted before documents bearing restrictive markings or containing SUNSI of primary interest to them are released to the public.
10. "No Comment" Policy for SUNSI
Should SUNSI appear in the public domain (e.g., newspapers) prior to the agency's official release of that information and should an NRC employee be contacted by an organization outside of the agency to confirm or deny either the accuracy or sensitivity of the released information, the NRC employee should respond to such a request with a "no comment" statement. If an NRC employee has any questions about how to handle a request for comment about an unauthorized release of SUNSI, the employee should consult with the employee's supervisor or the originator of the information.
11. Security Preparations Required for Hearings, Conferences, or Discussions
NRC personnel, NRC consultants, NRC contractor personnel, and others (e.g., bidders) who arrange or participate in hearings, conferences, or discussions (see MD 3.5, "Attendance at NRC Staff Sponsored Meetings") involving SUNSI shall-
- Ensure before a hearing, conference, or discussion that participating personnel are identified and are authorized to have access to the information to be discussed.
- Inform participating personnel that the specific information they will receive is SUNSI and advise them of the protective measures required.
- Ensure that no discussion takes place that is audible or visible to persons not authorized access to the information.
8/3/2020 Security-Related Information | NRC Intranet
Security-Related Information
CONTENT OWNER
Page content maintained by: SUNSI.Resource@nrc.gov
APPLICABLE DOCUMENT CATEGORIES
- 10 CFR 2.390 Information
- Information that could be useful, or could reasonably be expected to be useful to a terrorist in a potential attack that does not qualify as Safeguards or Classified Information (see Staff Guidance for Screening Documents that Could be Useful to a Terrorist)
AUTHORITY TO DESIGNATE
NRC-Originated Information: The originator proposes and the signer approves designation.
Information Received by NRC: The office principally responsible for the information.
ACCESS
Who may have access?
NRC staff, contractors, or consultants who have a need-to-know the information to perform their official duties.
NEED-TO-KNOW CONTROLS
Do Need-to-know controls apply?
- Need-to-know controls must be applied to the information.
- Recommend the establishment of pre-designated user groups that exclude administrative, other select Offices and/or groups that do not have an obvious mission need from access.
https://drupal.nrc.gov/sunsi/34643
MARKING
What documents should be marked?
Mark all pages of all documents.
Who may authorize document marking?
Originator, supervisor, or principal recipient.
How should a document be marked?
NRC-Generated Documents: Mark the top and bottom of each page - "Official Use Only - Security-Related Information."
Documents Generated by Licensees, Applicants, Contractors or Other Outside Persons/Organizations Subject to NRC Jurisdiction: Mark the top of each page - "Security-Related Information - Withhold Under 10 CFR 2.390."
When is portion or page marking required?
- If an entire page of a document containing OUO-SRI contains other categories of information, including non-sensitive information.
- On documents that may be released following the redaction of sensitive information.
The following criteria apply when considering whether a document contains nuclear/security-related information (see Criteria for Nuclear/Security-Related Information).
COVER SHEET
When should a cover sheet be used?
Not applicable.
What cover sheet is used?
Not applicable.
REPRODUCTION
How many copies may be made?
Reproduction is limited to the number of copies needed for official use unless stated otherwise on the document.
Copies must clearly show the original markings.
Note: Where restrictions are imposed on reproduction, the employee must also ensure that there are no non-authorized copies residing in electronic systems, such as on the network drive, local hard drive, printers, copiers, or any other electronic medium.
PROCESSING ON ELECTRONIC SYSTEMS
On what information systems may the document be processed?
NRC LAN and other systems authorized to operate by the NRC under MD 12.5, NRC Cyber Security Program.
Is encryption required while data is at rest?
OMB has directed that all sensitive information be encrypted using only NIST-certified cryptographic modules both at rest and during transmission. NRC automatically encrypts data at rest and during transmission within NRC facilities. Any SUNSI that is outside of NRC facilities must be encrypted at rest.
May the information be processed in ADAMS?
Security-Related Information may be entered into the ADAMS Main Library and must be profiled as Non-Publicly Available and Sensitive. Assign access rights to user groups with a need to access the information to perform their official duties. ADAMS Sensitivity Code: A.3 - Sensitive-Security-Related - Periodic Review Required
USE AT HOME
May I use the document at home?
Yes. Abide by the following requirements.
- Employees are prohibited from using, handling, and storing the information at their residences and on personally owned devices or sending information to non-NRC email addresses (e.g., personal email accounts).
- Occasional use at an employee's residence requires approval of the employee's immediate supervisor or above.
- To ensure that the information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be seen by a family member, guest, or any other individual who is not authorized access.
- Employees who work at home must perform electronic processing of SUNSI on either (1) a home computer within the virtual environment provided by the agency through CITRIX, (2) an NRC-issued laptop with NRC-approved encryption software, or (3) using an NRC authorized solution such as BYOD.
- Employees are expressly prohibited from processing SUNSI on personally owned computers, even when an encrypted storage media is employed.
- It is discouraged to take hard-copy material to private residences. If hard copy material is taken home, it must be returned to an NRC facility and stored and/or destroyed according to the instructions provided in this guidance.
May I use the information at home under the NRC Flexible Workplace Program?
Yes. Abide by the following requirements.
- Employees are prohibited from using, handling, and storing the information at their residences and on personally owned devices.
- If you are approved to work at home under the NRC Flexible Workplace Program, use in accordance with standards set forth in NRC Form 624, Flexible Workplace Program Participation Agreement.
- To ensure that the information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be viewed by any other individual who is not authorized access.
- Employees are prohibited from processing SUNSI on personally owned computers unless connected to and working within CITRIX, the NRC Broadband Remote Access System. Employees are prohibited from downloading or storing SUNSI to the hard drive of a personally owned computer when connected to and working within CITRIX. Employees are also expressly prohibited from processing SUNSI on personally owned computers even when an encrypted storage media is employed.
- Employees who work at home must perform electronic processing of SUNSI on either (1) a home computer within the virtual environment provided by the agency through CITRIX, (2) an NRC-issued laptop with NRC-approved encryption software, or (3) using an NRC authorized solution such as BYOD.
USE WHILE TRAVELING OR COMMUTING
May I use the information while on official travel or commuting to or from work?
Yes. Abide by the following requirements:
- Use of the information is discouraged while traveling on public transportation. To ensure that the information is not viewed or accessed inadvertently or willfully, the employee must ensure that it cannot be seen by persons not authorized access. Particular care should be taken on a public conveyance or in waiting rooms where others may be sitting and standing in close proximity to where the information is being used.
- Individuals should hand carry protected information during travel only if other means for transmitting the information, (e.g., mailing ahead, secure information sharing), are not readily available or are operationally unacceptable. If hand carrying is determined to be the best transport method, care must be exercised to ensure that the information is not compromised through loss or inadvertent access.
- Information must be kept in the traveler's personal possession to extent possible, and stored, appropriately wrapped as to reveal evidence of tampering, in hotel security facilities if possible.
- Information must not be saved/stored on a personally owned computer. Work must be performed on an encrypted laptop computer or other encrypted mobile IT device authorized for use per MD 12.5, to preclude unauthorized access if the laptop or device is lost or stolen.
- The information should be returned to an NRC authorized storage location at the earliest possible opportunity.
PHYSICAL COPY TRANSMISSION
May I transmit paper or electronic media including CD-ROM, disk or tape?
Yes. Abide by the following requirements:
Inside the NRC (including Regions): Information may be -
- Hand-carried.
- Sent via NRC's interoffice mail system.
- Sent via NRC pouch service between headquarters and the regions. Transmit in a single opaque envelope.
- Sent via approved commercial express carriers between headquarters and the regions (time-sensitive material only; use NRC Form 420). Transmit in a single opaque envelope.
Outside the NRC: Information may be transmitted by -
- NRC Messenger/NRC contractor messenger.
- U.S. Postal Service: First Class Mail, Registered Mail, Express Mail, Certified Mail. Request tracking service where available.
- Hand-carried by any individual authorized access to the information. That individual shall retain the information in his or her possession where possible unless they place the document in the custody of another person authorized access.
- Approved commercial express carriers (time-sensitive material only; use NRC Form 420); Transmit in single opaque envelope. Request tracking service where available.
- Other means approved by OIS and the Director, Division of Facilities and Security, ADM.
Incoming to the NRC: Electronic submissions, including CD-ROMs, submitted to the NRC should follow the E-Rule "Guidance for Electronic Submission to the Agency," available on NRC's external Web site at: (http://www.nrc.gov/site-help/electronic-sub-ref-mat.html).
Encryption: All electronic media (CD-ROM, disk, tape, hard drives, thumb drives, etc.) must be encrypted in accordance with MD 12.5.
ELECTRONIC COPY TRANSMISSION
May I transmit the document electronically by e-mail or fax?
Yes. Abide by the following requirements:
Inside the NRC (including Regions): Information may be emailed or faxed.
Outside the NRC: Electronic transmissions (e.g., e-mail, fax) outside the NRC must be encrypted in accordance with MD 12.5.
Please follow the guidance outlined in the Office of the Chief Information Officer Issued announcement 9.~!ed,.~U!!l!S,tJi.. ?91 ?.*
Use of portals that encrypt the information during transmission, such as "BOX" are highly encouraged.
Electronic files must contain appropriate markings.
STORAGE
Inside the NRC (Headquarters and Regional Offices): Store in non-locking or locking container at the end of each business day or when not in use.
Outside the NRC (Resident Inspector Sites): Store in key locked desks or other key locked containers.
On NRC Electronic Systems: May be stored on NRC encrypted computer systems that are authorized to operate under MD 12.5.
For storage requirements of other Federal, State, Foreign Government, and International Agency controlled information use their guidelines (See).
DESTRUCTION
Official Record Version: Destroy in accordance with NRC Comprehensive Records Disposition Schedule (NUREG-0910).
Non-Official Record Copies: Destroy as indicated below:
- Using an ADM/DFS approved shredder that has been approved to destroy Classified Information, Safeguards Information, SUNSI, and Controlled Unclassified Information (CUI).
- Placed in a Sensitive Unclassified Waste Disposal Container.
- Tear into one-half inch pieces or smaller (in all dimensions) and dispose of in a waste receptacle.
- Burning, pulping, pulverizing, or chemical decomposition.
Electronic Data: Use NRC authorized destruction methods in accordance with MD 12.5.
DECONTROL AUTHORITY
Originating office or office primarily responsible for the information.
8/3/2020 Sensitive Internal Information | NRC Intranet
Sensitive Internal Information
CONTENT OWNER
Page content maintained by: SUNSI.Resource@nrc.gov
APPLICABLE DOCUMENT CATEGORIES
- Attorney-Client Privilege
- Attorney Work Product
- Includes any predecisional information that rises to a level of sensitivity to justify it being protected as SUNSI. As such SII includes predecisional enforcement information but can also include other types of predecisional information. A subject matter expert should make a determination whether the specific predecisional information rises to a level that requires protecting it as SUNSI.
- Information submitted to the Commission marked "Sensitive"
- Information Systems Vulnerability Information (information that, if not protected, could result in adverse effects to information systems)
- Sensitive - Not For Distribution (Except to Commission Adjudicatory Employees in Accordance with 10 CFR 2.348)
- Source selection information other than proprietary information
AUTHORITY TO DESIGNATE
For NRC originated information, originator proposes - signer approves.
For NRC received information, office principally responsible for the information.
ACCESS
Who may have access?
NRC employees or NRC contractor employees who have a need-to-know the information to perform their official duties.
NEED-TO-KNOW CONTROLS
Do Need-to-know controls apply?
- Need-to-know controls must be applied to the information.
- Recommend the establishment of pre-designated user groups that exclude administrative and other selected Offices without an obvious mission need from access.
https://drupal.nrc.gov/sunsi/34644
MARKING
What documents should be marked?
Mark all pages of all documents.
Who may authorize document marking?
Originator, supervisor, or principal recipient.
How should a document be marked?
Mark at top and bottom of each page.
Mark as "Official Use Only - Sensitive Internal Information" OR use more specific markings, as illustrated in the following examples:
- For Attorney-Client Privilege: "Official Use Only - Attorney-Client Privilege"
- For Attorney Work Product: "Official Use Only - Attorney Work Product"
- For Predecisional Enforcement Information: "Official Use Only - Predecisional Enforcement Information"
- For Adjudicatory Material: "Official Use Only - Adjudicatory Material"
When is portion or page marking required?
- If an entire page of a document containing OUO-SRI contains other categories of information, including non-sensitive information.
- On documents that may be released following the redaction of sensitive information.
The following criteria apply when considering whether a document contains nuclear/security-related information (see Criteria for Nuclear/Security-Related Information).
COVER SHEET
When should a cover sheet be used?
Not required.
Note: Use of the green "Official Use Only" cover sheet has been discontinued.
What cover sheet is used?
Not applicable.
REPRODUCTION
How many copies may be made?
Reproduction is limited to the number of copies needed for official use unless document contains restrictions.
Copies must clearly show the original markings.
Note: Where restrictions are imposed on reproduction, the employee must also ensure that there are no non-authorized copies residing in electronic systems, such as on the network drive, local hard drive, printers, copiers, or any other electronic medium.
TCJ~
PROCESSING ON ELECTRONIC SYSTEMS On what Information systems may the document be processed?
Is encryption required while data Is at rest?
May the Information be processed in ADAMS?
USE AT HOME May I use the document at home?
May I use the https:/ld rupal.nrc.gov/sunsl/34644 NRC LAN and other systems authorized to operate by the NRC under MD _12.5, NRC Cybersecurity Program."
0MB has directed that all sensitive information be encrypted using only NIST-certified cryptographic modules both at rest and during transmission. NRC automatically encrypts data at rest and during transmission within NRC facilities. Any SUNSI that is outside of NRC facilities must be encrypted at rest.
Sensitive Internal Information may be entered Into the ADAMS Main Library and must be profiled as Non-Publicly Available and Sensitive. Assign access rights to user groups with a need to access the information to perform th Ir official duties. ADAMS Sensitivity Code: A. 7 Note: Sensitive Internal Information has two (2) sub-categories within the A.7 sensitivity code. Therefore, you must select the proper A.7 based on the following criteria:
Sensitive Internal Information
- No Periodic Review Required
- contains attorney-client privilege, attorney work product, or predeclslonal enforcement Information.
Sensitive Internal Information
- Periodic Review Required
- contains all other Sensitive Internal Information ICP Yes. Abide by the following requirements:
Employees are prohibit d from using, handling, and storing th Information at their residences and on personally owned devices or sending information to non-NRC email addresses (e.g., personal email accounts).
Occaslona I use at an employee's resld nee r quires approval of th mployee's lmmedlat upervlsor or above.
Electronic work from home must use an NRC computer or an NRC authorized capability, suc.h as BYOD or CITRIX.
To ensure that the Information Is not viewed or accessed Inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be seen by a family member, guest, or any other Individual who Is not authorized access.
Employees are prohibited from processing SUNSI on personally owned computers unless connected to and working within CITRIX, the NRC Broadband Remote Access System. Employees are prohibited from downloading or storing SUNSI to the hard drive of a personally owned computer when connected to and working within CITRIX. Employees are also prohibited expressly from processing SUNSI on personally owned computers even when an encrypted floppy disk, CD, DVD, or thumb drive is the storage media.
Employees who work at home must perform electronic processing of SUNSI on either (1) a home computer within the virtual environment provided by the agency through CITRIX, (2) an NRC-issued laptop with NRC-approved encryption software, or (3) using an NRC authorized solution such as BYOD.
It is discouraged to take hard-copy material to private residences. If hard copy material is taken home, it must be returned to an NRC facility and stored and/or destroyed according to the instructions provided in this guidance.
Yes. Abide by the following requirements.
Information at home under the NRC Flexible Workplace Program?
If you are approved to work at home under the NRC Flexible Workplace Program, use in accordance with standards set forth in NRC Form 624, Flexible Workplace Program Participation Agreement.
To ensure that the information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be seen by a family member, guest, or any other individual who is not authorized access.
Employees are prohibited from processing SUNSI on personally owned computers unless connected to and working within CITRIX, the NRC Broadband Remote Access System. Employees are prohibited from downloading or storing SUNSI to the hard drive of a personally owned computer when connected to and working within CITRIX. Employees are also expressly prohibited from processing SUNSI on personally owned computers even when an encrypted storage media is employed.
Employees who work at home must perform electronic processing of SUNSI on either (1) a home computer within the virtual environment provided by the agency through CITRIX or (2) an NRC-issued laptop with NRC-approved encryption software, or (3) using an NRC authorized solution such as BYOD.
USE WHILE TRAVELING OR COMMUTING May I use the information while on official travel or commuting to or from work?
PHYSICAL COPY TRANSMISSION May I transmit paper or electronic media including CD-ROM, disk or tape?
Yes. Abide by the following requirements:
Use of the information is discouraged while traveling on public transportation. To ensure that the information is not viewed or accessed inadvertently or willfully, the employee must ensure that it cannot be seen by persons not authorized access. Particular care should be taken on a public conveyance or in waiting rooms where others may be sitting and standing in close proximity to where the information is being used.
Individuals should hand carry protected information during travel only if other means for transmitting the information, e.g., mailing ahead, secure information sharing, are not readily available or are operationally unacceptable. If hand carrying is determined to be the best transport method, care must be exercised to ensure that the information is not compromised through loss or inadvertent access.
Information must be kept in the traveler's personal possession to extent possible, and stored, appropriately wrapped, in hotel security facilities if possible.
Information must not be saved/stored on a personally owned computer. Work must be performed on an encrypted laptop computer or other encrypted mobile IT device to preclude unauthorized access if the laptop or device is lost or stolen.
The information should be returned to an NRC authorized storage location at the earliest possible opportunity.
Yes. Abide by the following requirements:
Inside the NRC:
Electronic submissions, including CD-ROMs, submitted to the NRC should follow the E-Rule "Guidance for Electronic Submission to the Agency," available on NRC's external Web site at: (http://www.nrc.gov/site-help/electronic-sub-ref-mat.html).
Outside the NRC: Information may be transmitted by -
NRC Messenger/NRC contractor messenger.
U.S. Postal Service: First Class Mail, Registered Mail, Express Mail, Certified Mail.
Hand-carried by any individual authorized access to the information. That individual shall retain the information in his or her possession to the maximum extent possible unless they place the document in the custody of another person authorized access.
Approved commercial express carriers (time-sensitive material only; use NRC Form 420); Transmit in single opaque envelope.
Other means approved by OIS and the Director, Division of Facilities and Security, ADM.
Incoming to the NRC: Electronic submissions, including CD-ROMs, submitted to the NRC should follow the E-Rule "Guidance for Electronic Submission to the Agency," available on NRC's external Web site at: (http://www.nrc.gov/site-help/electronic-sub-ref-mat.html)
Encryption:
All electronic media (CD-ROM, disk, tape, hard drives, thumb drives, etc.) must be encrypted in accordance with MD 12.5.
ELECTRONIC COPY TRANSMISSION May I transmit the document electronically by e-mail or fax?
STORAGE Yes. Abide by the following requirements:
Inside the NRC (Including Regions): Information may be emailed or faxed.
Electronic transmissions (e.g., e-mail, fax) outside the NRC must be encrypted in accordance with MD 12.5.
Outside the NRC: Information may be transmitted by -
Fax: May use non-secure facilities where it is confirmed that a recipient who is authorized to access the information will be present to receive the information.
E-Mail: All SUNSI information must be encrypted during transmission outside of the internal network as stated in MD 12.5. Please follow the guidance outlined in the Office of the Chief Information Officer issued announcement dated August 9, 2017.
Use of portals that encrypt the information during transmission, such as "BOX," is highly encouraged.
Otherwise, transmit a physical copy in the manner set forth above.
Electronic files must contain appropriate markings.
Inside the NRC (Headquarters and Regional Offices): Store in non-locking or locking container at the end of each business day or when not in use.
Outside the NRC (Resident Inspector Sites): Store in key locked desks or other key locked containers.
On NRC Electronic Systems: May be stored on NRC encrypted computer systems authorized to operate under MD 12.5.
DESTRUCTION Official Record Version: Destroy in accordance with NRC Comprehensive Records Disposition Schedule (NUREG-0910).
Non-Official Record Copies: Destroy copies other than the official record version by any means that prevents reconstruction in whole or part, including the following methods:
Using an ADM/DFS approved shredder that has been approved to destroy classified information, Safeguards Information, SUNSI, and Controlled Unclassified Information (CUI).
Placing in a Sensitive Unclassified Waste Disposal Container.
Tearing into one-half inch pieces or smaller (in all dimensions) and dispose of in a waste receptacle.
Burning, pulping, pulverizing, or chemical decomposition.
Electronic Data: Use NRC authorized destruction methods in accordance with MD 12.5.
DECONTROL AUTHORITY
Originating office or office primarily responsible for the information.
8/3/2020 Sensitive Unclassified Non-Safeguards Information (SUNSI) | NRC Intranet
Sensitive Unclassified Non-Safeguards Information (SUNSI)
SUNSI is defined as any information of which the loss, misuse, modification, or unauthorized access can reasonably be foreseen to harm the public interest, the commercial or financial interests of the entity or individual to whom the information pertains, the conduct of NRC and Federal programs, or the personal privacy of individuals.
The NRC generates and receives many categories of documents containing SUNSI. Each category of documents falls into one of nine SUNSI handling groups. NRC employees, consultants, and contractors are responsible for properly protecting SUNSI documents in accordance with procedures established for the eight handling groups.
The presence or absence of markings or cover sheets does not entirely determine whether a document may be withheld from or released to the public. Whenever an NRC employee has a question regarding the denial or releasability of a document, whether it is marked or not, the employee should consult with their supervisor and/or the originator of the document, the SUNSI guidance contained on this site, and MD 3.4, "Release of Information to the Public."
General guidance applicable to all SUNSI handling groups is contained in NRC Policy and Procedures for Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information (SUNSI). For detailed information on handling requirements for each of the nine SUNSI groups, follow the appropriate link below, or use the navigation buttons above.
Staff are reminded of the need to protect SUNSI via yellow announcement YA-19-0102, "Policy Reminder of the NRC's Policy for Protecting SUNSI as Described in the NRC Policy for Handling, Marking, and Protecting SUNSI and Applicable MDs," (ML19298D153). Specifically, the YA notes possible consequences of non-compliance with protecting SUNSI including: (a) removal of system access for a specified period; (b) mandated training regarding the information about the specific security incident; and (c) possible disciplinary action up to and including removal from the Federal service.
SUNSI information must be protected with respect to "need-to-know." The definition of need-to-know was provided via yellow announcement YA-16-0052, "Change to Need-to-Know Definition" (ML16111A43}_,~ ). The definition is stated as follows:
"Need-to-Know"
- 1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
- 2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.
The Commission has approved the Office of General Counsel's guidance and recommendations for program offices regarding finalized procedures to allow potential intervenors to gain access to relevant records that contain sensitive unclassified non-safeguards information and safeguards information. To review the guidance and recommendations see the final procedures (ML080440239) and SRM-SECY 0215 (ML080320502).
All SUNSI must be encrypted when the information is outside of NRC facilities as stated in MD 12.5. This includes the requirement to encrypt the information during transmission outside of the internal network. All encryption used by NRC must use FIPS 140 validated algorithms and cryptographic modules or encryption approved by the National Security Agency for protection of classified information. Contact Kathy Lyons-Burke, Senior Level Advisor for Information Security, Office of the Chief Information Officer (OCIO) with any questions regarding information protection policy.
SUNSI Groups
Allegation Information
Investigation Information
Critical Electric Infrastructure Information (CEII)
Export Controlled Information (ECI)
Security-Related Information
Proprietary Information
Applicable Document Categories
Confidential Allegation Information
Sensitive Allegation Information
Office of the Inspector General (OIG) Investigation-related documents
Office of Investigations (OI) Investigation-related document
Information related to a system or asset of the bulk-power system, whether physical or virtual, the incapacity or destruction of which would negatively affect national security, economic security, public health or safety, or any combination of such matters.
CEII is exempt from disclosure under the Freedom of Information Act, 5 U.S.C. 552(b)(3), and includes (but is not limited to) specific engineering, vulnerability, or detailed design information about proposed or existing critical infrastructure that:
(i.) Relates details about the production, generation, transportation, transmission, or distribution of energy; (ii.) Could be useful to a person in planning an attack on critical infrastructure; and (iii.) Does not simply give the general location of the critical infrastructure.
(See CEII page: "what documents should be marked" and "how should a document be marked" sections for guidance on marking documents received or generated by NRC as CEII.)
Statutory and regulatory authorities for export controlled information (ECI) provide designation authority to agencies other than the U.S. Nuclear Regulatory Commission (NRC). Questions about ECI designations should be referred to the Office of the Chief Information Officer who will coordinate with the U.S. Department of Energy (DOE), U.S. Department of Commerce (DOC), or U.S. Department of State (DOS) as necessary.
10 CFR 2.390 Information
Licensee-submitted information that may qualify as Critical Infrastructure Information as defined by other agencies including -
- Sensitive Security Information (SSI) - Transportation Security Administration (TSA)
Information that could be useful, or could reasonably be expected to be useful to a terrorist in a potential attack that does not qualify as Safeguards or Classified Information (see Staff Guidance for Screening Documents for Information that Could be Useful to a Terrorist)
Sensitive Homeland Security Information - Department of Homeland Security (DHS) to define
Trade Secrets or Confidential Commercial or Financial Information.
INPO Private - Institute of Nuclear Power Operations (INPO)
Source Evaluation Proprietary Data
Privacy Act/Personally Identifiable Information
Federal-, State-, Foreign Government-, and International Agency-Controlled Information
Sensitive Internal Information
Privacy Act - All information contained in a Privacy Act System of Records (see the "Privacy Act System of Records Notice").
Personally Identifiable Information (PII) - All information that can be used to distinguish or trace an individual's identity.
PII Relationship to Privacy Act - Only PII that is part of a Privacy Act system of records will be protected by the provisions of the Privacy Act. Therefore, while some PII may be considered Privacy Act information, not all of it is. PII that is contained in documents, files, or databases not part of a system of records will not receive the specific benefits of this legal protection but is to be treated in accordance with applicable agency policy for handling sensitive information.
Information not to be released to foreign nationals without the permission of the author or originating agency (NOFORN)
Not For Public Disclosure Under Terms of the Joint Convention on the Safety of Spent Fuel Management and the Safety of Radioactive Waste Management
Law Enforcement Sensitive (Federal & State Law Enforcement Agencies)
For Official Use Only (FOUO) - Department of Defense (DOD)
Official Use Only (OUO) - Department of Energy (DOE)
Unclassified Controlled Nuclear Information (UCNI) - DOE
Naval Nuclear Propulsion Information (NNPI) - DOE
Sensitive but Unclassified (SBU) - Department of State (DOS)
Government-Controlled Information
Foreign Government-Controlled Information
State Agency-Controlled Information
Attorney-Client Privilege
Attorney Work Product
Predecisional Enforcement Information
Sensitive - Not For Distribution (Except to Commission Adjudicatory Employees in Accordance with 10 CFR 2.348)
Information submitted to the Commission marked "Sensitive"
Source selection information other than proprietary information
Consolidated guidance on SUNSI was developed in response to recommendations made by the EDO's Task Force on Management of Sensitive Unclassified Non-Safeguards Information (SUNSI). The final report of the task force is available in ADAMS under accession number ML043170097.
CUI Briefing
ISOO - CUI Briefing - January 27, 2017
What's New in SUNSI?
SUNSI is being transitioned to Controlled Unclassified Information (CUI)
SUNSI Policy and Procedures
Inadvertent or Unauthorized Release of SUNSI
Marking SUNSI in Electronic Formats
Frequently Asked Questions
Contact SUNSI.Resource@nrc.gov
8/3/2020 Policy Reminder of the NRC'S Policy for Protecting SUNSI as Described in the NRC Policy for Handling, Marking, and Protecting SUNSI a...
United States Nuclear Regulatory Commission
Subject: Policy Reminder of the NRC'S Policy for Protecting SUNSI as Described in the NRC Policy for Handling, Marking, and Protecting SUNSI and Applicable MDs
ANNOUNCEMENT CATEGORY: Policy Reminder
ML #: ML19298D153
MANAGEMENT DIRECTIVE #: MD 12.1, MD 12.5, MD 12.6
TO: All NRC Employees
Yellow Announcement: YA-19-0102
Date: December 9, 2019
Expiration Date: June 30, 2020
SUBJECT: POLICY REMINDER OF THE U.S. NUCLEAR REGULATORY COMMISSION'S POLICY FOR PROTECTING SENSITIVE UNCLASSIFIED NON-SAFEGUARDS INFORMATION AS DESCRIBED IN THE NRC POLICY FOR HANDLING, MARKING, AND PROTECTING SENSITIVE UNCLASSIFIED NON-SAFEGUARDS INFORMATION AND APPLICABLE MANAGEMENT DIRECTIVES
The Office of the Chief Information Officer (OCIO) has become aware of several recent security incidents regarding the handling of sensitive unclassified non-safeguards information (SUNSI), including some that could have potentially resulted in a release of information to external entities without a need-to-know. Additionally, OCIO's Data Loss Prevention monitoring tools have continued to identify the transmission of unencrypted SUNSI information to external parties and personal e-mail. Although these incidents are reported to office management, the mishandling of SUNSI information persists. This Yellow Announcement reminds staff of the U.S. Nuclear Regulatory Commission (NRC) policy for protecting SUNSI and reinforces NRC policy for noncompliance including potential disciplinary action.
Background
Management Directive (MD) 12.6, "NRC Sensitive Unclassified Information Security Program," describes NRC policy regarding NRC personnel responsibility for ensuring that sensitive unclassified information is marked, handled, and protected from unauthorized disclosure under pertinent laws, other NRC MDs, and applicable directives of other Federal agencies and organizations. The SUNSI policy, posted on the SUNSI Web site, "NRC Policy for Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information," updated SUNSI categories and describes applicable requirements not included in MD 12.6. MD 12.1, "NRC Facility Security Program," describes NRC policy regarding potential consequences for failure to protect against unauthorized disclosure of SUNSI and other types of information.
Other documents that describe NRC policy regarding marking, handling, and protection of SUNSI are:
- 1. For the release of information to the public - MD 3.4, "Release of Information to the Public";
- 2. For electronic processing, storage, destruction, and transmission of SUNSI including storage of SUNSI on share drives - MD 12.5, "NRC Cybersecurity Program" and the "NRC Agency-wide Rules of Behavior for Authorized Computer Use";
- 3. For handling allegation information - MD 8.8, "Management of Allegations"
- 4. For handling of Privacy Act information - MD 3.2, "Privacy Act," and the Privacy Act of 1974;
- 5. For security incidents, infractions, and violations of SUNSI disclosure - MD 12.1, "NRC Facility Security Program"; and
- 6. For marking incoming confidential commercial or financial (proprietary) information -
As described in the "NRC Policy for Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information," SUNSI is organized into the following nine groups:
- 1. Allegation Information;
- 2. Investigation Information;
- 3. Critical Electric Infrastructure Information;
- 4. Export Controlled Information;
- 5. Security-Related Information;
- 6. Proprietary Information;
- 7. Privacy Act/Personally Identifiable Information;
- 8. Federal-, State-, Foreign Government-, and International Agency-Controlled Information; and
- 9. Sensitive Internal Information.
To the extent that a different statute, regulation, or other directive already established the requirements for a particular SUNSI group, this policy incorporates those preexisting requirements. For example, MD 8.8 establishes the requirements and procedures for handling allegation information, while the Privacy Act of 1974, as amended, and MD 3.2 lay out the requirements for handling Privacy Act information. Further, 10 CFR 2.390 establishes the marking requirements for incoming confidential commercial or financial (proprietary) information. Finally, MDs 12.1 and 12.5 contain the requirements for electronic processing, storage, destruction, and transmission of SUNSI. When more than one SUNSI group applies to information, the most restrictive handling requirement of the applicable group applies.
While the NRC is currently working to implement the Controlled Unclassified Information (CUI) program, the SUNSI policies remain in place until the CUI program is fully implemented. NRC employees and contractors will be informed of plans to support the NRC's transition to CUI. Additional information on the CUI program is available at the NRC's CUI Web site.
Applicability
NRC employees, consultants, and contractors are responsible for ensuring that SUNSI is protected in accordance with the procedures specified in applicable policies. The use of the word "contractor" includes subcontractors. SUNSI security incidents, as described in MD 12.1 Handbook Part VIII, Section B, include: leaving sensitive unclassified documents or material unattended, unsecured, or improperly stored (including shared network drives unless access controls are applied); improper transmission of sensitive unclassified documents or material; allowing an unauthorized person access to sensitive unclassified information; and/or failure to safeguard a sensitive unclassified container combination. Consequences of non-compliance with protecting SUNSI may include: (a) removal of system access for a specified period; (b) mandated training regarding the information about the specific security incident; and/or (c) possible disciplinary action up to and including removal from the Federal service.
If you have any questions regarding this policy and procedures, contact SUNSI.Resource@nrc.gov.
/RA/
David J. Nelson
Chief Information Officer
Management Directive References:
- 1. MD 12.1, "NRC Facility Security Program," Handbook Part VIII (B)(2) and (E)(2)
- 2. MD 12.5, "NRC Cybersecurity Program," Handbook including "NRC Agency-wide Rules of Behavior for Authorized Computer Use"
- 3. MD 12.6, "NRC Sensitive Unclassified Information Security Program," Handbook Part I (A)(2) and (B)
SUBMITTER'S EMAIL: Adam.Glazer@nrc.gov
AUTHORIZING OFFICIAL: David Nelson
SIGNATURE DATE: Monday, December 9, 2019
PUBLISH ON: Monday, December 16, 2019
YELLOW NUMBER: YA-19-0102
8/3/2020 Proprietary Information | NRC Intranet
Proprietary Information
CONTENT OWNER Page content maintained by: SUNSI.Resource@nrc.gov
Table of Contents
- Applicable Document Categories
- Marking
- Authority to Designate
- Cover Sheet
- Access
- Reproduction
- Need-to-Know Controls
- Processing on Electronic Systems
- Storage
- Destruction
- Decontrol Authority
- Use at Home
- Use While Traveling or Commuting
- Physical Copy Transmission
- Electronic Copy Transmission
APPLICABLE DOCUMENT CATEGORIES
Trade Secrets or Confidential Commercial or Financial Information.
INPO Private - Institute of Nuclear Power Operations (INPO).
Source Evaluation Proprietary Data.
Information or records concerning a licensee's or applicant's physical protection, classified matter protection, or material control and accounting program for special nuclear material not otherwise designated as Safeguards Information or classified as National Security Information or Restricted Data.
Information submitted in confidence to the Commission by a foreign source.
AUTHORITY TO DESIGNATE Business originator makes proprietary claim. For proprietary information to be protected, NRC must accept proprietary claim based on review by the responsible office and OGC, when needed.
ACCESS Who may have access?
NRC staff, contractors and consultants who have a need-to-know the information to perform their official duties and have the proper clearance.
NEED-TO-KNOW CONTROLS Do Need-to-know controls apply?
MARKING What documents should be marked?
Who may authorize document marking?
How should a document be marked?
When is portion or page marking required?
COVERSHEET When should a cover sheet be used?
What cover sheet Is used?
REPRODUCTION How many copies may be made?
- Need-to-know controls must be applied to the information.
- Recommend the establishment of pre-designated user groups that exclude administrative, other select Offices and/or groups that do not have an obvious mission need from access.
Mark all documents containing Trade Secrets or Confidential Commercial or Financial Information.
Do not mark documents from INPO designated INPO Private.
NRC recipient or originator (or supervisor) pursuant to 10 CFR 2.390.
NRC Generated Documents:
The top and bottom of each page should be marked - "Official Use Only - Proprietary Information."
Incoming Documents:
Marking requirements are defined in 10 CFR 2.390(b) and require marking only at the top of page, and each successive page containing proprietary information, and adjacent to the specific proprietary information.
Required for all documents.
If the entire page is not affected, indicate the basis (i.e., trade secret, etc.) for the designation adjacent to the protected information. See 10 CFR 2.390(b)(1)(i)(B).
Not required.
Not applicable.
Note: Use of the yellow Proprietary Information cover sheet has been discontinued, and must not be used.
No reproduction for INPO Private without INPO permission; otherwise see below.
Copies must clearly show the original markings.
Abide by copyright restrictions.
Reproduction limited to number of copies needed for official use.
Note: Where restrictions are imposed on reproduction, the employee must also ensure that there are no non-authorized copies residing in electronic systems, such as on the network drive, local hard drive, or removable storage media.
PROCESSING ON ELECTRONIC SYSTEMS On what information systems may the document be processed?
Is encryption required while data is at rest?
May the information be processed in ADAMS?
USE AT HOME May I use the document at home or under the NRC Flexible Workplace Program?
NRC LAN and other systems authorized to operate by the NRC under MD 12.5, "NRC Cybersecurity Program."
OMB has directed that all sensitive information be encrypted using only NIST-certified cryptographic modules both at rest and during transmission. NRC automatically encrypts data at rest and during transmission within NRC facilities. Any SUNSI that is outside of NRC facilities must be encrypted at rest.
Proprietary Information may be entered into the ADAMS Main Library and must be profiled as Non-Publicly Available and Sensitive. Assign access rights to the group "NRC Users". ADAMS Sensitivity Code: A.4 - Sensitive-Proprietary-No Periodic Review Required.
Yes, abide by the following requirements:
If you are approved to work at home under the NRC Flexible Workplace Program, use in accordance with standards set forth in NRC Form 624, Flexible Workplace Program Participation Agreement.
When using at home or at an alternate work location abide by the following:
Employees are prohibited from using, handling, and storing the information at their residences and on personally owned devices or sending information to non-NRC email addresses (e.g., personal email accounts). See exceptions below.
Occasional use at an employee's residence requires approval of the employee's immediate supervisor or above.
It is discouraged to take hard-copy material to private residences. If hard-copy material is taken home, it must be brought back to an NRC facility and stored and/or destroyed properly.
To ensure that the information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be seen by any individual who is not authorized access.
Employees who work at home must perform electronic processing of SUNSI on either (1) an NRC-issued laptop with NRC-approved encryption software, (2) a home computer within the virtual environment provided by the agency through CITRIX, or (3) using an NRC authorized solution such as BYOD. Employees are prohibited from processing SUNSI on personally owned computers unless connected to and working within CITRIX, the NRC Broadband Remote Access System. Employees are prohibited from downloading or storing SUNSI to the hard drive of a personally owned computer when connected to and working within CITRIX. Employees are also prohibited expressly from processing SUNSI on personally owned computers even when an encrypted storage media is employed.
USE WHILE TRAVELING OR COMMUTING May I use the information while on official travel or commuting to or from work?
Yes, abide by the following requirements:
Use of the Information Is discouraged while traveling on public transportation. To ensure that the information Is not viewed or accessed inadvertently or willfully, the employee must ensure that it cannot be seen by persons not authorized access. Particular care should be taken on a public conveyance or in waiting rooms where others may be sitting and standing In close proximity to where the Information is being used.
Individuals should hand carry protected Information during travel only if other means for transmitting the information, e.g., mailing ahead, secure information sharing, are not readi ly available or are operationally unacceptable. If hand carrying Is determined to be the best transport method, care must be exercised to ensure that the Information Is not compromised through loss or Inadvertent access.
Information must be kept in the traveler's personal possession to the extent possible, and stored, appropriately wrapped as to reveal evidence of tampering, in hotel security facilities if possible.
Information must not be saved/stored on a personally owned computer. Work must be performed on an encrypted laptop computer or other encrypted mobile IT device authorized for use per MD 12.5 to preclude unauthorized access if the laptop or device is lost or stolen.
The information should be returned to an NRC authorized storage location at the earliest possible opportunity and/or destroyed appropriately as described in the "Destruction" section below.
PHYSICAL COPY TRANSMISSION
May I transmit paper or electronic media including CD-ROM, disk or tape?
Yes. Abide by the following requirements:
Inside the NRC (including Regions): Information may be -
Hand-carried to an individual authorized access to the information.
Sent via NRC's interoffice mail system. Transmit in a single opaque envelope and address to an individual authorized access to the information.
Sent via NRC pouch service between headquarters and the regions. Transmit in a single opaque envelope and address to an individual authorized access to the information.
Sent via approved commercial express carriers between headquarters and the regions (time-sensitive material only; use NRC Form 420). Transmit in a single opaque envelope and address to an individual authorized access to the information.
Outside the NRC: Information may be transmitted by -
NRC Messenger/NRC contractor messenger.
U.S. Postal Service: First Class Mail, Registered Mail, Express Mail, Certified Mail. Request tracking service if not included.
Hand carried by any individual authorized access to the information. That individual shall retain the information in his or her possession unless they place the document in the custody of another person authorized access.
Approved commercial express carriers (time-sensitive material only; use NRC Form 420). Transmit in single opaque envelope and address to an individual authorized access to the information. Request tracking service where available.
Other means approved by OCIO and the Director, Division of Facilities and Security, ADM.
Incoming to the NRC:
Electronic submissions, including CD-ROMs, submitted to the NRC should follow the E-Rule "Guidance for Electronic Submission to the Agency," available on NRC's external Web site at: (Reference Materials for Electronic Submissions).
Encryption:
All electronic media (CD-ROM, disk, tape, hard drives, thumb drives, etc.) must be encrypted in accordance with MD 12.5.
ELECTRONIC COPY TRANSMISSION
May I transmit the document electronically by e-mail or fax?
Yes. Abide by the following requirements:
Inside the NRC (including Regions): Information may be e-mailed or faxed.
Outside the NRC:
All electronic transmissions (e.g., e-mail, fax) outside the NRC must be encrypted in accordance with MD 12.5.
To an authorized user who has a need-to-know the information.
FAX: May use non-secure facilities where it is confirmed that a recipient that is authorized to access the information will be present to receive the information.
E-MAIL: Please follow the guidance outlined in the Office of the Chief Information Officer issued announcement dated August 9, 2017.
Use of portals that encrypt the information during transmission, such as "BOX", is highly encouraged.
Electronic files must contain appropriate markings.
STORAGE
Inside the NRC (Headquarters and Regional Offices): Store in locking or in non-locking container within areas where there is supplemental security including electronic access controls (keycard) and/or guards on duty. If management determines additional protection is needed, the information should be stored in key locked file cabinets or equivalent storage containers.
Outside the NRC (Resident Inspector sites): Store in key locked desks or other key locked containers.
On NRC Electronic Systems: May be stored on NRC encrypted computer systems that are authorized to operate under MD 12.5.
DESTRUCTION
Official Record Version:
Destroy in accordance with "NRC Comprehensive Records Disposition Schedule" (NUREG-0910).
Non-official Record Copies:
Destroy copies other than the official record version by any means that prevents reconstruction in whole or part, including the following methods:
Using an ADM/DFS approved shredder that has been approved to destroy classified information, Safeguards Information, SUNSI, and Controlled Unclassified Information.
Place in Sensitive Unclassified Waste Disposal Containers.
Tear into one-half inch pieces (in all dimensions) or smaller and dispose of in the trash.
Burning, pulping, pulverizing, or chemical decomposition.
Electronic Data:
Use NRC authorized destruction methods in accordance with MD 12.5.
DECONTROL AUTHORITY
Office primarily responsible for the information.
Information submitted under 10 CFR 2.390 must undergo an acceptance review prior to formal acceptance as Proprietary Information.
Under 10 CFR Part 9, NRC must notify the submitter prior to de-controlling.
Critical Electric Infrastructure Information (CEII)
CONTENT OWNER Page content maintained by: SUNSI.Resource@nrc.gov
Table of Contents
- Authority to Designate
- Cover Sheet
- Use While Traveling or Commuting
- Access
- Reproduction
- Physical Copy Transmission
- Need-to-Know Controls
- Processing on Electronic Systems
- Electronic Copy Transmission
- Marking
- Use at Home
- Storage
- Destruction
- Decontrol Authority
- Requirements for Contractors
AUTHORITY TO DESIGNATE
ONLY the Federal Energy Regulatory Commission (FERC) has the authority to designate information as CEII.
Agencies are encouraged by FERC to label information believed to be CEII.
ACCESS
Who may have access?
Restricted to those that have a need-to-know the information to perform their NRC work.
NEED-TO-KNOW CONTROLS
Do need-to-know controls apply?
Need-to-know controls must be applied to the information.
Recommend the establishment of pre-designated user groups that exclude administrative and other selected Offices without an obvious mission need from access. Additionally, recommend considering whether ADAMS document processing contract personnel should have access.
MARKING
What documents should be marked?
Mark all pages of all documents. A recommended practice is that paragraphs containing CEII should be marked.
This CEII marking should be applied to NRC information that is:
Security-related information associated with critical infrastructure; or
Information associated with critical infrastructure that could reasonably be expected to endanger the life or physical safety of any individual, if released (typically information that qualifies for withholding under FOIA exemption 7F)
NRC information that should be labeled and handled as containing CEII includes not only on site information but also information related to critical infrastructure offsite from the nuclear power plant, such as hydroelectric dams, gas pipelines, and the electric grid.
Who may authorize document marking?
FERC has authority to formally designate information as CEII.
How should a document be marked?
NRC information should be labeled as containing CEII if:
FERC has formally designated the NRC information as CEII; or
Staff believes that the NRC information may be CEII even before a formal FERC designation of that information as CEII
NRC information associated with critical infrastructure (e.g., nuclear power plants, dams, electric grid, etc.) that is potentially CEII and NRC information that has formally been designated by FERC as CEII are to have the same marking: "CEII - DO NOT RELEASE"
All other applicable sensitive information labeling (e.g., Security Related Information) should be retained.
This CEII marking should be applied to NRC information that is:
Security-related information associated with critical infrastructure; or
Information associated with critical infrastructure that could reasonably be expected to endanger the life or physical safety of any individual, if released (typically information that qualifies for withholding under FOIA exemption 7F)
NRC information that should be labeled and handled as containing CEII includes not only on site information but also information related to critical infrastructure offsite from the nuclear power plant, such as hydroelectric dams, gas pipelines, and the electric grid.
NRC may also receive CEII from other agencies or external parties that already contain CEII markings, such as:
CUI//CEII
CEII - DO NOT RELEASE
Contains Critical Electric Infrastructure Information - DO NOT RELEASE
NRC staff does not need to add any additional CEII markings to information NRC receives from other agencies or external parties that already contain CEII markings.
When is portion or page marking required?
Portion marking is not required, but a recommended practice is that paragraphs containing CEII should be marked.
COVERSHEET
When should a cover sheet be used?
A cover sheet is not required
What cover sheet is used?
Not applicable.
REPRODUCTION
How many copies may be made?
Should only make as many copies as are absolutely required to perform government mission.
Printing from home location allowed using local (non-networked) printer.
PROCESSING ON ELECTRONIC SYSTEMS
On what information systems may the document be processed?
Is encryption required while data is at rest?
USE AT HOME
May I use the document at home?
May I use the information at home under the NRC Flexible Workplace Program?
2-factor user authentication is required to gain access to this information
Controls at the moderate sensitivity level are required.
CEII on portable digital media must be encrypted in accordance with MD 12.5
Yes. Abide by the following requirements:
Can process using a government furnished computer, within the NRC CITRIX application, or approved BYOD device container.
Must restrict access to the information so that only those with a need-to-know can see the content and computer session is locked when not in use.
Must obtain supervisor approval to have printed copies at home.
Printed copies access controlled so that only those with a need-to-know can see the content, and printed copies are locked away when not in use.
Printed copies must be destroyed using NRC approved Shredder.
All information must be encrypted in accordance with MD 12.5
Yes. Abide by the requirements listed under home use above.
USE WHILE TRAVELING OR COMMUTING
May I use the information while on official travel or commuting to or from work?
Yes. Abide by the following requirements:
Can process using a government furnished computer, within the NRC CITRIX application, or approved BYOD device container.
Must restrict access to the information so that only those with a need-to-know can see the content and computer is locked when not in use.
Must obtain supervisor approval to have printed copies while traveling or commuting.
Printed copies access controlled so that only those with a need-to-know can see the content, and printed copies are locked away when not in use.
Printed copies must be destroyed using NRC approved Shredder.
PHYSICAL COPY TRANSMISSION
May I transmit paper or electronic media including CD-ROM, disk or tape?
Yes. Abide by the following requirements:
Inside the NRC (including Regions): Information may be -
Hand-carried.
Sent via NRC's interoffice mail system.
Sent via NRC pouch service between headquarters and the regions. Transmit in a single opaque envelope.
Sent via approved commercial express carriers between headquarters and the regions (time-sensitive material only; use NRC Form 420). Transmit in a single opaque envelope.
Outside the NRC: Information may be transmitted by -
NRC Messenger/NRC contractor messenger
U.S. Postal Service: signature required.
Hand-carried by any individual authorized access to the information. That individual shall retain the information in his or her possession to the maximum extent possible unless they place the document in the custody of another person with authorized access.
Approved commercial express carriers (time-sensitive material only; use NRC Form 420); Transmit in single opaque envelope.
Other means approved by the CIO and the Director, Division of Facilities and Security, ADM.
Encryption:
All electronic media (e.g., CD-Rom, disk, tape, hard drives, thumb drives, etc.) must be encrypted in accordance with MD 12.5
ELECTRONIC COPY TRANSMISSION
May I transmit the document electronically by e-mail or fax?
Yes. Abide by the following requirements:
Electronic transmissions outside of the NRC network must be encrypted and only able to be unencrypted by those individuals with the required access authorization and need-to-know.
STORAGE
If the electronic copy is outside of NRC facilities, the information must be encrypted in accordance with MD 12.5.
NRC provided mobile desktops automatically encrypt the contents of the hard drive.
MaaS360 containers used with personal mobile devices are encrypted
Electronic access to the information must be restricted to those individuals with the required access authorization and need-to-know.
Physical copies must be in a locked container when not in use
DESTRUCTION
Use ADM/DFS approved sensitive information destruction methods.
DECONTROL AUTHORITY
FERC
REQUIREMENTS FOR CONTRACTORS
Ensure contract clauses that include the following:
Restrict access to the information to those with an appropriate background check that have a need-to-know the information to perform their NRC work.
Require controls in accordance with MD 12.5.
Require information protection requirements included here.
Require unauthorized disclosure be reported within 1 hour to the NRC contracting officer.
Export Controlled Information (ECI)
CONTENT OWNER Page content maintained by: SUNSI.Resource@nrc.gov
Table of Contents
- Authority to Designate
- Storage
- Physical Copy Transmission
- Access
- Reproduction
- Electronic Copy Transmission
- Marking
- Use at Home
- Destruction
- Cover Sheet
- Use While Traveling or Commuting
- Decontrol Authority
- Need-to-Know Controls
- Electronic Identification and Authentication Requirements
- Electronic Information Controls
- Requirements for Contractors
- Unauthorized Disclosure Reporting Requirements
AUTHORITY TO DESIGNATE
Statutory and regulatory authorities for export controlled information (ECI) provide designation authority to agencies other than the U.S. Nuclear Regulatory Commission (NRC). Questions about ECI designations should be referred to the Office of the Chief Information Officer who will coordinate with the U.S. Department of Energy (DOE), U.S. Department of Commerce (DOC), or U.S. Department of State (DOS) as necessary. Inform submitters that if they submit ECI to the NRC that, by law, may not be shared with foreign nationals, they must label it as such before submitting the information because the NRC may otherwise, as part of its ordinary course of business, provide information it receives to other parties (e.g., contractors) that may employ foreign nationals.
ACCESS
Restrict access to U.S. citizens who have a need to know (NTK) the information to perform their NRC work. ECI may not be provided to individuals who are not U.S. citizens, including foreign assignees working in NRC's offices and contractors.
MARKING
Apply the proper marking to all documents and digital media designated by the applicant or licensee as containing ECI.
Mark documents "Export Controlled Information" at the top and bottom of every page.
Mark electronic media "Export Controlled Information."
COVERSHEET
Use a cover sheet marked "Contains Export Controlled Information."
STORAGE
Adopt a "clean desk" strategy for ECI when it's not attended.
Hard Copies: Lock your computer and put hard copies out of sight (e.g., in a desk drawer, cabinet, or carrying case). Consider ECI to be unattended any time you are not in the same cubicle or office as the ECI.
Electronic Media: Store "audit" discs and other electronic media in an approved safe or other secure location (such as the records vault) unless it is in use. (The DLSE safe is currently located in the Limited Access Computing room in OWFN-2Al).
REPRODUCTION
Make only as many copies as absolutely required to perform the Government's mission.
Printing is only allowed on the NRC's network or other location approved for processing ECI. Secure print should be used.
USE AT A REMOTE WORK LOCATION (i.e., outside of the NRC's offices)
Process the information using a Government furnished computer or within the NRC CITRIX application or with an approved bring-your-own-device (BYOD) container.
Use only approved secured WIFI within a secured BYOD device container or use an NRC issued air card.
Secure laptops that are not in use to prevent loss or access by unauthorized individuals.
Restrict access to the information so that only those with NTK are able to see the content and lock the computer screen when the computer is not in use. Secure computers that are being transported to prevent loss or access by unauthorized individuals.
Obtain prior supervisor approval to have printed copies at home.
Control printed copies so that only those with NTK see the content and secure printed copies in a locked container when they are not in use or are unattended (e.g., a locking drawer within an approved work area at home or a locking cabinet).
Destroy printed copies and electronic media using a destruction method approved by the Office of Administration, Division of Facilities and Security (ADM/DFS).
USE WHILE TRAVELING OR COMMUTING
Require approval by DOE to take electronic or hard copy ECI on travel to a foreign country in accordance with DOE Order 551.1C, "Official Foreign Travel."
Process information using a Government furnished computer within the NRC CITRIX application or an approved BYOD container.
Restrict access to the information so that only those with NTK are able to see the content and lock and password protect the computer screen when the computer is not in use or is unattended.
Obtain prior supervisor approval to have printed copies while traveling or commuting.
Control access to printed copies so that only those with NTK are able to see the content and secure printed copies in a locked container when they are not in use (e.g., a locking drawer with a key(s) under positive control).
Destroy printed copies and electronic media using an ADM/DFS approved destruction method.
PHYSICAL COPY TRANSMISSION
Inside the NRC (including regional office space), information may be -
hand carried
sent through the NRC's interoffice mail system
sent through the NRC's pouch service between Headquarters and the regions (i.e., transmit the information in a single opaque envelope)
sent through approved commercial express carriers between Headquarters and the regions (for time-sensitive material only; use NRC Form 420 and transmit the information in a single opaque envelope)
Outside the NRC, information may be transmitted by -
NRC messenger/NRC contractor messenger
U.S. Postal Service (i.e., first class mail, registered mail, express mail, or certified mail)
hand carried by any individual who has authorized access to the information (that individual shall retain the information in his or her possession to the maximum extent possible unless he or she places the document in the custody of another person who has authorized access)
approved commercial express carriers (time-sensitive material only; use NRC Form 420 and transmit the information in a single opaque envelope)
other means approved by the Chief Information Officer and ADM/DFS
ELECTRONIC COPY TRANSMISSION
Encrypt electronic transmissions to or from e-mail addresses outside the NRC network such that they are only able to be unencrypted by those individuals with the required access authorization and NTK. Encryption is not required if the information is sent to and from an e-mail address inside the NRC network.
DESTRUCTION
Destroy printed copies and electronic media using an ADM/DFS approved destruction method.
DECONTROL AUTHORITY
Decontrol ECI in accordance with the statutory or regulatory authority (e.g., DOE, DOC, DOS, or other relevant Federal entity) under which the information was determined to be ECI.
NEED TO KNOW CONTROLS
Apply "most limited access" controls to the information, including the establishment of predesignated electronic user groups (e.g., on network shared drives or in ADAMS) that exclude administrative and other selected offices without a mission need.
ELECTRONIC IDENTIFICATION AND AUTHENTICATION REQUIREMENTS
Use two-factor user authentication to gain access to this information.
ELECTRONIC INFORMATION CONTROLS
Use controls at the moderate sensitivity level in accordance with the requirements of the Federal Information Security Modernization Act of 2014.
REQUIREMENTS FOR CONTROLS
Ensure contractual documents provide proper export control requirements for work coming into the facility and work being outsourced from the facility that are equivalent NRC controls. To handle this, use the contract clauses in Title 48 of the Code of Federal Regulations (48 CFR) 925.7102, "Contract Clause"; 48 CFR 952.225-71, "Compliance with Export Control Laws and Regulations (Export Clause)"; 48 CFR 970.257131 "Contract Clause"; and 48 CFR 970.5225-1, "Compliance with Export Control Laws and Regulations (Export Clause)," or as approved by ADM/DFS as applicable.
Update NRC Form 187, "Contract Security and/or Classification Requirements," for contracting officer representatives (CORs) to identify requirements for any contract that involves the handling or use of ECI, including the NTK restriction and the U.S. citizenship requirement.
Update the statement of work template to include the NTK restrictions and U.S. citizenship requirement.
Ensure the inclusion of contract clauses that do the following:
Restrict access to the information to U.S. citizens who have NTK for the information to perform their NRC work.
Require unauthorized disclosure be reported within 1 hour to the NRC contracting officer. The contracting officer would immediately report the unauthorized disclosure to the COR, Computer Security Incident Response Team (CSIRT), and ADM/DFS.
UNAUTHORIZED DISCLOSURE REPORTING REQUIREMENTS
Report unauthorized disclosure to the Office of the Chief Information Officer and CSIRT within 1 hour of its discovery.
Federal-, State-, Foreign Government-, and International Agency-Controlled Information
CONTENT OWNER Page content maintained by: SUNSI.Resource@nrc.gov
Table of Contents
- Applicable Document Categories
- Marking
- Use at Home
- Authority to Designate
- Cover Sheet
- Use While Traveling or Commuting
- Access
- Reproduction
- Physical Copy Transmission
- Need-to-Know Controls
- Processing on Electronic Systems
- Electronic Copy Transmission
- Storage
- Destruction
- Decontrol Authority
APPLICABLE DOCUMENT CATEGORIES
Information not to be released to foreign nationals without the permission of the author or originating agency (NOFORN, Export Controlled Information (DOE))
Not For Public Disclosure Under Terms of the Joint Convention on the Safety of Spent Fuel Management and the Safety of Radioactive Waste Management
Law Enforcement Sensitive (Federal & State Law Enforcement Agencies)
For Official Use Only (FOUO) - Department of Defense (DOD)
Official Use Only (OUO) - Department of Energy (DOE)
Unclassified Controlled Nuclear Information (UCNI) - DOE
Naval Nuclear Propulsion Information (NNPI) - DOE
Sensitive but Unclassified (SBU) - Department of State (DOS)
Government-Controlled Information
Foreign Government-Controlled Information
State Agency-Controlled Information
AUTHORITY TO DESIGNATE
Originating Federal, State, Foreign Government or International Agency.
ACCESS
Who may have access?
NRC employees and contractors who have a need-to-know the information for the conduct of official business.
NEED-TO-KNOW CONTROLS
Do need-to-know controls apply?
Need-to-know controls must be applied to the information.
Recommend the establishment of pre-designated user groups that exclude administrative, other select Offices and/or groups that do not have an obvious mission need from access.
MARKING
What documents should be marked?
Rely on marking of submitting organization. If the submitting organization's marking is not sufficient to indicate the document's sensitivity, contact the organization to clarify the document markings.
Who may authorize document marking?
Submitting organization.
How should a document be marked?
Rely on marking of submitting organization. If the submitting organization's marking is not sufficient to indicate the document's sensitivity, contact the organization to clarify the document markings. If additional marking is deemed necessary, mark the top and bottom of each page as illustrated in the following examples:
'For Official Use Only - State-Agency Controlled Information - State of Iowa'
'For Official Use Only - Sensitive But Unclassified (SBU) - DOS'
When is portion or page marking required?
Not required; however if an unmarked document containing sensitive information is received, containing Federal-, State-, Foreign Government-, and International Agency-Controlled Information, the document should be marked to alert users of the sensitivity of the information that is contained within, and the originating agency should be contacted to alert them of the discrepancy.
COVERSHEET
When should a cover sheet be used?
Not required. If other agency marking is not sufficient to indicate the document's sensitivity, contact the originating agency to clarify the document markings.
Note: Use of the green "Official Use Only" cover sheet has been discontinued and must not be used.
What cover sheet is used?
Not applicable.
Note: Use of the green "Official Use Only" cover sheet has been discontinued and must not be used.
REPRODUCTION
How many copies may be made?
Reproduction limited to number of copies needed for official use unless restriction is placed on document by submitting organization. Copies must clearly show the original markings.
2/6
813/2020 Federal-, State-, Foreign Government-, and International Agency-Controlled Information I NRC Intranet PROCESSING ON ELECTRONIC SYSTEMS On what Information systems may the document be processed?
Is encryption required while data is at rest?
May the Information be processed In ADAMS?
USE AT HOME M ay I use th document at home?
May I use the Information at home under the NRC Flexible Workplace Program?
https:/ldrupal.nrc.gov/sunsi/34639 Note: Where restrictions are imposed on reprod uction, the employee must also ensure that there are no non-authorized copies residing in electronic systems, such as on the network drive, local hard drive, or remova ble storage media.
TQfl NRC LAN and other systems authorized to operate by the NRC under MD __ 12.5, "NRC Cyber Security Program."
0MB has directed that all sensitive information be encrypted using only NIST-certified cryptographic modules both at rest and during transmission. NRC automatically encrypts data at rest and during transmission within NRC faci lities. Any SUNS! that Is outside of NRC facilities must be encrypted at rest.
Most applicable document categories listed for this group may be entered Into the ADAMS Main Library and must be profiled as Non-Publicly Available and Sensitive. Assign access rights to user groups with a need to access the Information to perform their official duties. ADAMS Sensitivity Code: A.6-Sensitive-Fed, State, Foreign Government Controlled Information - No Periodic Review R quired.
The following document categories may not be entered Into ADAMS:
NOFORN Naval Nuclear Propulsion Information (NNPI)
Law Enforcement Sensitive Yes. Abide by the following requlrem nts:
IOI' Employees, contractors, and consultants are prohibited from routinely using, handling, and storing the Information at their residences and on personally owned devices or sending Information to non-NRC email addresses (e.g., personal email accounts).
Occasional use at an employee's residence requires approval of the employee's Immediate supervisor or above.
To ensure that the Information Is not viewed or accessed Inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be seen by any Individual who Is not authorized access.
Employees who work at home must perform electronic processing of SUNS! on either (1) a home computer within the virtual environment provided by the agency through CITRIX, (2) an NRC-issued laptop with NRC-approved encryption software, or (3) using an NRC authorized solution such as BYOD.
Employees are expressly prohibited from processing SUNSI on personally owned computers even when an encrypted storage media is employed.
It is discouraged to take hard-copy material to private residences. If hard copy material is taken home, it must be returned to an NRC facility and stored and/or destroyed according to the instructions provided in this guidance. Note: hard-copy of NOFORN, NNPI, and Law Enforcement Sensitive Information are not allowed to be taken home unless specifically approved by the Individual's supervisor or the contractor's COR.
Yes. Abide by the fol lowing requirements:
316
8/3/2020 Federal-, State-, Foreign Government-, and International Agency-Controlled Information I NRC Intranet Employees are prohibited from using, handling, and storing the information at their residences and on personally owned devices.
If you are approved to work at home under the NRC Flexible Workplace Program, use in accordance with standards set forth in NRC Form 624, Flexible Workplace Program Participation Agreement.
To ensure that the information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be viewed by any other individual who is not authorized access.
Employees are prohibited from processing SUNSI on personally owned computers unless connected to and working within CITRIX, the NRC Broadband Remote Access System. Employees are prohibited from downloading or storing SUNSI to the hard drive of a personally owned computer when connected to and working within CITRIX. Employees are also expressly prohibited from processing SUNSI on personally owned computers even when an encrypted storage media is employed.
Employees who work at home must perform electronic processing of SUNSI on either (1) a home computer within the virtual environment provided by the agency through CITRIX, (2) an NRC-issued laptop with NRC-approved encryption software, or (3) using an NRC authorized solution such as BYOD.
USE WHILE TRAVELING OR COMMUTING May I use the information while on official travel or commuting to or from work?
PHYSICAL COPY TRANSMISSION May I transmit paper or electronic media including CD-ROM, disk or tape?
Yes. Abide by the following requirements:
Use of the information is discouraged while traveling on public transportation. To ensure that the information is not viewed or accessed inadvertently or willfully, the employee must ensure that it cannot be seen by persons not authorized access. Particular care should be taken on a public conveyance or in waiting rooms where others may be sitting and standing in close proximity to where the information is being used.
Individuals should hand carry protected information during travel only if other means for transmitting the information (e.g., mailing ahead, secure information sharing) are not readily available or are operationally unacceptable. If hand carrying is determined to be the best transport method, care must be exercised to ensure that the information is not compromised through loss or inadvertent access.
Information must be kept in the traveler's personal possession to the extent possible, and stored, appropriately wrapped as to reveal evidence of tampering, in hotel security facilities if possible. Information must not be saved/stored on a personally owned computer. Work must be performed on an encrypted laptop computer or other encrypted mobile IT device authorized for use per MD 12.5 to preclude unauthorized access if the laptop or device is lost or stolen.
The information should be returned to an NRC authorized storage location at the earliest possible opportunity.
Yes. Abide by the following requirements:
Inside the NRC (including Regions): Information may be -
Hand-carried.
Sent via NRC's interoffice mail system.
Sent via NRC pouch service between headquarters and the regions. Transmit in a single opaque envelope.
Sent via approved commercial express carriers between headquarters and the regions (time-sensitive material only; use NRC Form 420). Transmit in a single opaque envelope.
Outside the NRC: Information may be transmitted by -
ELECTRONIC COPY TRANSMISSION May I transmit the document electronically by e-mail or fax?
STORAGE NRC Messenger/NRC contractor messenger.
U.S. Postal Service: First Class Mail, Registered Mail, Express Mail, Certified Mail. Request tracking service where available.
Hand-carried by any individual authorized access to the information. That individual shall retain the information in his or her possession where possible unless they place the document in the custody of another person authorized access.
Approved commercial express carriers (time-sensitive material only; use NRC Form 420); Transmit in single opaque envelope. Request tracking service where available.
Other means approved by OIS and the Director, Division of Facilities and Security, ADM.
Incoming to the NRC: Electronic submissions, including CD-ROMs, submitted to the NRC should follow the E-Rule "Guidance for Electronic Submission to the Agency," available on NRC's external Web site at: (http://www.nrc.gov/site-help/electronic-sub-ref-mat.html).
Encryption:
All electronic media (CD-ROM, disk, tape, hard drives, thumb drives, etc.) must be encrypted in accordance with MD 12.5.
Yes, unless restricted by the submitting agency. Abide by the following requirements:
Inside the NRC (including Regions):
Information may be e-mailed or faxed.
When transmitting information follow the requirements specified by the Federal, State, Foreign Government, or International agency.
Outside the NRC: Electronic transmissions (e.g., e-mail, fax) outside the NRC must be encrypted in accordance with MD 12.5.
Fax: May use non-secure facilities where it is confirmed that a recipient who is authorized to access the information will be present to receive the information.
E-mail: Please follow the guidance outlined in the Office of the Chief Information Officer announcement dated August 9, 2017.
Use of portals that encrypt the information during transmission, such as "BOX", is highly encouraged.
Electronic files must contain appropriate markings.
Unless originating agency provides specific storage requirements, abide by the following requirements:
Inside the NRC (Headquarters and Regional Offices): Store in non-locking or locking container at the end of each business day or when not in use.
Outside the NRC (Resident Inspector Sites): Store in key locked desks or other key locked containers.
On NRC Electronic Systems: May be stored on NRC encrypted computer systems that are authorized to operate under MD 12.5.
DESTRUCTION Unless originating agency provides specific destruction guidance, abide by the following requirements:
Official Record Version: Destroy in accordance with NRC Comprehensive Records Disposition Schedule (NUREG-0910).
Non-official Record Copies: Destroy as indicated below:
Using an ADM/DFS approved shredder that has been approved to destroy Classified Information, Safeguards Information, SUNSI, and Controlled Unclassified Information (CUI).
Place in a Sensitive Unclassified Waste Disposal Container.
Tear into one-half inch pieces or smaller (in all dimensions) and dispose of in a waste receptacle.
Burning, pulping, pulverizing, or chemical decomposition.
Electronic Data: Use NRC authorized destruction methods in accordance with MD 12.5.
DECONTROL AUTHORITY Normally decision will be referred to the originating entity. Originating office or office primarily responsible for the information will consult with originating entity.
8/3/2020 Investigation Information | NRC Intranet
Investigation Information
CONTENT OWNER Page content maintained by: SUNSI.Resource@nrc.gov
Table of Contents
- Applicable Document Categories
- Marking
- Use at Home
- Authority to Designate
- Cover Sheet
- Use While Traveling or Commuting
- Access
- Reproduction
- Physical Copy Transmission
- Need-to-Know Controls
- Processing on Electronic Systems
- Electronic Copy Transmission
- Storage
- Destruction
- Decontrol Authority
APPLICABLE DOCUMENT CATEGORIES Any Office of Investigations (OI) or Office of the Inspector General (OIG) Investigation-related documents.
AUTHORITY TO DESIGNATE OI: The Office Director (OD), Deputy Office Director (DOD), and Special Agents In Charge (SAIC's).
OIG: The Inspector General (IG), Deputy Inspector General (DIG), Assistant Inspector General for Investigations (AIGI), and Senior Level Assistant for Investigative Operations (SLAIO).
ACCESS Who may have access?
NEED-TO-KNOW CONTROLS Do Need-to-know controls apply?
Personnel authorized by the designated authorities identified under Authority to Designate, above.
o Need-to-know controls must be applied to the information.
o Recommend the establishment of pre-designated user groups that exclude administrative and other selected Offices without an obvious mission need from access.
MARKING What documents should be marked?
Who may authorize document marking?
How should a document be marked?
When is portion or page marking required?
COVERSHEET When should a cover sheet be used?
What cover sheet is used?
REPRODUCTION How many copies may be made?
All documents shall be marked.
OI: The Office Director (OD), Deputy Office Director (DOD), and Special Agents In Charge (SAIC's).
OIG: The Inspector General (IG), Deputy Inspector General (DIG), Assistant Inspector General for Investigations (AIGI), and Senior Level Assistant for Investigative Operations (SLAIO).
Header and footer markings specific to either OI or OIG on each page containing Investigation Information.
Examples:
o "Official Use Only - OI Investigation Information"
o "Official Use Only - OIG Investigation Information"
Mark each page of -
o Any Report of Investigation
o Any other designated Investigation-related document.
Portion marking is not required since entire page must be marked.
On all Reports of Investigation for both OI and OIG, and any other designated Investigation-related documents.
Investigation Information Cover Sheet
OI: Distribution of OI Reports of Investigation (ROI) is determined and authorized by the SAIC. Any further dissemination must be authorized by the approving official of the ROI, the SAIC, or as authorized by the Designation Authority.
OIG: As authorized by Designation Authority;
o The Inspector General (IG),
o Deputy Inspector General (DIG),
o Assistant Inspector General for Investigations (AIGI), and
o Senior Level Assistant for Investigative Operations (SLAIO).
PROCESSING ON ELECTRONIC SYSTEMS On what information systems may the document be processed?
Is encryption required while data is at rest?
OI: NRC LAN and other systems authorized to operate by the NRC under MD 12.5, "NRC Cybersecurity Program."
OIG: None.
OMB has directed that all sensitive information be encrypted using only NIST-certified cryptographic modules both at rest and during transmission. NRC automatically encrypts data at rest and during transmission within NRC facilities. Any SUNSI that is outside of NRC facilities must be encrypted at rest.
May the information be processed in ADAMS?
USE AT HOME May I use the document at home?
May I use the information at home under the NRC Flexible Workplace Program?
No, for both OI and OIG Investigation Information. ADAMS Sensitivity Code: Not Applicable
No, for OIG Investigation Information.
For OI Investigation Information:
- 1) OI personnel must have the Director of OI's approval to use Investigation Information at home.
- 2) Other NRC staff must comply with the following:
o OI has implemented a procedure to facilitate the limited use of Investigation Information by other NRC staff outside of NRC-controlled space. The procedure requires Office Directors and Regional Administrators to determine it appropriate and necessary for their staff to use Investigation Information outside of NRC-controlled space to complete high priority work projects. Office Directors and Regional Administrators must then make a request for such limited use via memorandum to the Director of OI. The Director of OI will authorize requesting NRC staff to remove the Investigation Information from NRC-controlled space on a case-by-case basis. This agreement will include specific handling requirements and procedures for Investigation Information under the control of the NRC staff members.
o To ensure that the information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be seen by a family member, guest, or any other individual who is not authorized access.
o Employees are prohibited from using, handling, and storing Investigation Information at their residences and on personally owned devices or sending information to non-NRC email addresses (e.g., personal email accounts). Electronic work from home must use an NRC computer or an NRC authorized capability, such as CITRIX.
No, for OIG Investigation Information.
For OI Investigation Information:
- 1) OI personnel must have the Director of OI's approval to use Investigation Information at home.
- 2) Other NRC staff must comply with the following:
o OI has implemented a procedure to facilitate the limited use of Investigation Information by other NRC staff outside of NRC-controlled space. The procedure requires Office Directors and Regional Administrators to determine it appropriate and necessary for their staff to use Investigation Information outside of NRC-controlled space to complete high priority work projects. Office Directors and Regional Administrators must then make a request for such limited use via memorandum to the Director of OI. The Director of OI will authorize requesting NRC staff to remove the Investigation Information from NRC-controlled space on a case-by-case basis. This agreement will include specific handling requirements and procedures for Investigation Information under the control of the NRC staff members.
o To ensure that the Investigation Information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the Investigation Information cannot be seen by a family member, guest, or any other individual who is not authorized access.
o Employees are prohibited from processing SUNSI on personally owned computers unless connected to and working within CITRIX, the NRC Broadband Remote Access System. Employees are prohibited from downloading or storing SUNSI to the hard drive of a home computer when connected to and working within CITRIX. Employees are also prohibited expressly from processing SUNSI on home computers even when an encrypted storage media is employed.
o Employees who work at home must perform electronic processing of SUNSI on either (1) a home computer within the virtual environment provided by the agency through CITRIX or (2) an NRC-issued laptop with NRC-approved encryption software.
USE WHILE TRAVELING OR COMMUTING May I use the information while on official travel or commuting to or from work?
PHYSICAL COPY TRANSMISSION May I transmit paper or electronic media including CD-ROM, disk or tape?
Yes, while on official travel with the proper security for both OI and OIG.
Hand carry protected information taking care to ensure that the Investigation Information is not compromised through loss or inadvertent access.
Investigation Information must be kept in traveler's personal possession to the extent possible, and stored, appropriately wrapped, in hotel security facilities if possible.
Return Investigation Information to an NRC authorized storage location at the earliest possible opportunity.
Information must not be saved/stored on a personally owned computer or sent to non-NRC email addresses (e.g., personal email accounts). Work must be performed on an encrypted laptop computer or other encrypted mobile IT device authorized for use per MD 12.5 to preclude unauthorized access if the laptop or device is lost or stolen.
Inside the NRC:
OI:
- Normally, hand carried.
- For internal mail, double-sealed "Addressee Only" envelope.
- Between field offices and between a field office and HQ, commercial carrier may be used.
OIG:
- Normally, hand-carried.
- For internal mail, double-sealed "Addressee Only" envelope.
Outside the NRC:
OI:
- Normally, hand-carried, commercial carrier or registered mail.
OIG:
- Only hand-carried or registered mail.
Encryption:
All electronic media (CD-ROM, disk, tape, hard drives, thumb drives, etc.) must be encrypted in accordance with MD 12.5.
ELECTRONIC COPY TRANSMISSION May I transmit the document electronically by e-mail or fax?
OIG Investigation Information:
o No, for OIG Investigation Information.
OI Investigation Information:
o OI Personnel and NRC staff must have the Director of OI's approval to transmit OI Investigation Information electronically by email or fax. If approved, OI Personnel and NRC staff are required to encrypt OI Investigation Information using FIPS 140-2 validated encryption modules operated in FIPS mode prior to sending it in accordance with Management Directive 12.5 "NRC Cybersecurity Program". This information should only be shared with individuals with a need-to-know.
Electronic transmissions (e.g., e-mail, fax) outside the NRC must be encrypted in accordance with MD 12.5.
STORAGE Inside NRC:
For both OI and OIG: Investigation Information must be stored in safes, locked cabinets, or a limited access area protected by a card reader or other access control device.
Outside NRC:
OIG Investigation Information: If taken outside the NRC to another U.S. Government office, the information should be stored the same as inside the NRC, except as specified in "USE WHILE TRAVELING OR COMMUTING."
OI Investigation Information: If taken outside the NRC to use at home, paper-based records should be transported in portfolios, briefcases, or similar devices that are locked when the records are not in use. These containers should be identifiable by tag, label or decal with NRC contact and mailing information. Follow the instructions specified above for "USE WHILE TRAVELING OR COMMUTING."
On NRC Electronic Systems: Encrypted and password protected access for both OI and OIG Investigation Information.
DESTRUCTION For OIG, follow OIG guidance in accordance with NUREG-0910, "NRC Comprehensive Records Disposition Schedule."
For OI:
o Use an ADM/DFS approved shredder that is approved to destroy classified information, Safeguards Information, SUNSI, and Controlled Unclassified Information.
o Place in Sensitive Unclassified Waste Disposal Containers.
o ELECTRONIC DATA: Use NRC authorized destruction methods in accordance with MD 12.5 or return to OI.
DECONTROL AUTHORITY OI: The Office Director (OD), Deputy Office Director (DOD), and Special Agents In Charge (SAIC's).
OIG: The Inspector General (IG), Deputy Inspector General (DIG), Assistant Inspector General for Investigations (AIGI), and Senior Level Assistant for Investigative Operations (SLAIO).
UNITED STATES NUCLEAR REGULATORY COMMISSION
Yellow Announcement: YA-16-0052
Date: May 23, 2016
Expiration Date: July 1, 2019
TO: All NRC Employees
SUBJECT: CHANGE TO NEED-TO-KNOW DEFINITION
The purpose of this Yellow Announcement is to update the "need-to-know" definition in Management Directive (MD) 12.0, "Glossary of Security Terms." The revised definition of "need-to-know" is as follows:
Need-to-Know
- 1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
- 2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.
Please note that MD 12.0 will be updated to include the revised definition. If you have any questions, please contact Denis Brady at (301) 415-5768.
/RA/
Cynthia A. Carpenter, Director
Office of Administration
Management Directive Reference: MD 12.0, "Glossary of Security Terms," Directive Section II, and MD 12.1, "NRC Facility Security Program," Handbook Section IV.B
ML16111A432
| OFFICE | ADM/DFS/FSB | ADM/DFS/FSB/BC | ADM/DFS/DD |
|---|---|---|---|
| NAME | ARoundtree | DBrady | SSchoenmann |
| DATE | 04/20/2016 | 04/20/2016 | 05/17/2016 |
| OFFICE | ADM/DFS/D | ADM/DD | ADM/D |
| NAME | TPulliam | SStewart | CCarpenter |
| DATE | 05/17/2016 | 05/23/2016 | 05/23/2016 |